Orbeon Integration with form based Authentication App


Orbeon Integration with form based Authentication App

Karthi
Hi,

In the case of the Orbeon separate-WAR integration, what is the recommended way to integrate Orbeon with an application that uses form-based authentication?

For example, when a user is successfully authenticated in app1, should app1 request Orbeon to create a new session that is valid as long as app1's session is valid?

I am using Orbeon v4.9.

Thanks,

Re: Orbeon Integration with form based Authentication App

Alessandro Vernet
Administrator
Hi Karthi,

There are many possible ways of doing this, but the simplest, if you have your own web app in which you want to "insert" a form created with Form Builder, is to use the server-side embedding API. This way users will only access your app, and you don't have to worry about authentication across web apps. You can find more about it on:

https://github.com/orbeon/orbeon-forms/wiki/Form-Runner-~-APIs-~-Server-side-Embedding

Is this something that could work for you? If not, could you elaborate on why this wouldn't work in your case?

Alex
--
Follow Orbeon on Twitter: @orbeon
Follow me on Twitter: @avernet

Re: Orbeon Integration with form based Authentication App

Karthi
Hi Alessandro,

Thank you for your reply.

I have integrated our application using the server-side embedding approach you mentioned.
The problem I face now is sharing the user session data between Orbeon and our application.

I tried using SSO configuration (Tomcat) but this did not work as our application is using Spring MVC and the session created by Spring is not shared with Orbeon (also we do not want to share entire session).

So I am looking for an Orbeon feature where, when a user (Spring) session is created in our application, I can create an equivalent user session in Orbeon, and destroy the Orbeon session when our application's user session is destroyed.

I am not sure if the Orbeon session listener configuration can be used for this scenario.

For now, I am going with the request token approach below:

1) APP: For any Orbeon form request, generate a new request token and set it in the Orbeon initial form data (basically binding it to a model variable).
2) Orbeon: Upon any XForms submission, include the initial request token in the call to the APP callback service (as it is already bound to a model value).
3) APP: Validate the request token (possibly maintaining the required session data for the request token) and process the request.

Here the Orbeon session is not bound to the user session but to the 'APP' application, and there is a possible 'session expiration synchronisation between Orbeon and APP application' issue.

Also there is application overhead to generate and manage the request token and to duplicate user data for Orbeon requests.

If there is a way this can be simplified using an Orbeon feature, it would be helpful.

Please let me know if you need more information and if I have overlooked any obvious Orbeon feature that fits the above requirement.

Thanks,
Karthi

Re: Orbeon Integration with form based Authentication App

Alessandro Vernet
Administrator
Hi Karthi,

Excellent, I'm glad that integration worked for you. I imagine that you need to "share the session" because the form is then doing a submission to your app, and when handling the submission you want to know who the user is?

If that is the case, your solution with a token works, and we've recommended this in the past. But I agree, this is probably more complex than it should be, so for now I've created the following RFE. Let me know if you have any feedback about it.

https://github.com/orbeon/orbeon-forms/issues/2404

Alex
--
Follow Orbeon on Twitter: @orbeon
Follow me on Twitter: @avernet

Re: Orbeon Integration with form based Authentication App

Karthi
Hi Alessandro,

The proposed change looks good.
Is it a fair assumption that the JSESSIONID cookie in the API parameter is just an example?
If not, I think it would be good if the new API parameter were not restricted to a session id, but left to the APP to manage the parameter value. This would make integration simpler for an APP that requires a few parameters to be shared.

Thanks,

Re: Orbeon Integration with form based Authentication App

Alessandro Vernet
Administrator
Hi Karthi,

Yes, certainly. I added a comment to the issue to make that clear.

Alex
--
Follow Orbeon on Twitter: @orbeon
Follow me on Twitter: @avernet

Re: Orbeon Integration with form based Authentication App

Karthi
Thank you.

Re: Orbeon Integration with form based Authentication App

sodastream
Hi,

I wanted to integrate Orbeon in an application that uses Spring Security for access control. Preferably with Orbeon more or less out of the box to minimize upgrade problems. I ran smack into the session problems that Karthi reported. They could be solved by fiddling with Tomcat, but I'd rather also use Tomcat out of the box, for the above reason (and others).

I ended up creating an Orbeon proxy. It runs as a separate servlet that has access to the application database. The proxy runs on a publicly accessible port while Orbeon does not. Links from the application to Orbeon are replaced by a random UUID. The translation back to the real link is written as a database record. The proxy looks up the record and translates back to the real link. Only links beginning with "/fr/" are treated this way. Others (actually the vast majority) pass straight through. Users never see the real links in their browsers.

Additionally, a translation database record has a timestamp and a reference counter. The proxy increments the counter when it does the translation. The translation is valid only a minute or so, and only if the counter is zero. So anyone can copy and paste the URL into some other browser, but they would just get "Orbeon Forms - Page Not Found".

The net effect is that the application enforces access control over Form Builder and Form Runner, with just one more trick. When a user wants to create a new form, or wants to fill out an existing form, we must prepare this for them behind the scenes in order to connect the new object to its owner, a Spring Security Principal. Then we may throw the new object to Form Builder or Form Runner. The Orbeon tools are completely unaware of the application's access control.

Convoluted? Definitely. Works? Yes it does. Performance? No serious measurements, but seems reasonable.

I mention this as an interesting experiment rather than a solution to be copied. Perhaps someone out there has a brilliant idea that I missed.
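Both Karthi's request-token callback and sodastream's proxy rely on the same check: an opaque random token issued by the app, resolved at most once, within a short time window, and tied to the principal who requested it. The following is an added illustration of that check, not code from the thread or from Orbeon; the `/proxy/` prefix, the in-memory store standing in for sodastream's database table, and the injectable clock are assumptions made for the example.

```python
import time
import uuid
from dataclasses import dataclass


@dataclass
class LinkRecord:
    """Stands in for sodastream's translation database record."""
    target: str      # the real Orbeon link, e.g. "/fr/orbeon/contact/new"
    owner: str       # the authenticated principal the link was prepared for
    created: float   # issue time, used for the TTL check
    uses: int = 0    # reference counter; the record is valid only while this is zero


class LinkTranslator:
    """Replaces /fr/ links with a random UUID and resolves each UUID once, within a TTL."""

    def __init__(self, ttl_seconds=60, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock          # injectable so expiry can be tested deterministically
        self.records = {}

    def issue(self, real_path, owner):
        """Outbound direction: app -> browser. Only /fr/ links are rewritten."""
        if not real_path.startswith("/fr/"):
            return real_path        # everything else passes straight through
        token = uuid.uuid4().hex
        self.records[token] = LinkRecord(real_path, owner, self.clock())
        return "/proxy/" + token

    def resolve(self, proxied_path):
        """Inbound direction: browser -> proxy. Returns the real link or None if rejected."""
        if not proxied_path.startswith("/proxy/"):
            return proxied_path     # pass-through, mirroring issue()
        token = proxied_path[len("/proxy/"):]
        rec = self.records.get(token)
        if rec is None:
            return None             # unknown token: the "Page Not Found" case
        expired = self.clock() - rec.created > self.ttl
        if expired or rec.uses > 0:
            return None             # stale or replayed link is rejected
        rec.uses += 1               # consume the single use
        return rec.target
```

A copied link therefore fails on the second lookup even inside the TTL, which is what makes the indirection safe to show in the browser.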