Orbeon Forms community mailing list

Issue with getting orbeon-auth to work

Classic

List

Threaded

7 messages Options

alex sharaz-3

Issue with getting orbeon-auth to work

Hi,

I'm trying to set up BASIC auth using orbeon-auth and am having a few problems.

I'm running orbeon 4.7 with the matching orbeon-auth under tomcat6. I've set up a virtual host (xforms.york.ac.uk) and am calling my app using https://xforms.york.ac.uk/orbeon/console-reg/ below are the appropriate config bits and log outputs. If someone could point me in the right direction I'd be grateful.

If I try running https://xforms.york.ac.uk/orbeon-auth/console-reg/ then I get a login prompt and the logs say I've successfully authenticted with a valid role. If I try using auth via my xforms app, then I get an Unauthorised page appearing.

Config and logs

Tomcat6

<Host name="xforms.york.ac.uk" appBase ="xformapps"
        unpackWARs="false" autoDeploy="true"
        xmlValidation="false" xmlNamespaceAware="false">

 <Context path="/orbeon" docBase="orbeon" reloadable="false" override="true" crossContext="true">
           <Valve className="org.apache.catalina.authenticator.BasicAuthenticator"
                               changeSessionIdOnAuthentication="false"/>
           <Parameter override="false" 
              name="oxf.resources.priority.0" 
              value="org.orbeon.oxf.resources.FilesystemResourceManagerFactory"/>
           <Parameter override="false" 
              name="oxf.resources.priority.0.oxf.resources.filesystem.sandbox-directory" 
              value="/usr/share/tomcat6/orbeon/resources"/>

           <Resource name="jdbc/freeradius" auth="Container" type="javax.sql.DataSource"
              initialSize="3" maxActive="10" maxIdle="20" maxWait="30000"
              driverClassName="com.mysql.jdbc.Driver"
              poolPreparedStatements="true"
              validationQuery="select 1 from dual"
              testOnBorrow="true"
              username="xxxxx password="yyyy" 
              useInformationSchema="true"
              url="jdbc:mysql://a.b.c.d:3306/freeradius?noAccessToProcedureBodies=true"/>
       </Context>
       <Context path="/orbeon-auth" docBase="orbeon-auth" reloadable="false" override="false" crossContext="true">
       </Context>

orbeon properties-local.xml

 <property as="xs:string" name="oxf.http.ssl.hostname-verifier" value="allow-all"/>
    <property as="xs:anyURI" name="oxf.url-rewriting.service.base-uri" value="http://xforms.york.ac.uk/orbeon"/>
    <property as="xs:anyURI" name="oxf.fr.persistence.exist.uri" value="http://xforms.york.ac.uk/orbeon/fr/service/exist"/>
    <property as="xs:anyURI" name="oxf.fr.persistence.exist.exist-uri" value="<a href="htts://xforms.york.ac.uk/orbeon/exist/rest/db/orbeon/fr">htts://xforms.york.ac.uk/orbeon/exist/rest/db/orbeon/fr"/>
    <property as="xs:anyURI" processor-name="oxf:page-flow" name="authorizer" value="/orbeon-auth"/>
    <property as="xs:string" processor-name="oxf:page-flow" name="page-public-methods" value="HEAD"/>

orbeon-auth/WEB-INF/web.xml

<security-constraint>

<web-resource-collection>

<web-resource-name>Console Reg</web-resource-name>

<url-pattern>/console-reg/*</url-pattern>

</web-resource-collection>

<auth-constraint>

<role-name>orbeon-service</role-name>

</auth-constraint>

</security-constraint>

<security-constraint>

<web-resource-collection>

<web-resource-name>Everything else</web-resource-name>

<url-pattern>/*</url-pattern>

</web-resource-collection>

<!-- Make sure there is an empty auth-constraint to require authentication.

