Issue using Authorization Service with Persistence REST layer

Issue using Authorization Service with Persistence REST layer

mpasko78
I've got a pretty advanced setup.

In my WEB-INF/resources/config/properties-local.xml, I've got the following configuration:

        <property as="xs:string" processor-name="oxf:page-flow" name="page-public-methods" value=""/>
        <property as="xs:string" processor-name="oxf:page-flow" name="service-public-methods" value=""/>
        <property as="xs:anyURI" processor-name="oxf:page-flow" name="authorizer" value="http://localhost:8080/someweapapp/api/orbeon/auth/"/>

        <property as="xs:string" name="oxf.fr.persistence.provider.*.*.*" value="test"/>
        <property as="xs:anyURI" name="oxf.fr.persistence.test.uri" value="http://localhost:8080/someweapapp/api/orbeon/"/>

And I've created the appropriate REST services for the authorization service and the persistence layer:

Persistence REST integration points, which save to an MSSQL database:
-- Save the form template (HTTP Methods GET, PUT)
/api/orbeon/crud/orbeon/builder/data/{formId}/data.xml
-- Save the form template attachment (HTTP Methods GET, PUT)
/api/orbeon/orbeon/builder/data/{formId}/{attachmentId}.bin

-- Save/Get the PUBLISHED template (HTTP Methods GET, PUT)
/api/orbeon/{AppName}/{FormName}/form/form.xhtml
-- Save/Get the PUBLISHED template DATA (HTTP Methods GET, PUT)
/api/orbeon/{AppName}/{FormName}/data/{FormDataId}/data.xml
-- Save/Get the PUBLISHED template attachment (HTTP Methods GET, PUT)
/api/orbeon/{AppName}/{FormName}/form/{attachmentId}.bin

Authorization Example:
/fr/service/persistence/crud/{AppName}/{FormName}/form/form.xhtml

Originally I had both Orbeon and my webapp on the same machine, and had to change the context.xml to use <Context sessionCookiePath="/" useHttpOnly="false">, so that the session id was used in both.  But now I have a new requirement where the Orbeon server needs to be on a separate machine altogether.

My problem is, when I move to another server (or another Tomcat instance), Orbeon punches out to my REST service for authorization with no JSESSIONID and a tokenId that I pass as a query parameter, validates against that tokenId, and ensures that user has access to that template/form.  The user is then saved in a session.

However, after the authorization is complete and returns a 200 HTTP status code, Orbeon punches out again to get the required data via the persistence REST API, with a DIFFERENT JSESSIONID, and my persistence REST service denies it, because it can't find a session/user to validate permissions.

Is there a way to configure Orbeon to use a consistent session (JSESSIONID) between Orbeon and my webapp?  Or possibly pass through a query parameter in the persistence REST call to my webapp?

References:
http://wiki.orbeon.com/forms/doc/developer-guide/page-flow-controller/authorization
http://wiki.orbeon.com/forms/doc/developer-guide/form-runner/persistence-api

Thanks for any help!

--
You received this message because you are subscribed to the Google Groups "Orbeon Forms" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].

Re: Issue using Authorization Service with Persistence REST layer

mpasko78
OK, had to create a truly vile hack to get around this.  I implemented a servlet on the Orbeon side, and changed my properties-local.xml file to point to it.  The REST URL for the persistence layer is passed in as a parameter, as well as a tokenID to indicate the user, and both are captured in a custom servlet filter, and then used in the persistence servlet (since as soon as it hits the servlet, all parameters have been wiped by Orbeon).

First I have a method, that does a simple HttpURLConnection REST call login, gets back the session ID (which should have the user authenticated from the passed tokenID on the server side now).
This is what hurts, quick and dirty, but it works:

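    // Fragment from the servlet's request handler: req, resp, url, sessionId and log are in scope.
    // Needs java.io.InputStream, java.io.OutputStream, java.net.HttpURLConnection, java.net.URL,
    // java.util.Enumeration, javax.servlet.ServletInputStream and javax.servlet.ServletOutputStream.
    HttpURLConnection connection = null;
    try {
        URL url_ = new URL(url);
        connection = (HttpURLConnection) url_.openConnection();
        String httpMethod = req.getMethod();

        // Copy the inbound headers except cookies; the session cookie is set explicitly below.
        Enumeration<String> names = req.getHeaderNames();
        while (names.hasMoreElements()) {
            String header = names.nextElement();
            if (header.toUpperCase().contains("COOKIE")) { continue; }
            String headerValue = req.getHeader(header);
            connection.setRequestProperty(header, headerValue);
        }
        connection.setRequestMethod(httpMethod);
        // Session ID returned by the login call, so the backend sees the authenticated user.
        connection.setRequestProperty("Cookie", sessionId);
        connection.setConnectTimeout(5000000); // value is in milliseconds

        if (httpMethod.equals("PUT")) {
            // Stream the request body to the backend, keeping a copy for the debug log.
            connection.setDoOutput(true);
            ServletInputStream in = req.getInputStream();
            OutputStream out = connection.getOutputStream();

            StringBuilder buff = new StringBuilder();
            int dataChar = in.read();
            while (dataChar != -1) {
                out.write(dataChar);
                buff.append((char) dataChar);
                dataChar = in.read();
            }
            log.debug(buff.toString());
            in.close();
            out.flush();
            out.close();

            // Relay the backend's status so a failed save is not reported as a success.
            int responseCode = connection.getResponseCode();
            resp.setStatus(responseCode);
        } else if (httpMethod.equals("GET")) {
            // Now send response: stream the backend's body back to the caller.
            connection.setDoInput(true);
            InputStream response = connection.getInputStream();
            ServletOutputStream outputResponse = resp.getOutputStream();
            int dataChar = response.read();
            while (dataChar != -1) {
                outputResponse.write(dataChar);
                dataChar = response.read();
            }
            response.close();
            outputResponse.flush();
            outputResponse.close();
        }
    } finally {
        // Always release the connection, including when the backend call throws.
        if (connection != null) { connection.disconnect(); }
    }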

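The servlet described in the post above takes the persistence URL from a request parameter and copies inbound headers onto the outgoing call. As an added example (not code from this thread or from Orbeon), here is one way to pin that forwarding to the configured persistence base. The class and method names are hypothetical, and the base URL is assumed to be the `oxf.fr.persistence.test.uri` value from the first post.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;

// Added example; ForwardTargetPolicy and its method names are hypothetical.
public final class ForwardTargetPolicy {
    // Assumption: the only backend the servlet may call (oxf.fr.persistence.test.uri).
    static final URI BASE = URI.create("http://localhost:8080/someweapapp/api/orbeon/");
    // Headers the servlet sets itself, or that only describe the inbound hop.
    static final Set<String> NOT_FORWARDED = Set.of("cookie", "authorization", "host",
            "content-length", "connection", "transfer-encoding");
    /** Returns the normalized target, or throws if it leaves the persistence base. */
    public static URI resolveTarget(String requested) {
        final URI target;
        try {
            target = new URI(requested).normalize(); // collapses "." and ".." segments
        } catch (URISyntaxException | NullPointerException e) {
            throw new IllegalArgumentException("missing or malformed target URL", e);
        }
        String path = target.getRawPath();
        boolean sameOrigin = target.getRawUserInfo() == null
                && BASE.getScheme().equalsIgnoreCase(target.getScheme())
                && BASE.getHost().equalsIgnoreCase(target.getHost())
                && BASE.getPort() == target.getPort();
        // Encoded dots or slashes could be decoded into a traversal by the backend.
        boolean cleanPath = path != null && path.startsWith(BASE.getRawPath())
                && !path.toLowerCase(Locale.ROOT).matches(".*%(2e|2f|5c).*");
        if (!sameOrigin || !cleanPath) {
            throw new IllegalArgumentException("target outside persistence base");
        }
        return target;
    }
    /** True if an inbound header may be copied onto the outgoing request. */
    public static boolean mayForward(String headerName) {
        return !NOT_FORWARDED.contains(headerName.toLowerCase(Locale.ROOT));
    }
    public static void main(String[] args) {
        // Constructed sample targets: one inside the base, one escaping it via "..".
        for (String t : new String[] {BASE + "acme/order/form/form.xhtml", BASE + "../../manager"}) {
            try {
                System.out.println("forward to " + resolveTarget(t));
            } catch (IllegalArgumentException e) {
                System.out.println("rejected " + t + ": " + e.getMessage());
            }
        }
        System.out.println("Cookie forwarded? " + mayForward("Cookie"));
    }
}
```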

Re: Issue using Authorization Service with Persistence REST layer

Erik Bruchez
Administrator
Sorry for not looking at your question earlier, but I am glad you found a workaround.

Now the call to the authorizer and the call to the persistence layer are done in two separate places. However in either case the HTTP client state (which includes cookies) should be preserved. I am not sure why the SESSIONID cookie is different. We would have to look more deeply into this to figure it out.

-Erik