Limiting access to a page using the PFC?

Limiting access to a page using the PFC?

Robin Diederen

Hello all,

We use the redirection function of the Orbeon PFC to redirect users after doing a successful submission (to display some message regarding the submission).

This mechanism works just fine, but now we want to limit the reachability of the pages users are redirected to. We want these pages to be reachable if, and only if, the user is sent there after doing a submission. Currently it's perfectly possible to access these pages by entering their URL.

Can this be done easily with the PFC?

Best, Robin

--
You receive this message as a subscriber of the [hidden email] mailing list.
To unsubscribe: mailto:[hidden email]
For general help: mailto:[hidden email]?subject=help
OW2 mailing lists service home page: http://www.ow2.org/wws
Re: Limiting access to a page using the PFC?

Tom Grahame
Hi Robin,

I would use some combination of the action and result elements of the PFC:

http://www.orbeon.com/orbeon/doc/reference-page-flow#action-element

Using an action element you could execute a pipeline that checks to see if the URL has been accessed after the submission, something like this (not tested):

<page id="reached-after-submission" path-info="/reached/after/submission/">
        <!-- The action pipeline runs before the page's model/view; its "data"
             output is what the result/@when expressions are evaluated against -->
        <action action="check-to-see-where-the-user-is-from.xpl">
                <!-- when="..." is an XPath expression over that output; the value
                     below is a placeholder for a test on what the pipeline returns -->
                <result when="not-from-submission-xpath2.0" page="some-other-page"/>
        </action>
</page>

check-to-see-where-the-user-is-from.xpl might use something like the request processor

http://www.orbeon.com/orbeon/doc/processors-generators-request

to do this.

Hope this is of some use,

Tom
Re: Limiting access to a page using the PFC?

Alessandro Vernet
In reply to this post by Robin Diederen
Robin,

I think Tom suggests to use the request generator in the target page
to see if the user indeed comes from the source page you expected (the
Referer header will tell you that). This is reasonable if you just
want to catch users who bookmarked a page by mistake, but you don't
want to rely on this for security as users could fake that header.

Alex

On Wed, Mar 3, 2010 at 1:09 PM, Robin Diederen <[hidden email]> wrote:

--
Orbeon Forms - Web forms, open-source, for the Enterprise -
http://www.orbeon.com/
My Twitter: http://twitter.com/avernet

--
Follow Orbeon on Twitter: @orbeon
Follow me on Twitter: @avernet
RE: Re: Limiting access to a page using the PFC?

Robin Diederen
Hi Alex, Tom,

Thanks for the suggestion. I didn't find the time to implement this just yet, but I think this is exactly what I am after. I won't be using this for security, just for the case mentioned by Alex.

Best, Robin

-----Original message-----
From: Alessandro Vernet <[hidden email]>
Sent: Fri 05-03-2010 04:45
To: [hidden email];
Subject: [ops-users] Re: Limiting access to a page using the PFC?
Re: Limiting access to a page using the PFC?

Tom Grahame
In reply to this post by Alessandro Vernet
Indeed, the method I propose is not secure.

So, how might this be done with security in mind?

Regards,

Tom
RE: Re: Limiting access to a page using the PFC?

Robin Diederen
Hi Tom,

My guess would be that this depends on how security is implemented in your system.

We for one use pipelines with SOAP and LDAP processors for security (LDAP can be used for, amongst others, doing Active Directory lookups).

It's perfectly possible to use these processors in any pipeline and implement / add security. Of course, this is just one of the many ways to implement security :-).

Best, Robin

-----Original message-----
From: Tom Grahame <[hidden email]>
Sent: Fri 05-03-2010 11:15
To: [hidden email];
Subject: [ops-users] Re: Limiting access to a page using the PFC?
RE: Re: Limiting access to a page using the PFC?

Tom Grahame
Well just for the sake of interest, I'll carry this on...

Security in our system is handled primarily by Java Struts applications that sit within the same context as Orbeon.
Using parameters passed to them via Orbeon Forms, they interrogate LDAP and Central Authentication services, writing values into the session.
It's then up to Orbeon Pipelines/Processors to check the session for appropriate values and inform the app behaviour/browser.

I understand this is all possible because the Struts apps and Orbeon apps are able to share the same session state, but the details of this are vague to me.

I find this topic interesting because Orbeon does not have a security model of its own (and rightly so), but in order to use Orbeon in other projects, a collection of best practice solutions for such an important topic is nice to have.

Best wishes,

Tom
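As an added example (mine, not code from this thread or from Orbeon), here is the check pipeline that Tom's PFC fragment calls, written against the server-side session Tom describes at the end rather than the Referer header Alex points out a client can forge. It assumes the submission page's own pipeline stored `<flag>true</flag>` under the session key `from-submission` using oxf:scope-serializer, and that the PFC result reads `when="/check/from-submission = 'false'"`.

```xml
<p:config xmlns:p="http://www.orbeon.com/oxf/pipeline"
          xmlns:oxf="http://www.orbeon.com/oxf/processors">

    <!-- The PFC evaluates each <result when="..."/> XPath against this output -->
    <p:param type="output" name="data"/>
    <!-- Read the flag the submission page stored server-side in the HTTP session
         (assumed: that page ran oxf:scope-serializer with key "from-submission"
         and data <flag>true</flag>). A missing key yields a nil <null/> element. -->
    <p:processor name="oxf:scope-generator">
        <p:input name="config">
            <config>
                <key>from-submission</key>
                <scope>session</scope>
            </config>
        </p:input>
        <p:output name="data" id="flag"/>
    </p:processor>

    <!-- Normalise to <check><from-submission>true|false</from-submission></check>.
         The browser never sees or controls this value, unlike the Referer header. -->
    <p:processor name="oxf:xslt">
        <p:input name="data" href="#flag"/>
        <p:input name="config">
            <check xsl:version="2.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
                <from-submission><xsl:value-of select="/flag = 'true'"/></from-submission>
            </check>
        </p:input>
        <p:output name="data" ref="data"/>
    </p:processor>

    <!-- Consume the flag so a reload or bookmark of the target page fails the check.
         Deriving the new value from #flag makes XPL read the session before overwriting it. -->
    <p:processor name="oxf:xslt">
        <p:input name="data" href="#flag"/>
        <p:input name="config">
            <flag xsl:version="2.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">false</flag>
        </p:input>
        <p:output name="data" id="consumed"/>
    </p:processor>
    <p:processor name="oxf:scope-serializer">
        <p:input name="config">
            <config>
                <key>from-submission</key>
                <scope>session</scope>
            </config>
        </p:input>
        <p:input name="data" href="#consumed"/>
    </p:processor>
</p:config>
```

Because the flag is consumed on first read, the target page opens once per submission; a bookmarked or retyped URL evaluates to `false` and the PFC sends the user to the fallback page instead.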