Authorization based on caller identy in external (restful) web service

Hi all

I would like my orbeon xform to submit to a restful web service that runs in a different web app from orbeon. For authorization purposes, I would like to authenticate the end user identity in my external web service … which is obviously not possible because orbeon performs the external ws call from the server side.

I was wondering for that reason whether it is possible to tell orbeon to send back the generated instance and have the browser client perform the ws call instead of the orbeon server side?

If not, any suggestions about how to tackle this issue?

Best regards,

Simon

--
You receive this message as a subscriber of the [hidden email] mailing list.
To unsubscribe: mailto:[hidden email]
For general help: mailto:[hidden email]?subject=help
OW2 mailing lists service home page: http://www.ow2.org/wws

I am out of the office until 26th July

***********************************************************************************************

This email, including any attachment, is confidential and may be legally privileged. If you are not the intended recipient or if you have received this email in error, please inform the sender immediately by reply and delete all copies from your system. Do not retain, copy, disclose, distribute or otherwise use any of its contents.

 

Whilst we have taken reasonable precautions to ensure that this email has been swept for computer viruses, we cannot guarantee that this email does not contain such material and we therefore advise you to carry out your own virus checks. We do not accept liability for any damage or losses sustained as a result of such material.

 

Please note that incoming and outgoing email communications passing through our IT systems may be monitored and/or intercepted by us solely to determine whether the content is business related and compliant with company standards.

***********************************************************************************************

The Stationery Office Limited is registered in England No. 3049649 at 10 Eastbourne Terrace, London, W2 6LG

 

Simon,

You can setup Orbeon Forms to pass along the JSESSIONID cookie (or any
other cookie provided by the browser) when calling a REST or web
service, for the service to know what user the request came from. For
this you need to tell Orbeon Forms which cookie(s) you want to be
passed along. You can learn more about this on:

http://wiki.orbeon.com/forms/doc/developer-guide/configuration-properties/configuration-properties-base#TOC-HTTP-headers-forwarding

Alex

On Monday, July 19, 2010, Gunzenreiner Simon
<[hidden email]> wrote: --
Orbeon Forms - Web forms, open-source, for the Enterprise -
http://www.orbeon.com/
My Twitter: http://twitter.com/avernet


--
You receive this message as a subscriber of the [hidden email] mailing list.
To unsubscribe: mailto:[hidden email]
For general help: mailto:[hidden email]?subject=help
OW2 mailing lists service home page: http://www.ow2.org/wws

I am out of the office until 26th July

***********************************************************************************************

This email, including any attachment, is confidential and may be legally privileged. If you are not the intended recipient or if you have received this email in error, please inform the sender immediately by reply and delete all copies from your system. Do not retain, copy, disclose, distribute or otherwise use any of its contents.

 

Whilst we have taken reasonable precautions to ensure that this email has been swept for computer viruses, we cannot guarantee that this email does not contain such material and we therefore advise you to carry out your own virus checks. We do not accept liability for any damage or losses sustained as a result of such material.

 

Please note that incoming and outgoing email communications passing through our IT systems may be monitored and/or intercepted by us solely to determine whether the content is business related and compliant with company standards.

***********************************************************************************************

The Stationery Office Limited is registered in England No. 3049649 at 10 Eastbourne Terrace, London, W2 6LG

 

Hi Alex

Thanks a lot for the hint. This will actually work for me, since I indeed can propagation the caller identity by means of a header field.

In a case where this is not possible (e.g. for certificate based client authentication), what I described below it might be interesting for Orbeon forms to support none the less: If one could tell Orbeon to send the resulting XML from the client (as opposed to from the orbeon pipeline), the client could be directly authentificated against the Rest service by means of the clients certificate, and authorization could still be done based on the client's identity. In the currently supported scenario, I would have to post the document on the server side, without being able to propagate the clients credentials.

Regards
Simon

-----Ursprüngliche Nachricht-----
Von: Alessandro Vernet [mailto:[hidden email]]
Gesendet: Dienstag, 20. Juli 2010 04:56
An: [hidden email]
Betreff: [ops-users] Re: Authorization based on caller identy in external (restful) web service

Simon,

You can setup Orbeon Forms to pass along the JSESSIONID cookie (or any other cookie provided by the browser) when calling a REST or web service, for the service to know what user the request came from. For this you need to tell Orbeon Forms which cookie(s) you want to be passed along. You can learn more about this on:

http://wiki.orbeon.com/forms/doc/developer-guide/configuration-properties/configuration-properties-base#TOC-HTTP-headers-forwarding

Alex

On Monday, July 19, 2010, Gunzenreiner Simon <[hidden email]> wrote: --
Orbeon Forms - Web forms, open-source, for the Enterprise - http://www.orbeon.com/ My Twitter: http://twitter.com/avernet


--
You receive this message as a subscriber of the [hidden email] mailing list.
To unsubscribe: mailto:[hidden email]
For general help: mailto:[hidden email]?subject=help
OW2 mailing lists service home page: http://www.ow2.org/wws