Hi folks.

Could anybody help me how to secure Form Builder from unauthorised access? I tried to do it using Apache front-end as described at http://wiki.orbeon.com/forms/doc/user-guide/form-runner-user-guide#TOC-Form-Runner-access-and-authenticati

I have in httpd conf:

<LocationMatch /orbeon-3.8.0.post.201012130847-CE/fr/orbeon/builder>
AuthType Basic
AuthName "Orbeon Forms"
AuthUserFile /var/www/htpasswd
Require valid-user
</LocationMatch>

(Complete conf is below if necessary).

It allows anonymous user to access published forms and requires auth for Form Builder access - great. But after I enter correct login/password I see empty summary of Form Builder (no form definitions). In orbeon.log I see the following:

2010-12-13 19:56:55,077 INFO ProcessorService - /fr/service/exist/search/orbeon/builder - Received request
2010-12-13 19:56:55,330 ERROR XFormsServer - xforms-submit-error - response {status code: "401"}
2010-12-13 19:56:55,331 ERROR XFormsServer - xforms-submit-error - response headers {content-type: "text/html;charset=utf-8", connection: "close", www-authenticate: "Basic realm="exist"", content-length: "954", date: "Mon, 13 Dec 2010 16:56:55 GMT"}
...(Complete log is below.)...

It looks like accessing eXist requires some kind of credentials now. But why? LocationMatch should not match. Could anybody please tell me what I did wrong?

Best regards,
Alexey

P.S. I use version from git now but I encounter the same problem on 3.8.0 CE/PE.

=================================
Complete entry in httpd.conf
=================================
<VirtualHost *:80>
ServerAdmin [hidden email]
ServerName www.example.com
ErrorLog logs/proxy-error_log
CustomLog logs/proxy-access_log common
ProxyRequests Off
ProxyPreserveHost On
ProxyPass /orbeon-3.8.0.post.201012130847-CE ajp://localhost:9090/orbeon-3.8.0.post.201012130847-CE
ProxyPassReverse /orbeon-3.8.0.post.201012130847-CE ajp://localhost:9090/orbeon-3.8.0.post.201012130847-CE
<LocationMatch /orbeon-3.8.0.post.201012130847-CE/fr/orbeon/builder>
AuthType Basic
AuthName "Orbeon Forms"
AuthUserFile /var/www/htpasswd
Require valid-user
</LocationMatch>
</VirtualHost>
=================================

=================================
Complete error in orbeon.log
=================================
2010-12-13 19:56:55,077 INFO ProcessorService - /fr/service/exist/search/orbeon/builder - Received request
2010-12-13 19:56:55,330 ERROR XFormsServer - xforms-submit-error - response {status code: "401"}
2010-12-13 19:56:55,331 ERROR XFormsServer - xforms-submit-error - response headers {content-type: "text/html;charset=utf-8", connection: "close", www-authenticate: "Basic realm="exist"", content-length: "954", date: "Mon, 13 Dec 2010 16:56:55 GMT"}
2010-12-13 19:56:55,335 ERROR XFormsServer - xforms-submit-error - setting body string {body: " <html><head><title>Apache Tomcat/5.5.27 - Error report</title><style><!--H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} H3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A {color : black;}A.name {color : black;}HR {color : #525D76;}--></style> </head><body><h1>HTTP Status 401 - </h1><HR size="1" noshade="noshade"><p><b>type</b> Status report</p><p><b>message</b> <u></u></p><p><b>description</b> <u>This request requires HTTP authentication ().</u></p><HR size="1" noshade="noshade"><h3>Apache Tomcat/5.5.27</h3></body></html>"}
2010-12-13 19:56:55,351 ERROR XFormsServer - xforms-submit-error - setting throwable {throwable: "org.orbeon.oxf.xforms.submission.XFormsSubmissionException: (processing submission response): xforms:submission for submission id: fr-default-submission, error code received when submitting instance: 401
null, line -1, column -1: xforms:submission for submission id: fr-default-submission, error code received when submitting instance: 401
    at org.orbeon.oxf.xforms.submission.XFormsModelSubmission.getReplacer(XFormsModelSubmission.java:659)
    at org.orbeon.oxf.xforms.submission.RegularSubmission$1.call(RegularSubmission.java:104)
    at org.orbeon.oxf.xforms.submission.RegularSubmission$1.call(RegularSubmission.java:76)
    at org.orbeon.oxf.xforms.submission.BaseSubmission.submitCallable(BaseSubmission.java:218)
    at org.orbeon.oxf.xforms.submission.RegularSubmission.connect(RegularSubmission.java:127)
    at org.orbeon.oxf.xforms.submission.XFormsModelSubmission.doSubmit(XFormsModelSubmission.java:444)
=================================

--
You receive this message as a subscriber of the [hidden email] mailing list.
To unsubscribe: mailto:[hidden email]
For general help: mailto:[hidden email]?subject=help
OW2 mailing lists service home page: http://www.ow2.org/wws

Alexey,
Try setting in properties-local.xml the oxf.url-rewriting.service.base-uri to point to your app server, i.e. "http://localhost:8080/orbeon" assuming that's where the Orbeon Forms webapp resides.

http://wiki.orbeon.com/forms/doc/developer-guide/configuration-properties/configuration-properties-base#TOC-oxf.url-rewriting.service.base-uri

This will make Form Runner/Form Builder services call Orbeon directly instead of going through the Apache front-end.

-Erik

On Mon, Dec 13, 2010 at 9:26 AM, Alexey Vasyukov <[hidden email]> wrote:
> Hi folks.
> Could anybody help me how to secure Form Builder from unauthorised access?

Hello Erik.
Many thanks for the advice. It made my config more structured. :-) However, it was not the cause of the problem. As I just understood, the issue in my setup was the following.

I have Apache and Tomcat with Orbeon deployed. I'd like Apache to handle all security-related procedures. So I have users in Apache and path-based security policy in Apache and no security configuration in Tomcat at all. In this setup after successful login in Apache user can not access any resources (see my previous letter in this thread).

The cause of the problem was auth header forwarded by Apache to Tomcat. In this scenario Tomcat acts like this:
- Extract user and password from auth header
- Compare them with internal database
- Not found (of course not found, in my setup Tomcat knows nothing about users at all!)
- Send 401 response

I fixed it by adding in httpd.conf:

RequestHeader unset Authorization

In this case Apache does not forward auth header and everything works.

Best regards,
Alexey Vasyukov

2010/12/18 Erik Bruchez <[hidden email]>
> Alexey,

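The setup this message arrives at, written out as one virtual host (an added example, not the poster's actual file): Apache alone performs Basic authentication for the Form Builder path and removes the Authorization header before the request is proxied. Host name, context path, AJP port and password file are the values quoted earlier in the thread; the anchored and escaped LocationMatch pattern and the placement of RequestHeader at virtual-host level are assumptions.

```apache
# Added example. Values are those quoted in the thread; the regex form and
# the position of RequestHeader are assumptions, not the poster's file.
<VirtualHost *:80>
    ServerName www.example.com

    ErrorLog  logs/proxy-error_log
    CustomLog logs/proxy-access_log common

    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass        /orbeon-3.8.0.post.201012130847-CE ajp://localhost:9090/orbeon-3.8.0.post.201012130847-CE
    ProxyPassReverse /orbeon-3.8.0.post.201012130847-CE ajp://localhost:9090/orbeon-3.8.0.post.201012130847-CE

    # Apache is the only place where users exist. The pattern is anchored
    # with ^ and the dots are escaped so that it matches this path only
    # (assumption: the thread's pattern is unanchored and unescaped).
    <LocationMatch "^/orbeon-3\.8\.0\.post\.201012130847-CE/fr/orbeon/builder">
        AuthType Basic
        AuthName "Orbeon Forms"
        # Keep this file outside any directory that Apache serves.
        AuthUserFile /var/www/htpasswd
        Require valid-user
    </LocationMatch>

    # Needs mod_headers. In its default (late) mode RequestHeader is applied
    # after Apache has checked the credentials and before the request goes
    # to the proxy handler, so Apache still authenticates the user while the
    # backend never sees a header it would try to verify against its own
    # (empty) user database and answer with 401.
    RequestHeader unset Authorization

    # Basic credentials are only base64-encoded on the wire; outside a test
    # setup this virtual host belongs behind TLS.
</VirtualHost>
```

With the header removed, the web application sees every proxied request as unauthenticated, so access control rests entirely on Apache and the Tomcat connector on port 9090 should accept connections only from the Apache host.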
Alexey,
Great, thanks for sharing.

-Erik

On Sat, Dec 18, 2010 at 8:25 AM, Alexey Vasyukov <[hidden email]> wrote:
> Hello Erik.
> Many thanks for the advice. It made my config more structured. :-)