Java authentication sample: Access to resource denied.

Java authentication sample: Access to resource denied.

ncrofts
I am having a problem with the Orbeon Forms java authentication sample.

I enabled the commented-out security config section in the standard Orbeon web.xml and defined a tomcat_users.xml file in my Tomcat 6.0.20 installation. It seems to work ok when you supply a valid when you either supply an invalid username/password or

However, a third case seems to cause a problem, namely if you try and log on using a valid username/password which does not have a role set to allow access to the /java-authentication/* resources.

Under this circumstance, the container returns a page entitled "HTTP Status 403 - Access to the requested resource has been denied". It then does not seem possible to navigate back to the login URL; you always seem to get redirected to the HTTP Status 403 page instead.

Is there any way of handling this situation in Orbeon Forms such that failure to log on for whatever reason causes the login failure page defined in web.xml to be run?

Thanks,
Neil.
Re: Java authentication sample: Access to resource denied.

ncrofts
I have made some progress on this. I think it is a general container issue, as the same issue occurs when running Orbeon under Jetty.

I think it is possible to explicitly handle the HTTP 403 error by adding an <error-page> element for the <error-code>403</error-code> to the web.xml and then define where this is redirected to.

I'm not certain though if this is the recommended way to deal with this issue or if there is a better method built in to Orbeon Forms. I don't see any <error-code> definitions in the standard Orbeon web.xml, so does this imply that Orbeon Forms is meant to handle such error codes behind the scenes, or are such errors for the application developer to handle explicitly? If OF does handle this I was wondering, is there some additional configuration I need to add to handle the 403 error through the standard Orbeon error handling pipelines?

Thanks,
Neil

Re: Re: Java authentication sample: Access to resource denied.

Alessandro Vernet
Administrator
Neil,

On Sep 15, 2009, at 3:27 PM, ncrofts wrote:

> I have made some progress on this. I think it is a general container issue, as the same issue occurs when running Orbeon under Jetty.

I am confused about the error you get. Could you attach a screenshot of the page you get with the 403 error? If the login is incorrect, the container (Tomcat) should redirect you to the page defined in form-error-page, inside your web.xml, which for that example is java-authentication/login-error.

Alex
--
Orbeon Forms - Web forms, open-source, for the Enterprise
Orbeon's Blog: http://www.orbeon.com/blog/
My Twitter: http://twitter.com/avernet



--
You receive this message as a subscriber of the [hidden email] mailing list.
To unsubscribe: mailto:[hidden email]
For general help: mailto:[hidden email]?subject=help
OW2 mailing lists service home page: http://www.ow2.org/wws
Re: Re: Java authentication sample: Access to resource denied.

ncrofts
Hi Alex,

Please see the screenshot of the 403 status error:

[Attachment: HTTP+Status+403.JPG]

The situation occurs when you successfully log in with a valid username/password, but are attempting to access a resource for which that user does not have the appropriate role. For example, an ordinary user may have valid credentials to log into all but the /admin/* resources. In the case that they attempt to navigate initially to an admin page the servlet container login mechanism redirects to the login page, takes your credentials, finds that you are a known user, but then returns HTTP status 403 as you don't have the Admin role to enable access to /admin pages. This then results in the HTTP status 403 page being displayed rather than the form-error-page. Incidentally, the form-error-page does get displayed for other cases such as trying to log on with invalid credentials.

I can explicitly add an error page for the 403 error code to web.xml and handle this situation, but I was wondering if this is something you would ordinarily have expected to have been picked up by the Orbeon Forms framework and redirected via the error pipeline?

Regards,
Neil

Re: Re: Re: Java authentication sample: Access to resource denied.

Alessandro Vernet
Administrator
Neil,

On Thu, Sep 17, 2009 at 12:49 AM, ncrofts <[hidden email]> wrote:
> The situation occurs when you successfully log in with a valid username/password, but are attempting to access a resource for which that user does not have the appropriate role.

Ah, I see. The user is properly authenticated, but doesn't have the required role to access a given page. Maybe the main thing in this case is to make sure in your app not to provide that user with a link to a page they should not be able to access. But if they somehow manage to reach a page they shouldn't be able to access, you can set up a custom error page by adding what follows to your web.xml:

<error-page>
    <error-code>403</error-code>
    <location>/403-error</location>
</error-page>

As you suspected, this is a standard web.xml configuration. You can read more about the <error-page> element in the WebLogic documentation:

http://download.oracle.com/docs/cd/E12840_01/wls/docs103/webapp/web_xml.html#wp1017571

Alex
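As an added example (not from this thread or the Orbeon sample), here is a Servlet 2.5 handler that could be mapped to the /403-error <location> shown above; the package, class name and the matching <servlet-mapping> in web.xml are assumptions. It records the denied principal and URI for audit and invalidates the session so the container's form login can run again, which is why the 403 page looked impossible to escape: an already-authenticated user is never sent back to form-login-page.

```java
package example; // hypothetical package; map this servlet to /403-error in web.xml

import java.io.IOException;
import java.io.PrintWriter;
import java.security.Principal;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class ForbiddenHandlerServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // The container sets these request attributes before forwarding to an <error-page>.
        Integer status = (Integer) req.getAttribute("javax.servlet.error.status_code");
        String deniedUri = (String) req.getAttribute("javax.servlet.error.request_uri");
        Principal user = req.getUserPrincipal(); // non-null here: the user DID authenticate

        // Audit trail: a valid login lacking the required role is worth a log line,
        // both for diagnosing role assignments and for spotting users probing /admin/*.
        log("403 for user=" + (user == null ? "<anonymous>" : user.getName())
                + " uri=" + deniedUri + " remote=" + req.getRemoteAddr());

        // Drop the authenticated session so the next protected request triggers
        // the form login again instead of bouncing straight back to this page.
        HttpSession session = req.getSession(false);
        if (session != null) {
            session.invalidate();
        }

        resp.setStatus(status != null ? status : HttpServletResponse.SC_FORBIDDEN);
        resp.setContentType("text/html;charset=UTF-8");
        PrintWriter out = resp.getWriter();
        // Deliberately do not echo deniedUri into the page (avoids reflected XSS).
        out.println("<html><body><h1>Access denied</h1>");
        out.println("<p>Your account is not authorised for this page.</p>");
        out.println("<p><a href=\"" + req.getContextPath()
                + "/\">Return and sign in as another user</a></p>");
        out.println("</body></html>");
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        doGet(req, resp); // the container forwards with the original method, which may be POST
    }
}
```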
Re: Re: Re: Java authentication sample: Access to resource denied.

ncrofts
Alex,

Yes, that is the issue, and thanks for confirming that the correct approach to resolving it is to define an explicit 403 handler.

Regards,
Neil
