Header Authentication Issues


Header Authentication Issues

Christina Bannon
Hello!

I'm trying to set up authentication by sending headers with user info to orbeon. I am using a servlet class to test if the username and password is a valid combo, and then I am using a filter to set the headers. I have been tinkering with this for some time now and I can't figure out how to get the info to go back to orbeon, signalling that this is a valid username/password combo. My goal is to first validate just one combo, then to work on connecting it to a database. 

Here is a snippet of what I have in the filter for if the authentication is correct: 
* I do call doFilter before any of this executes


if (validityFlag.contentEquals("valid")) {

    //This is the correct way that I can save the username
    httpResponse.addHeader("Orbeon-Username", session.getAttribute("Orbeon-Username").toString());
    httpResponse.addHeader("Orbeon-Roles", session.getAttribute("Orbeon-Roles").toString());
    httpResponse.setStatus(200);
    /*
    RequestDispatcher dispatcher = httpRequest.getRequestDispatcher("/secretPage.jsp");
    dispatcher.include(httpRequest, httpResponse); // forward gave scala errors, so I'm using include
    */
    //httpResponse.sendRedirect("/orbeon/fr/");
}

As you can see, I commented out the RequestDispatcher object because I read in another user's discussion that this was not something I needed to do. 

Also, here is a snippet of what I have in my servlet class:
I commented out the last line because I found that when it was included, the filter seemed to be skipped entirely.

if (username.equals(SECRET_USERNAME)
        && password.equals(SECRET_PASSWORD)) {

    HttpSession session = request.getSession(true);
    session.setMaxInactiveInterval(5 * 60); // 5 min
    session.setAttribute("validityFlag", "valid");

    session.setAttribute("Orbeon-Username", username);
    session.setAttribute("Orbeon-Roles", "WALD-tax-form-runner");

    response.addHeader("Orbeon-Username",
        session.getAttribute("Orbeon-Username").toString());
    response.addHeader("Orbeon-Roles",
        session.getAttribute("Orbeon-Roles").toString());

    //  response.sendRedirect("/orbeon/fr/");
}


I apologize if this is too novice of a question for this forum. I would greatly appreciate any suggestions, advice, or critique!

Thanks
Christina

--
You received this message because you are subscribed to the Google Groups "Orbeon Forms" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/orbeon/04396d8c-f4b0-4c56-bb9a-b5ebc1a039c1%40googlegroups.com.

Re: Header Authentication Issues

Alessandro  Vernet
Administrator
Hi Christina,

For some context, are you doing this to pass information about the current
user to Form Runner, using the Header-driven method (see 1st link below)?
The default names of the headers are `My-Username-Header` and
`My-Roles-Header`, so you might want to try those (unless you changed them
through properties?). Also, have you enabled the header-driven method, by
setting `oxf.fr.authentication.method` to `header` (see 2nd link below)?

https://doc.orbeon.com/form-runner/access-control/users#header-driven-method
https://doc.orbeon.com/form-runner/access-control/users#enable-header-driven-method

‑Alex

-----
--
Follow Orbeon on Twitter: @orbeon
Follow me on Twitter: @avernet
--
Sent from: http://discuss.orbeon.com/


Re: Header Authentication Issues

Christina Bannon
In reply to this post by Christina Bannon
Alessandro -

Thank you so much for your quick response! 
 
Yes, I am using this to pass info about the current user to Form Runner. I believe I have both enabled the header-driven method, and have changed the names through properties. I also have enabled the header-driven method. In the properties-local.xml file I also set the authorizer as the servlet class I mentioned earlier. This is how I went about doing that:

<property
as="xs:string"
name="oxf.fr.authentication.method"
value="header"/>

<property
as="xs:string"
name="oxf.fr.authentication.header.username"
value="Orbeon-Username"/>
<property
as="xs:string"
name="oxf.fr.authentication.header.group"
value="Orbeon-Group"/>
<property
as="xs:string"
name="oxf.fr.authentication.header.roles"
value="Orbeon-Roles"/>

<property
as="xs:anyURI"
processor-name="oxf:page-flow"
name="authorizer"
value="/LoginValidator"/>


On Thursday, July 11, 2019 at 6:46:15 PM UTC-4, Christina Bannon wrote:

Re: Header Authentication Issues

Alessandro  Vernet
Administrator
Hi Christina,

Your properties look right. So your filter is getting the username/roles
from the session, under the keys `Orbeon-Username` and `Orbeon-Roles`. I
have a few questions:

1. What code puts that information there? (I'm asking out of curiosity, and
to better understand your use case, as this seems unusual to me.)
2. Have you tried to log the value you extract from the session? Is the
username/roles indeed in the session under those keys?
3. Are you using 2018.2.x? What version exactly? PE or CE?
4. If the answer to point 2 is "yes", and to 3 a flavor of 2018.2.x, could
you simplify your filter as much as possible, share the code with us, along
with your `properties-local.xml` and `web.xml`, so we can try to reproduce
the issue here?

‑Alex

-----
--
Follow Orbeon on Twitter: @orbeon
Follow me on Twitter: @avernet
--
Sent from: http://discuss.orbeon.com/


Re: Header Authentication Issues

Christina Bannon
Hi Alessandro!

1. The code that brings the info to the LoginValidator class is a simple JSP; here it is!

    <form action="LoginValidator" method="post">
    
        <!-- this hidden variable is used to communicate to LoginValidator.java
                what info being sent to it (validate or return)
            (p 136 "hidden field to store text that you want to send to the server,
                but don't want to display on the html page -->
                
        <input type="hidden" name="action" value="validate">
        
        <label>Username: </label> <br>
        <input type="text" name="username" required> <br>
        
        <label>Password: </label> <br>
        <input type="password" name="password" required> <br>
        
        <br>
        
        <input type="submit" value="Submit" id="submit">
    </form>

2. As far as checking if the values are in the session, I can say that they are! To check if they were saved I had set up the filter to sendRedirect to a different page that lists the response headers, and they show up when I do that.
3. I am using 2018.2.3, the PE version
4. I absolutely can. Do you want me to just post it all here or email it to you?

Thank you for all of your help, 
Christina


Re: Header Authentication Issues

christinab
In reply to this post by Christina Bannon
Here is a link to the gist:

https://gist.github.com/christinabannon/ddd392204e6e061467f82f34e7f508b0

--
Sent from: http://discuss.orbeon.com/


Re: Header Authentication Issues

Christina Bannon
In reply to this post by Christina Bannon

Re: Header Authentication Issues

Alessandro  Vernet
Administrator
Hi Christina,

Thank you for the source. I think you've got a few things mixed up ;), but I'm
not 100% sure of what to suggest because I don't know how you'd like
authentication to work. From your code, I see you've created your own login
form, which submits the username/password entered by users to your own
servlet (`LoginValidator.java`), which in turn checks if the login is valid,
in this case against static values, I imagine for testing.

In your real scenario, do you indeed want to have your own login page for
Orbeon Forms? How are you going to check the login/password? Maybe you have
those in a database, or LDAP, or Active Directory?

‑Alex

-----
--
Follow Orbeon on Twitter: @orbeon
Follow me on Twitter: @avernet
--
Sent from: http://discuss.orbeon.com/


Re: Header Authentication Issues

Christina Bannon
Hey Alessandro!

In my real scenario, I am not going to be using a login page, so thank you for pointing out where I could simplify my testing! 

From what I understand we are going to be using a database. I know now that I was supposed to be adding headers to the request, as opposed to the response. Now I have a filter ('RequestHeaderFilter.java') that does not use a login page, but does (I think) successfully wrap the request and add the Orbeon-Username, Orbeon-Roles, and Orbeon-Group headers. 

Since I'm no longer doing any logging in, and instead am just adding the info right to the headers, I have made a new gist with all of the updates, here is the link : https://gist.github.com/christinabannon/fd556a570e062dc4b08056eec2a1f179

Thank you again for all of your help!
Christina

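The wrapping approach described above, as an added example that is not taken from Christina's gist or from Orbeon's own code: a servlet filter that wraps the incoming request so Form Runner sees the `Orbeon-Username`, `Orbeon-Group` and `Orbeon-Roles` request headers configured in `properties-local.xml`. The identity values are constructed placeholders standing in for the database lookup the thread mentions.

```java
import java.io.IOException;
import java.util.*;
import javax.servlet.*;
import javax.servlet.http.*;

public class RequestHeaderFilter implements Filter {
    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        // Hypothetical lookup with constructed values; the real version would resolve
        // the user from the database. Names must match oxf.fr.authentication.header.*.
        Map<String, String> identity = new HashMap<>();
        identity.put("Orbeon-Username", "jsmith");
        identity.put("Orbeon-Group", "tax");
        identity.put("Orbeon-Roles", "WALD-tax-form-runner");
        // Form Runner reads these from the *request*, so wrap the request, not the
        // response, before passing it down the chain.
        chain.doFilter(new HeaderRequest(http, identity), res);
    }

    // The wrapper replaces these headers: a value a client sent under the same
    // name never reaches Form Runner, only the filter's value does.
    static class HeaderRequest extends HttpServletRequestWrapper {
        private final Map<String, String> extra;
        HeaderRequest(HttpServletRequest r, Map<String, String> extra) { super(r); this.extra = extra; }
        private String lookup(String name) {
            for (Map.Entry<String, String> e : extra.entrySet())
                if (e.getKey().equalsIgnoreCase(name)) return e.getValue();
            return null;
        }
        @Override public String getHeader(String name) {
            String v = lookup(name);
            return v != null ? v : super.getHeader(name);
        }
        @Override public Enumeration<String> getHeaders(String name) {
            String v = lookup(name);
            return v != null ? Collections.enumeration(Collections.singletonList(v))
                             : super.getHeaders(name);
        }
        @Override public Enumeration<String> getHeaderNames() {
            Set<String> names = new LinkedHashSet<>(Collections.list(super.getHeaderNames()));
            names.addAll(extra.keySet());
            return Collections.enumeration(names);
        }
    }
}
```

The filter still has to be mapped in `web.xml` to the paths Form Runner serves, and it only helps if it runs ahead of Orbeon's own processing of the request.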

Re: Header Authentication Issues

Alessandro  Vernet
Administrator
In reply to this post by Alessandro Vernet
Hi Christina,

How are you going to know who the user is, if you don't have a login page?
Do you maybe have some kind of token in a cookie that you can use to call
a service that tells you who the user is? If you have users in a database
and want a login page, I'd recommend that:

- At the Orbeon Forms level, you use container-based authentication.
- At the Tomcat level, you use the `JDBCRealm`.
https://tomcat.apache.org/tomcat-9.0-doc/realm-howto.html#JDBCRealm

But this might not be what you're looking for?

Also, as a side note, the authorizer is used to authenticate the access to
services, so I don't think that what you're doing here should have anything
to do with the authorizer.

‑Alex

-----
--
Follow Orbeon on Twitter: @orbeon
Follow me on Twitter: @avernet
--
Sent from: http://discuss.orbeon.com/