But since there are no constraints specified, authentication will always

fail. -->

<auth-constraint/>

</security-constraint>

When I try authenticating from my app, tomcat6 gives me the following , the important bit being "Failed authenticate() test"

5-Oct-2014 16:22:44 org.apache.catalina.authenticator.AuthenticatorBase invoke FINE: Security checking request GET /orbeon/console-reg/
15-Oct-2014 16:22:44 org.apache.catalina.realm.RealmBase findSecurityConstraints FINE:   No applicable constraints defined
15-Oct-2014 16:22:44 org.apache.catalina.authenticator.AuthenticatorBase invoke FINE:  Not subject to any constraint
15-Oct-2014 16:22:46 org.apache.catalina.authenticator.AuthenticatorBase invoke FINE: Security checking request GET /orbeon-auth/console-reg/
15-Oct-2014 16:22:46 org.apache.catalina.realm.RealmBase findSecurityConstraints FINE:   Checking constraint 'SecurityConstraint[Console Reg]' against GET /console-reg/ --> true
15-Oct-2014 16:22:46 org.apache.catalina.realm.RealmBase findSecurityConstraints FINE:   Checking constraint 'SecurityConstraint[Everything else]' against GET /console-reg/ --> true
15-Oct-2014 16:22:46 org.apache.catalina.realm.RealmBase findSecurityConstraints FINE:   Checking constraint 'SecurityConstraint[Console Reg]' against GET /console-reg/ --> true
15-Oct-2014 16:22:46 org.apache.catalina.realm.RealmBase findSecurityConstraints FINE:   Checking constraint 'SecurityConstraint[Everything else]' against GET /console-reg/ --> true
15-Oct-2014 16:22:46 org.apache.catalina.authenticator.AuthenticatorBase invoke FINE:  Calling hasUserDataPermission()
15-Oct-2014 16:22:46 org.apache.catalina.realm.RealmBase hasUserDataPermission FINE:   User data constraint has no restrictions
**15-Oct-2014 16:22:46 org.apache.catalina.authenticator.AuthenticatorBase invoke FINE:  Calling authenticate()
 15-Oct-2014 16:22:46 org.apache.catalina.authenticator.AuthenticatorBase invoke FINE:  Failed authenticate() test**
15-Oct-2014 16:22:46 org.apache.catalina.authenticator.AuthenticatorBase invoke FINE: Security checking request GET /orbeon/fr/style/bootstrap/css/bootstrap.css

and orbeon.log shows

2014-10-15 16:29:58,184 INFO  ProcessorService  - /console-reg/ - Received request
2014-10-15 16:30:00,317 INFO  PageFlowControllerProcessor  - unauthorized {controller: "oxf:/app /console-reg/page-flow.xml", method: "GET", path: "/console-reg/", status-code: "403"}
2014-10-15 16:30:00,324 INFO  PageFlowControllerProcessor  - unauthorized {controller: "oxf:/page-flow.xml", method: "GET", path: "/console-reg/", status-code: "403"}

When I try connecting to https://xforms.york.ac.uk/orbeon-auth/console-reg/ I get the following and can authenticate successfully

7-Oct-2014 10:12:37 org.apache.catalina.authenticator.AuthenticatorBase invoke

FINE: Security checking request GET /orbeon-auth/console-reg/

17-Oct-2014 10:12:37 org.apache.catalina.realm.RealmBase findSecurityConstraints

FINE: Checking constraint 'SecurityConstraint[Console Reg]' against GET /console-reg/ --> true

17-Oct-2014 10:12:37 org.apache.catalina.realm.RealmBase findSecurityConstraints

FINE: Checking constraint 'SecurityConstraint[Everything else]' against GET /console-reg/ --> true

17-Oct-2014 10:12:37 org.apache.catalina.realm.RealmBase findSecurityConstraints

FINE: Checking constraint 'SecurityConstraint[Console Reg]' against GET /console-reg/ --> true

17-Oct-2014 10:12:37 org.apache.catalina.realm.RealmBase findSecurityConstraints

FINE: Checking constraint 'SecurityConstraint[Everything else]' against GET /console-reg/ --> true

17-Oct-2014 10:12:37 org.apache.catalina.authenticator.AuthenticatorBase invoke

FINE: Calling hasUserDataPermission()

17-Oct-2014 10:12:37 org.apache.catalina.realm.RealmBase hasUserDataPermission

FINE: User data constraint has no restrictions

17-Oct-2014 10:12:37 org.apache.catalina.authenticator.AuthenticatorBase invoke

FINE: Calling authenticate()

