Authentication and Access Control in Orbeon Builder

Hi All,

I too have similar problem from somany days I am posting this no one is responding.Not sure why username is not at all stored in database.

Also any idea where to enter username in weblogic like tomcat-use.xml?

Regards,

Smaran

 

From: paleandromus [mailto:[hidden email]]
Sent: Friday, March 04, 2011 8:23 PM
To: [hidden email]
Subject: [ops-users] Authentication and Access Control in Orbeon Builder

 

Hi everyone,

I'm trying to control access to application 'Form Builder' (Access Control for listing and editing forms).
For that I need first user authentication and then control what forms may be modified or not, based on user roles.

To do this, I followed the instructions listed on pages
- http://www.orbeon.com/orbeon/doc/reference-authentication
- http://wiki.orbeon.com/forms/doc/developer-guide/form-runner/access-control # TOC-Access-control-for-editing-forms

I use the sample application '/java-authentication/' for user authentication, and authentication works properly.
But managing roles through the file 'form-runner-roles.xml' does not work as expected.
The whole setup is as follows (first try, only users authentication):

---

tomcat-user.xml (Users in Tomcat)

<tomcat-users>

    <role rolename="orbeon-admin"/>

    <user name="administrador" password="orbeon" roles="orbeon-admin"/>

</tomcat-users>

---

web.xml

...

    <security-constraint>

        <web-resource-collection>

            <web-resource-name>Orbeon Builder</web-resource-name>

            <url-pattern>/fr/orbeon/builder/*</url-pattern>

        </web-resource-collection>

        <auth-constraint>

            <role-name>orbeon-admin</role-name>

        </auth-constraint>

    </security-constraint>

    <login-config>

        <auth-method>FORM</auth-method>

        <form-login-config>

            <form-login-page>/java-authentication/login</form-login-page>

            <form-error-page>/java-authentication/login-error</form-error-page>

        </form-login-config>

    </login-config>

    <security-role>

        <role-name>orbeon-admin</role-name>

    </security-role>

...

---

form-runner-roles.xml

<roles>

    <!-- Default for distribution: give everybody access to every form -->

    <role name="*" app="*" form="*"/>

</roles>

---

Trying to access the list of forms of 'Orbeon Builder' (which is shown by 'Orbeon Runner') http://[localhost]/orbeon/fr/orbeon/builder/summary, jumps to the authentication form in the url '/java-authentication/', right, is the expected behavior, once authenticated, is once again the summary page of 'Orbeon Builder ".

- Image: Login Form by the app '/java-authentication/
- Image: User info displayed by the app '/java-authentication/'
- Image: Session in Tomcat for the user authenticated (administrador)
- Image: Details of the session in Tomcat for the user

So far all right, but although there is an authenticated user in the context '/ orbeon' in Tomcat, 'Form Runner' or 'Form Builder' shows no reference to the user, or when you create or modify forms, data is not saved user in the 'USERNAME' table 'ORBEON_FORM_DATA', which remains empty although there is an authenticated user.

I tried this in the versions of Orbeon 'Orbeon Forms dev-3.7.1.201008230714' and 'Orbeon Forms Orbeon Forms 3.8.0.201005141841 PE' with the same result.
First question:
Am I missing any configuration for 'Form Builder'or 'Form Runner' display or use the authenticated user?
Trying to control access to editing the forms, by setting roles and access permissions of the file-runner-roles.xml form, show one of the tests made with the user already configured:

---

form-runner-roles.xml

<roles>

    <role name="<b>orbeon-admin</b>" app="*" form="*"/>

</roles>

---

It is assumed that the user 'administrator' which has the role 'orbeon-admin', should have access to edit any form, is that correct?, well, no way, always appears the message:
You do not have the privileges to access this page.

After doing multiple tests, with multiples users and configurations, if I change the default settings, the result is that access to any form editing or creation of new forms is blocked for all users (regardless of configuration, the blockade is total), appearing always the message mentioned earlier.
I have a second question:
Am I missing some detail in Orbeon to set or extra deployment to the 'Access control for editings forms' work as it should?

Thank you very much for your attention and help, greetings.

---

View this message in context: Authentication and Access Control in Orbeon Builder
Sent from the Orbeon Forms (ops-users) mailing list archive at Nabble.com.

Please do not print this email unless it is absolutely necessary.

The information contained in this electronic message and any attachments to this message are intended for the exclusive use of the addressee(s) and may contain proprietary, confidential or privileged information. If you are not the intended recipient, you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately and destroy all copies of this message and any attachments.

WARNING: Computer viruses can be transmitted via email. The recipient should check this email and any attachments for the presence of viruses. The company accepts no liability for any damage caused by any virus transmitted by this email.

www.wipro.com

--
You receive this message as a subscriber of the [hidden email] mailing list.
To unsubscribe: mailto:[hidden email]
For general help: mailto:[hidden email]?subject=help
OW2 mailing lists service home page: http://www.ow2.org/wws