Cookie JSESSIONID not forwarded to custom authorization service

7 messages

Cookie JSESSIONID not forwarded to custom authorization service

mabu
Hi,

I configured my websphere application server to share the same session between orbeon and my web app.
Now I have the problem that the session cookie JSESSIONID is NOT forwarded to my custom authorization service.
For testing purpose the service always returns with success. Then I can see that the cookie is also not forwarded to my custom persistence layer.
But the cookie is forwarded to custom REST services called with a <xf:submission> on the "xforms-model-construct-done" event.

Any Ideas?

properties.local config:
    <property as="xs:anyURI" processor-name="oxf:page-flow" name="authorizer" value="http://localhost/XGFWeb/service/auth" />
    <property as="xs:string" processor-name="oxf:page-flow" name="page-public-methods" value="" />

Martin

Re: Cookie JSESSIONID not forwarded to custom authorization service

mabu
Sorry, but my initial post was not correct.
I configured the application server to share the session COOKIE between orbeon and my web app (cookie path="/"). The session itself is not shared.

Re: Cookie JSESSIONID not forwarded to custom authorization service

Alessandro  Vernet
Administrator
Hi Martin,

Does this mean that with this WebSphere setup, the session is kept "in sync" in both apps, and provides a sort of simple single sign-on between the two apps? Is the JSESSIONID cookie still used by WebSphere in that case, or are they using another cookie, maybe in addition to JSESSIONID?

And when referring to your "custom authorization service", you're talking about an auth service to allow services to be called from your own application (per the example linked below)?

http://wiki.orbeon.com/forms/doc/developer-guide/page-flow-controller/authorization#TOC-A-simple-authorization-service

Alex
--
Follow Orbeon on Twitter: @orbeon
Follow me on Twitter: @avernet

Re: Cookie JSESSIONID not forwarded to custom authorization service

mabu
Hi Alex,

I will try to explain it in more detail.

First of all, I have two EARs running on the same WebSphere server. One EAR contains the imported orbeon.war file and the other EAR contains my webapp.
These two apps have different URL prefixes:
- http://localhost/OrbeonWeb/
- http://localhost/MyWeb/

Now my goal is that Orbeon forms can only be accessed by authenticated users. In our company the authentication of users is handled by another app. This app provides an authenticated user with a list of links to all apps the user has permission for.
So let us now assume an authenticated user accesses my webapp. Then a new session will be created and until then a valid session cookie JSESSIONID exists.

In Orbeon by default pages are public accessible. But I want that orbeon forms can only be accessed if the user is authenticated and a session already exists. Therefore I added following properties to my properties.local:
    <property as="xs:anyURI" processor-name="oxf:page-flow" name="authorizer" value="http://localhost/MyWeb/service/auth" />
    <property as="xs:string" processor-name="oxf:page-flow" name="page-public-methods" value="" />
Due to the fact that in Orbeon by default the session cookie "JSESSIONID" is forwarded, I assumed that "my custom authorization service" under http://localhost/MyWeb/service/auth will receive this cookie. But the cookie is not forwarded!
The cookie forwarding only works if I call "my custom authorization service" through a standard xforms submission.

    <xf:submission id="unauthorized-submission" resource="/unauthorized" method="get" replace="all" serialization="none"/>
    <xf:submission id="auth-submission" method="get" replace="none" serialization="none" resource="http://localhost/MyWeb/service/auth/{xxf:instance('fr-parameters-instance')/app/string()}/{xxf:instance('fr-parameters-instance')/form/string()}">
        <xf:action ev:event="xforms-submit-error" if="event('response-status-code') = 401">
            <xf:send submission="unauthorized-submission"/>
        </xf:action>
    </xf:submission>


The configuration of the session/cookie management of the websphere server is as follows:
[Screenshot: WebSphere session/cookie configuration]

Martin

Re: Cookie JSESSIONID not forwarded to custom authorization service

Alessandro  Vernet
Administrator
Hi Martin,

I see, but you're trying to use the authorizer for something it wasn't designed to do. The authorizer is designed for you to allow your own code to call Orbeon Forms APIs (services), while normally those services can only be called by Orbeon Forms itself. It isn't designed to prevent access to Orbeon Forms pages by end users. So I'd recommend you don't use the authorizer for this.

Instead, why not do this in a filter you set up in Orbeon Forms' web.xml to run before Orbeon Forms' own servlet? In your filter you can check that the user is allowed to access the app. (I'm not sure based on what and how you do that check, but I assume you know how to do that.) And as a benefit, that code would be completely independent from Orbeon Forms. Would that work in your case?

Alex
--
Follow Orbeon on Twitter: @orbeon
Follow me on Twitter: @avernet
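As an added example (not code from Orbeon or from either poster), here is one way to implement the filter Alex suggests for Martin's setup: a servlet filter registered in Orbeon Forms' web.xml that takes the JSESSIONID cookie the browser sent (shared on path "/" between /OrbeonWeb and /MyWeb, while the sessions themselves are separate) and forwards only that cookie to the auth service at http://localhost/MyWeb/service/auth, treating a 2xx answer as "authenticated" and anything else, including an unreachable service, as a 401. The package name, class name, init-param name and the 2xx/401 contract of the auth service are assumptions; the thread only shows that the service answers 401 for unauthorized users.

```java
// Added example: a fail-closed session check for Orbeon Forms' web.xml (hypothetical names).
// Assumes the javax.servlet API and an auth service that answers 2xx when the session
// behind the forwarded JSESSIONID is authenticated and 401 (or another non-2xx) otherwise.
package example.filter;

import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;
import javax.servlet.*;
import javax.servlet.http.*;

public class SessionAuthFilter implements Filter {
    static final String SESSION_COOKIE = "JSESSIONID";
    private String authServiceUrl;          // e.g. http://localhost/MyWeb/service/auth
    private static final int TIMEOUT_MS = 3000;

    @Override
    public void init(FilterConfig cfg) {
        authServiceUrl = cfg.getInitParameter("auth-service-url");
        if (authServiceUrl == null) {
            throw new IllegalStateException("auth-service-url init-param is required");
        }
    }

    /** Returns the JSESSIONID cookie value, or null if the browser sent none. */
    static String sessionCookie(HttpServletRequest req) {
        Cookie[] cookies = req.getCookies();
        if (cookies == null) return null;
        for (Cookie c : cookies) {
            if (SESSION_COOKIE.equals(c.getName())) return c.getValue();
        }
        return null;
    }

    /** The cookie value is attacker-controlled input: accept only a plausible session token. */
    static boolean looksLikeSessionId(String value) {
        return value != null && value.length() <= 256 && value.matches("[A-Za-z0-9:_.-]+");
    }

    /** Forwards only the session cookie to the auth service; 2xx means authenticated. */
    boolean isAuthorized(String sessionId) throws IOException {
        HttpURLConnection conn = (HttpURLConnection) new URL(authServiceUrl).openConnection();
        try {
            conn.setRequestMethod("GET");
            conn.setConnectTimeout(TIMEOUT_MS);
            conn.setReadTimeout(TIMEOUT_MS);
            conn.setInstanceFollowRedirects(false);  // a redirect to a login page is not success
            conn.setRequestProperty("Cookie", SESSION_COOKIE + "=" + sessionId);
            int status = conn.getResponseCode();
            return status >= 200 && status < 300;
        } finally {
            conn.disconnect();
        }
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;

        String sessionId = sessionCookie(req);
        boolean ok = false;
        if (looksLikeSessionId(sessionId)) {
            try {
                ok = isAuthorized(sessionId);
            } catch (IOException e) {
                // Fail closed: an unreachable auth service must not open the forms to everyone.
                req.getServletContext().log("auth service unreachable, denying request", e);
            }
        }
        if (!ok) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() {}
}

/* Registration in Orbeon Forms' WEB-INF/web.xml; list it before Orbeon's own
   filter and servlet mappings so it runs first (names are hypothetical):

   <filter>
     <filter-name>session-auth-filter</filter-name>
     <filter-class>example.filter.SessionAuthFilter</filter-class>
     <init-param>
       <param-name>auth-service-url</param-name>
       <param-value>http://localhost/MyWeb/service/auth</param-value>
     </init-param>
   </filter>
   <filter-mapping>
     <filter-name>session-auth-filter</filter-name>
     <url-pattern>/*</url-pattern>
   </filter-mapping>
*/
```

Two points worth checking when adapting this: the filter forwards exactly one cookie rather than the whole Cookie header, so nothing else the browser holds leaks to the auth service, and every failure path (no cookie, malformed cookie, timeout, non-2xx) ends in a 401 rather than falling through to the Orbeon servlet.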

Re: Cookie JSESSIONID not forwarded to custom authorization service

mabu
Hi Alex,

Thank you for that clarification. A filter in the orbeon web.xml is a good solution. It works fine!

Martin

Re: Cookie JSESSIONID not forwarded to custom authorization service

Alessandro  Vernet
Administrator
Hi Martin,

Excellent, I am glad that works, and thanks for the update.

Alex
--
Follow Orbeon on Twitter: @orbeon
Follow me on Twitter: @avernet