17-Oct-2014 10:12:37 org.apache.catalina.realm.MemoryRealm authenticate

FINE: Username orbeonadmin successfully authenticated

17-Oct-2014 10:12:37 org.apache.catalina.authenticator.AuthenticatorBase register

FINE: Authenticated 'orbeonadmin' with type 'BASIC'

17-Oct-2014 10:12:37 org.apache.catalina.authenticator.AuthenticatorBase invoke

FINE: Calling accessControl()

17-Oct-2014 10:12:37 org.apache.catalina.realm.RealmBase hasResourcePermission

FINE: Checking roles GenericPrincipal[orbeonadmin(orbeon-admin,orbeon-service,)]

17-Oct-2014 10:12:37 org.apache.catalina.realm.RealmBase hasRole

FINE: Username orbeonadmin has role orbeon-service

17-Oct-2014 10:12:37 org.apache.catalina.realm.RealmBase hasResourcePermission

FINE: Role found: orbeon-service

17-Oct-2014 10:12:37 org.apache.catalina.authenticator.AuthenticatorBase invoke

FINE: Successfully passed all security constraints

Rgds

Alex

--
You received this message because you are subscribed to the Google Groups "Orbeon Forms" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].

alex sharaz-3

Re: Issue with getting orbeon-auth to work

Been a while since I sent this out, any chance of a response from someone?

Rgds

On 17 Oct 2014, at 10:16, alex sharaz wrote:

Hi,
I'm trying to set up BASIC auth using orbeon-auth and am having a few problems.

I'm running orbeon 4.7 with the matching orbeon-auth under tomcat6. I've set up a virtual host (xforms.york.ac.uk) and am calling my app using https://xforms.york.ac.uk/orbeon/console-reg/ below are the appropriate config bits and log outputs. If someone could point me in the right direction I'd be grateful.

If I try running https://xforms.york.ac.uk/orbeon-auth/console-reg/ then I get a login prompt and the logs say I've successfully authenticted with a valid role. If I try using auth via my xforms app, then I get an Unauthorised page appearing.

Config and logs

Tomcat6
<Host name="xforms.york.ac.uk" appBase ="xformapps"
        unpackWARs="false" autoDeploy="true"
        xmlValidation="false" xmlNamespaceAware="false">

 <Context path="/orbeon" docBase="orbeon" reloadable="false" override="true" crossContext="true">
           <Valve className="org.apache.catalina.authenticator.BasicAuthenticator"
                               changeSessionIdOnAuthentication="false"/>
           <Parameter override="false" 
              name="oxf.resources.priority.0" 
              value="org.orbeon.oxf.resources.FilesystemResourceManagerFactory"/>
           <Parameter override="false" 
              name="oxf.resources.priority.0.oxf.resources.filesystem.sandbox-directory" 
              value="/usr/share/tomcat6/orbeon/resources"/>

           <Resource name="jdbc/freeradius" auth="Container" type="javax.sql.DataSource"
              initialSize="3" maxActive="10" maxIdle="20" maxWait="30000"
              driverClassName="com.mysql.jdbc.Driver"
              poolPreparedStatements="true"
              validationQuery="select 1 from dual"
              testOnBorrow="true"
              username="xxxxx password="yyyy" 
              useInformationSchema="true"
              url="jdbc:mysql://a.b.c.d:3306/freeradius?noAccessToProcedureBodies=true"/>
       </Context>
       <Context path="/orbeon-auth" docBase="orbeon-auth" reloadable="false" override="false" crossContext="true">
       </Context>
orbeon properties-local.xml
 <property as="xs:string" name="oxf.http.ssl.hostname-verifier" value="allow-all"/>
    <property as="xs:anyURI" name="oxf.url-rewriting.service.base-uri" value="http://xforms.york.ac.uk/orbeon"/>
    <property as="xs:anyURI" name="oxf.fr.persistence.exist.uri" value="http://xforms.york.ac.uk/orbeon/fr/service/exist"/>
    <property as="xs:anyURI" name="oxf.fr.persistence.exist.exist-uri" value="<a href="htts://xforms.york.ac.uk/orbeon/exist/rest/db/orbeon/fr">htts://xforms.york.ac.uk/orbeon/exist/rest/db/orbeon/fr"/>
    <property as="xs:anyURI" processor-name="oxf:page-flow" name="authorizer" value="/orbeon-auth"/>
    <property as="xs:string" processor-name="oxf:page-flow" name="page-public-methods" value="HEAD"/>
orbeon-auth/WEB-INF/web.xml
<security-constraint>
<web-resource-collection>
<web-resource-name>Console Reg</web-resource-name>
<url-pattern>/console-reg/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>orbeon-service</role-name>
</auth-constraint>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>Everything else</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>

