Hello!
I have encountered a problem running xforms with Glassfish and OpenAM. I wonder if someone can advise.

I am using Orbeon XForms Engine to render simple enough xforms inside Tolven application (I believe application details do not matter), GlassFish 3.0.1 is application server, OpenAM 9.5.1 RC2 used for authentication. Form rendering itself works fine, requests to form pages and to Orbeon engine go through AmAgentFilter, additional policies added to OpenAM to make all work.

But for xform submission requests, which should get/post xform XML content from/to my servlet, I get OpenAM login page as a result (direct requests to servlet work fine, problem only if xform submission initiates request).

I wonder is it possible, that for xform submission calls, Orbeon itself may work like a client application, requesting a servlet resource, but it can not be authenticated, probably due to inability to receive cookies? And is same session used for xform JSP page and for submission called from this page?

I am not sure it is a problem, but I can see the few strange messages in log (just before engine crash due to login page content received instead of form XML) (see below)

I understand, this may be too specific question, but if someone can, please advise. If someone can provide a link to any related resource, it also greatly appreciated.

Thanks,
Andrey

server.log:

...

[#|2011-07-26T13:42:54.023+0300|INFO|glassfish3.0.1|javax.enterprise.system.std.com.sun.enterprise.v3.services.impl|_ThreadID=40;_ThreadName=Thread-1;|13:42:54,023 INFO [ProcessorService] /xforms-renderer - Received request |#]

[#|2011-07-26T13:42:54.205+0300|INFO|glassfish3.0.1|javax.enterprise.system.std.com.sun.enterprise.v3.services.impl|_ThreadID=40;_ThreadName=Thread-1;|13:42:54,205 INFO [OrbeonSessionListener] Session Listener - Session created. |#]

[#|2011-07-26T13:42:54.385+0300|INFO|glassfish3.0.1|javax.enterprise.system.std.com.sun.enterprise.v3.services.impl|_ThreadID=40;_ThreadName=Thread-1;|13:42:54,382 WARN [HttpMethodBase] Cookie rejected: "$Version=0; AMAuthCookie=AQIC5wM2LY4SfcweMekEY6kRY3TsSh4mxxk9eNSf0YBVJB0.*AAJTSQACMDE.*; $Path=/; $Domain=.tolven2.softwarium.net". Illegal domain attribute ".tolven2.softwarium.net". Domain of origin: "tolven2.softwarium.net" |#]

[#|2011-07-26T13:42:54.439+0300|INFO|glassfish3.0.1|javax.enterprise.system.std.com.sun.enterprise.v3.services.impl|_ThreadID=40;_ThreadName=Thread-1;|13:42:54,438 WARN [HttpMethodBase] Cookie rejected: "$Version=0; amlbcookie=01; $Path=/; $Domain=.tolven2.softwarium.net". Illegal domain attribute ".tolven2.softwarium.net". Domain of origin: "tolven2.softwarium.net" |#]

[#|2011-07-26T13:42:54.522+0300|INFO|glassfish3.0.1|javax.enterprise.system.std.com.sun.enterprise.v3.services.impl|_ThreadID=40;_ThreadName=Thread-1;|13:42:54,522 ERROR [XFormsServer] xforms-submit-error - response {status code: "200"} |#]

[#|2011-07-26T13:42:54.550+0300|INFO|glassfish3.0.1|javax.enterprise.system.std.com.sun.enterprise.v3.services.impl|_ThreadID=40;_ThreadName=Thread-1;|13:42:54,550 ERROR [XFormsServer] xforms-submit-error - response headers {cache-control: "private", content-type: "text/html;charset=UTF-8", expires: "0", x-dsameversion: "Snapshot Build 9.5.1_RC2(2010-September-16 12:02)", set-cookie: "JSESSIONID=15CD78C0160F5EA3233C70BA64C0332D; Path=/openam; Secure; HttpOnly", transfer-encoding: "chunked", server: "Apache-Coyote/1.1", date: "Tue, 26 Jul 2011 10:42:54 GMT", pragma: "no-cache", am_client_type: "genericHTML"} |#]

[#|2011-07-26T13:42:54.594+0300|INFO|glassfish3.0.1|javax.enterprise.system.std.com.sun.enterprise.v3.services.impl|_ThreadID=40;_ThreadName=Thread-1;|13:42:54,594 ERROR [XFormsServer] xforms-submit-error - setting body string {body: <html> <head> <title>OpenAM (Login)</title> ....

Hi Andrey,

XForms Submission supports http authentication in the xpl pipeline:
http://wiki.orbeon.com/forms/doc/developer-guide/processors-xforms-submission#TOC-Handling-authentication
and with xxforms attributes:
http://wiki.orbeon.com/forms/doc/developer-guide/xforms-advanced-submissions#TOC-HTTP-authentication

Not sure how to handle the cookie (or any of the response headers).

Regards,
Hank

--
Hank Ratzesberger
XMLWerks.com

--
You receive this message as a subscriber of the [hidden email] mailing list.
To unsubscribe: mailto:[hidden email]
For general help: mailto:[hidden email]?subject=help
OW2 mailing lists service home page: http://www.ow2.org/wws

Andrey,
This is a part that has caused us a bit of trouble. XForms submissions try to forward cookies. See the latest code here under "2009 ALGORITHM":

https://github.com/orbeon/orbeon-forms/blob/master/src/java/org/orbeon/oxf/util/Connection.java#L179

In general, this tries to forward JSESSIONID, and if not available, we try to make up one. This is not 100% reliable. However, it has worked most of the time in the past.

Usually, if the service call is to the same webapp, and if the JSESSIONID is properly forwarded, then the authentication system will let that go through.

Otherwise, submissions act as clients, in that they keep state (by default in the session), and keep track of sessions with services.

-Erik

Hello!
I have found a way to solve my problem with the help of OpenAM community and your hints. Thanks.

OpenAM uses special cookie "iPlanetDirectoryPro" to track SSO authentication token (not sure about term), but for submission requests Orbeon forwards just JSESSIONID and JSESSIONIDSSO cookies, so OpenAM filter does not allow it to pass. I changed Orbeon Connection class to forward this cookie also, then put changed class to jar/war, and it works.

Now I wonder if it can cause some kind of security hole if I allow additional cookie forwarding here? (I have feeling it may be possible to reconfigure OpenAM to use another cookie, like JSESSIONIDSSO, but not sure)

(another issue I encountered, if I build Orbeon from sources by ant script (3.8.0_20110514) it does not work for me at all... I got 404 error page instead of my form JSPs (same for 3.9.0_???) But it is possible I am just doing something wrong here and not critical for me now)

Thanks again.
Andrey

Andrey,
Excellent.

We have just implemented a new property to configure this:

https://github.com/orbeon/orbeon-forms/commit/c89342ba686677f642ccb5114d7ee494279e2dfe

This might help in the future if you upgrade to a newer build, or you could also backport that patch.

-Erik

Andrey,
On the question of security: you do have to be careful with header/cookie forwarding. When those are enabled, you should probably not connect to untrusted services, as they will receive those headers.

On the build, I am not sure: just running ant should work.

-Erik
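
The caution in the last reply about forwarding cookies to untrusted services, as an added example that is not part of the thread and is not Orbeon's code: a hypothetical `CookieForwardingPolicy` that forwards only named cookies, and only to an exact-match allowlist of hosts. The class name, host names and cookie values are constructed for illustration, and the HTTPS requirement is an assumption of this example.

```java
import java.net.URI;
import java.util.*;

// Added example (hypothetical class, not Orbeon code): decides which incoming
// cookies may be copied onto an outgoing service request.
public class CookieForwardingPolicy {
    private final Set<String> forwardedNames; // cookie names allowed to be forwarded
    private final Set<String> trustedHosts;   // exact host names, lower case

    public CookieForwardingPolicy(Set<String> forwardedNames, Set<String> trustedHosts) {
        this.forwardedNames = forwardedNames;
        this.trustedHosts = trustedHosts;
    }

    // Returns the Cookie header value for the target, or null if nothing may be sent.
    public String cookieHeaderFor(URI target, Map<String, String> incoming) {
        String host = target.getHost();
        // Exact match on the parsed host: userinfo tricks and look-alike names fail.
        if (host == null || !trustedHosts.contains(host.toLowerCase(Locale.ROOT))) return null;
        // Assumption of this example: session tokens are only sent over TLS.
        if (!"https".equalsIgnoreCase(target.getScheme())) return null;
        StringJoiner header = new StringJoiner("; ");
        for (Map.Entry<String, String> cookie : incoming.entrySet()) {
            if (forwardedNames.contains(cookie.getKey())) {
                header.add(cookie.getKey() + "=" + cookie.getValue());
            }
        }
        return header.length() == 0 ? null : header.toString();
    }

    public static void main(String[] args) {
        Map<String, String> incoming = new LinkedHashMap<>(); // constructed sample values
        incoming.put("JSESSIONID", "sample-session-id");
        incoming.put("iPlanetDirectoryPro", "sample-sso-token");
        incoming.put("preferences", "not-needed-by-the-service");
        CookieForwardingPolicy policy = new CookieForwardingPolicy(
                Set.of("JSESSIONID", "JSESSIONIDSSO", "iPlanetDirectoryPro"),
                Set.of("forms.example.test"));
        for (String url : List.of(
                "https://forms.example.test/app/submit",              // trusted host
                "https://untrusted.example.net/collect",               // different host
                "https://forms.example.test@untrusted.example.net/x",  // trusted name only in userinfo
                "http://forms.example.test/app/submit")) {             // trusted host, cleartext scheme
            System.out.println(url + " -> " + policy.cookieHeaderFor(URI.create(url), incoming));
        }
    }
}
```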