I am having a problem with the Orbeon Forms java authentication sample.
I enabled the commented out security config section in the standard Orbeon web.xml and defined a tomcat_users.xml file in my Tomcat 6.0.20 installation. It seems to work ok when you supply a valid when you either supply an invalid username/password or However a third case seems to cause a problem, namely if you try and log on using a valid username/password which does not have a role set to allow access to the /java-authentication/* resources. Under this circumstance, the container returns a page entitled "HTTP Status 403 - Access to the requested resource has been denied". It then does not seem possible to navigate back to the login URL; you always seem to get redirected to the HTTP Status 403 page instead.

Is there any way of handling this situation in Orbeon Forms such that failure to log on for whatever reason causes the login failure page defined in web.xml to be run?

Thanks, Neil.
I have made some progress on this. I think it is a general container issue, as the same issue occurs when running Orbeon under Jetty.
I think it is possible to explicitly handle the HTTP 403 error by adding an <error-page> element for the <error-code>403</error-code> to the web.xml and then defining where this is redirected to. I'm not certain, though, if this is the recommended way to deal with this issue or if there is a better method built in to Orbeon Forms. I don't see any <error-code> definitions in the standard Orbeon web.xml, so does this imply that Orbeon Forms is meant to handle such error codes behind the scenes, or are such errors for the application developer to handle explicitly? If OF does handle this, I was wondering whether there is some additional configuration I need to add to handle the 403 error through the standard Orbeon error handling pipelines?

Thanks, Neil
Neil,
On Sep 15, 2009, at 3:27 PM, ncrofts wrote:
> I have made some progress on this. I think it is a general container issue,
> as the same issue occurs when running Orbeon under Jetty.

I am confused about the error you get. Could you attach a screenshot of the page you get with the 403 error? If the login is incorrect, the container (Tomcat) should redirect you to the page defined in form-error-page, inside your web.xml, which for that example is java-authentication/login-error.

Alex
--
Orbeon Forms - Web forms, open-source, for the Enterprise
Orbeon's Blog: http://www.orbeon.com/blog/
My Twitter: http://twitter.com/avernet
Hi Alex,
Please see the attached screenshot of the 403 status error (HTTP+Status+403.JPG).

The situation occurs when you successfully log in with a valid username/password, but are attempting to access a resource for which that user does not have the appropriate role. For example, an ordinary user may have valid credentials to log into all but the /admin/* resources. In the case that they attempt to navigate initially to an admin page, the servlet container login mechanism redirects to the login page, takes your credentials, finds that you are a known user, but then returns HTTP status 403 as you don't have the Admin role to enable access to /admin pages. This then results in the HTTP status 403 page being displayed rather than the form-error-page. Incidentally, the form-error-page does get displayed for other cases such as trying to log on with invalid credentials.

I can explicitly add an error page for the 403 error code to web.xml and handle this situation, but I was wondering if this is something you would ordinarily have expected to have been picked up by the Orbeon Forms framework and redirected via the error pipeline?

Regards, Neil
Neil,
On Thu, Sep 17, 2009 at 12:49 AM, ncrofts <[hidden email]> wrote:
> The situation occurs when you successfully log in with a valid
> username/password, but are attempting to access a resource for which that
> user does not have the appropriate role.

Ah, I see. The user is properly authenticated, but doesn't have the required role to access a given page. Maybe the main thing in this case is to make sure in your app not to provide that user with a link to a page they should not be able to access. But if they somehow manage to reach a page they shouldn't be able to access, you can set up a custom error page by adding what follows to your web.xml:

    <error-page>
        <error-code>403</error-code>
        <location>/403-error</location>
    </error-page>

As you suspected, this is a standard web.xml configuration. You can read more about the <error-page> element in the WebLogic documentation:
http://download.oracle.com/docs/cd/E12840_01/wls/docs103/webapp/web_xml.html#wp1017571

Alex
--
Orbeon Forms - Web forms, open-source, for the Enterprise
Orbeon's Blog: http://www.orbeon.com/blog/
My Twitter: http://twitter.com/avernet
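A web.xml security section that puts the pieces of this thread together, added here as an illustration rather than taken from the Orbeon sample's own configuration. The role names (orbeon-user, orbeon-admin), the /admin/* pattern, the login page path and the /403-error location are assumed; only the 403 <error-page> mapping and the java-authentication/login-error path come from the thread.

```xml
<!-- Added example, not Orbeon's own web.xml. Role names, URL patterns
     and the /403-error location are assumed for illustration. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Authenticated pages</web-resource-name>
    <url-pattern>/java-authentication/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <!-- Any authenticated user holding this role may access these pages -->
    <role-name>orbeon-user</role-name>
  </auth-constraint>
</security-constraint>

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Admin pages</web-resource-name>
    <url-pattern>/admin/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <!-- Only this role may access /admin/*; a valid user without it gets 403 -->
    <role-name>orbeon-admin</role-name>
  </auth-constraint>
</security-constraint>

<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/java-authentication/login</form-login-page>
    <!-- Reached only when authentication fails (unknown user, bad password) -->
    <form-error-page>/java-authentication/login-error</form-error-page>
  </form-login-config>
</login-config>

<!-- Authorization failures (known user, missing role) never reach
     form-error-page; the container answers 403, which is mapped here -->
<error-page>
  <error-code>403</error-code>
  <location>/403-error</location>
</error-page>

<security-role>
  <role-name>orbeon-user</role-name>
</security-role>
<security-role>
  <role-name>orbeon-admin</role-name>
</security-role>
```

With this in place, the corresponding tomcat-users.xml (assumed) would give every user the orbeon-user role and administrators orbeon-admin as well, so that the two cases Neil describes land on different pages.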
Alex,
Yes, that is the issue, and thanks for confirming that the correct approach to resolving it is to define an explicit 403 handler.

Regards, Neil