<auth-constraint/>
</security-constraint>

When I try authenticating from my app, tomcat6 gives me the following , the important bit being "Failed authenticate() test"
5-Oct-2014 16:22:44 org.apache.catalina.authenticator.AuthenticatorBase invoke FINE: Security checking request GET /orbeon/console-reg/
15-Oct-2014 16:22:44 org.apache.catalina.realm.RealmBase findSecurityConstraints FINE:   No applicable constraints defined
15-Oct-2014 16:22:44 org.apache.catalina.authenticator.AuthenticatorBase invoke FINE:  Not subject to any constraint
15-Oct-2014 16:22:46 org.apache.catalina.authenticator.AuthenticatorBase invoke FINE: Security checking request GET /orbeon-auth/console-reg/
15-Oct-2014 16:22:46 org.apache.catalina.realm.RealmBase findSecurityConstraints FINE:   Checking constraint 'SecurityConstraint[Console Reg]' against GET /console-reg/ --> true
15-Oct-2014 16:22:46 org.apache.catalina.realm.RealmBase findSecurityConstraints FINE:   Checking constraint 'SecurityConstraint[Everything else]' against GET /console-reg/ --> true
15-Oct-2014 16:22:46 org.apache.catalina.realm.RealmBase findSecurityConstraints FINE:   Checking constraint 'SecurityConstraint[Console Reg]' against GET /console-reg/ --> true
15-Oct-2014 16:22:46 org.apache.catalina.realm.RealmBase findSecurityConstraints FINE:   Checking constraint 'SecurityConstraint[Everything else]' against GET /console-reg/ --> true
15-Oct-2014 16:22:46 org.apache.catalina.authenticator.AuthenticatorBase invoke FINE:  Calling hasUserDataPermission()
15-Oct-2014 16:22:46 org.apache.catalina.realm.RealmBase hasUserDataPermission FINE:   User data constraint has no restrictions
**15-Oct-2014 16:22:46 org.apache.catalina.authenticator.AuthenticatorBase invoke FINE:  Calling authenticate()
 15-Oct-2014 16:22:46 org.apache.catalina.authenticator.AuthenticatorBase invoke FINE:  Failed authenticate() test**
15-Oct-2014 16:22:46 org.apache.catalina.authenticator.AuthenticatorBase invoke FINE: Security checking request GET /orbeon/fr/style/bootstrap/css/bootstrap.css
and orbeon.log shows
2014-10-15 16:29:58,184 INFO  ProcessorService  - /console-reg/ - Received request
2014-10-15 16:30:00,317 INFO  PageFlowControllerProcessor  - unauthorized {controller: "oxf:/app /console-reg/page-flow.xml", method: "GET", path: "/console-reg/", status-code: "403"}
2014-10-15 16:30:00,324 INFO  PageFlowControllerProcessor  - unauthorized {controller: "oxf:/page-flow.xml", method: "GET", path: "/console-reg/", status-code: "403"}
When I try connecting to https://xforms.york.ac.uk/orbeon-auth/console-reg/ I get the following and can authenticate successfully
:-

7-Oct-2014 10:12:37 org.apache.catalina.authenticator.AuthenticatorBase invoke
FINE: Security checking request GET /orbeon-auth/console-reg/
17-Oct-2014 10:12:37 org.apache.catalina.realm.RealmBase findSecurityConstraints
FINE: Checking constraint 'SecurityConstraint[Console Reg]' against GET /console-reg/ --> true
17-Oct-2014 10:12:37 org.apache.catalina.realm.RealmBase findSecurityConstraints
FINE: Checking constraint 'SecurityConstraint[Everything else]' against GET /console-reg/ --> true
17-Oct-2014 10:12:37 org.apache.catalina.realm.RealmBase findSecurityConstraints
FINE: Checking constraint 'SecurityConstraint[Console Reg]' against GET /console-reg/ --> true
17-Oct-2014 10:12:37 org.apache.catalina.realm.RealmBase findSecurityConstraints
FINE: Checking constraint 'SecurityConstraint[Everything else]' against GET /console-reg/ --> true
17-Oct-2014 10:12:37 org.apache.catalina.authenticator.AuthenticatorBase invoke
FINE: Calling hasUserDataPermission()
17-Oct-2014 10:12:37 org.apache.catalina.realm.RealmBase hasUserDataPermission
FINE: User data constraint has no restrictions
17-Oct-2014 10:12:37 org.apache.catalina.authenticator.AuthenticatorBase invoke
FINE: Calling authenticate()
17-Oct-2014 10:12:37 org.apache.catalina.realm.MemoryRealm authenticate
FINE: Username orbeonadmin successfully authenticated
17-Oct-2014 10:12:37 org.apache.catalina.authenticator.AuthenticatorBase register
FINE: Authenticated 'orbeonadmin' with type 'BASIC'
17-Oct-2014 10:12:37 org.apache.catalina.authenticator.AuthenticatorBase invoke
FINE: Calling accessControl()
17-Oct-2014 10:12:37 org.apache.catalina.realm.RealmBase hasResourcePermission
FINE: Checking roles GenericPrincipal[orbeonadmin(orbeon-admin,orbeon-service,)]
17-Oct-2014 10:12:37 org.apache.catalina.realm.RealmBase hasRole
FINE: Username orbeonadmin has role orbeon-service
17-Oct-2014 10:12:37 org.apache.catalina.realm.RealmBase hasResourcePermission
FINE: Role found: orbeon-service
17-Oct-2014 10:12:37 org.apache.catalina.authenticator.AuthenticatorBase invoke
FINE: Successfully passed all security constraints
Rgds
Alex
--
You received this message because you are subscribed to the Google Groups "Orbeon Forms" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].

Alessandro Vernet

Re: Issue with getting orbeon-auth to work

Administrator

Hi Alex,

You're saying:

If I try running https://xforms.york.ac.uk/orbeon-auth/console-reg/ then I get a login prompt and the logs say I've successfully authenticted with a valid role. If I try using auth via my xforms app, then I get an Unauthorised page appearing.

I am not following: after you log into the BASIC auth dialog, can you see the page fine, any page? What do you mean by "auth via my xforms app"? Is this something different than BASIC auth?

Alex

--
Follow Orbeon on Twitter: @orbeon
Follow me on Twitter: @avernet

alex sharaz-3

Re: Issue with getting orbeon-auth to work

On 20 Oct 2014, at 18:33, Alessandro Vernet wrote:

Hi Alex,

You're saying:

/If I try running https://xforms.york.ac.uk/orbeon-auth/console-reg/ then I
get a login prompt and the logs say I've successfully authenticted with a
valid role. If I try using auth via my xforms app, then I get an
Unauthorised page appearing./

I am not following: after you log into the BASIC auth dialog, can you see
the page fine, any page? What do you mean by "auth via my xforms app"? Is
this something different than BASIC auth?

oops sorry, my fault. When I try opening https://xforms.york.ac.uk/orbeon/console-reg/ I get to an unauthorized page. Its sujpposed to be doing BASIC atuh but I don't even get prompted for a userid and password dialogue box.

The tomcat6 logs ahow

15-Oct-2014 16:22:46 org.apache.catalina.realm.RealmBase findSecurityConstraints FINE:   Checking constraint 'SecurityConstraint[Everything else]' against GET /console-reg/ --> true
15-Oct-2014 16:22:46 org.apache.catalina.authenticator.AuthenticatorBase invoke FINE:  Calling hasUserDataPermission()
15-Oct-2014 16:22:46 org.apache.catalina.realm.RealmBase hasUserDataPermission FINE:   User data constraint has no restrictions
**15-Oct-2014 16:22:46 org.apache.catalina.authenticator.AuthenticatorBase invoke FINE:  Calling authenticate()
 15-Oct-2014 16:22:46 org.apache.catalina.authenticator.AuthenticatorBase invoke FINE:  Failed authenticate() test**
15-Oct-2014 16:22:46 org.apache.catalina.authenticator.AuthenticatorBase invoke FINE: Security checking request GET /orbeon/fr/style/bootstrap/css/bootstrap.css

Alex

-----
--
Follow Orbeon on Twitter: @orbeon
Follow me on Twitter: @avernet
--
View this message in context: http://discuss.orbeon.com/Issue-with-getting-orbeon-auth-to-work-tp4659136p4659148.html
Sent from the Orbeon Forms community mailing list mailing list archive at Nabble.com.

--
You received this message because you are subscribed to the Google Groups "Orbeon Forms" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].

Alessandro Vernet

Re: Issue with getting orbeon-auth to work

Administrator

Hi Alex,

Okay, got it. Now it is unclear to me whether authentication is failing at the Tomcat level or Orbeon Forms level:

- If at the Tomcat level: maybe the browser is sending an incorrect Authorization header? If it does, it's possible you get an error from the server and don't get ask for the password again. Do you get the prompt again after restarting your browser? If you are, after logging in, are you still getting the authentication error?

- If at the Orbeon Form level: do you have any XForms code in your app doing authentication? Would you get the same problem if using your web.xml on the vanilla Orbeon Forms?

Alex

--
Follow Orbeon on Twitter: @orbeon
Follow me on Twitter: @avernet

alex sharaz-3

Re: Issue with getting orbeon-auth to work

In reply to this post by Alessandro Vernet

Not sure if my reply to this appeared on the list.

Didn't phrase it properly.

When I try running https://xforms.york.ac.uk/orbeon/console-reg/ I don't get a login dialogue box prompt, I just get redirected to an orbeon unauthorised page.

Looking in the tomcat6 logs I see

15-Oct-2014 16:22:46 org.apache.catalina.realm.RealmBase hasUserDataPermission FINE:   User data constraint has no restrictions
**15-Oct-2014 16:22:46 org.apache.catalina.authenticator.AuthenticatorBase invoke FINE:  Calling authenticate()
 15-Oct-2014 16:22:46 org.apache.catalina.authenticator.AuthenticatorBase invoke FINE:  Failed authenticate() test**

Where can I get the source of orbeon-auth ?

Rgds

On 20 Oct 2014, at 18:33, Alessandro Vernet wrote:

Hi Alex,

You're saying:

/If I try running https://xforms.york.ac.uk/orbeon-auth/console-reg/ then I
get a login prompt and the logs say I've successfully authenticted with a
valid role. If I try using auth via my xforms app, then I get an
Unauthorised page appearing./

I am not following: after you log into the BASIC auth dialog, can you see
the page fine, any page? What do you mean by "auth via my xforms app"? Is
this something different than BASIC auth?

Alex

-----
--
Follow Orbeon on Twitter: @orbeon
Follow me on Twitter: @avernet
--
View this message in context: http://discuss.orbeon.com/Issue-with-getting-orbeon-auth-to-work-tp4659136p4659148.html
Sent from the Orbeon Forms community mailing list mailing list archive at Nabble.com.

--
You received this message because you are subscribed to the Google Groups "Orbeon Forms" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].

Alessandro Vernet

Re: Issue with getting orbeon-auth to work

Administrator

Hi Alex,

This even after restarting the browser? Tomcat should ask you to enter a password if you access https://xforms.york.ac.uk/orbeon/console-reg/ and in your web.xml have:

<security-constraint>
<web-resource-collection>
<web-resource-name>Console Reg</web-resource-name>
<url-pattern>/console-reg/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>orbeon-service</role-name>
</auth-constraint>
</security-constraint>

BTW, as I understand it, this isn't related to Orbeon Forms: it is Tomcat that should ask the user to authenticate based on what you have in the web.xml, or am I missing something?

Alex

--
Follow Orbeon on Twitter: @orbeon
Follow me on Twitter: @avernet