Orbeon Forms community mailing list

Problem when using doc() load secured URL

Classic

List

Threaded

3 messages Options

cheney zhao

Problem when using doc() load secured URL

Hi, Experts,
When I have a <security-constraint>myapp/lookup/*</security-constraint> config in my web.xml, the doc() function can't work anymore with the following message:
----------------------------------

Error Message
Failed to load document http://localhost:7001/myapp/lookup/BooleanCode

Show details

Hide details

Call Stack
Resource URL Line Column Description XML Element
oxf:/dti/core/widgets/lookup.xsl 38 N/A evaluating XPath expression
expression → doc($full-path)/codes/code
pushing XForms control binding <xforms:itemset nodeset="doc($full-path)/codes/code" id="xforms-element-84">...</xforms:itemset>

----------------------------------

When login successfully, the error message comes still. I guess the doc function doesn't provide the authorized information before loading the document. Can anyone help to resolve the problem? BTW, I can't remove the security config.
Thank you!

Cheney

Erik Bruchez

Re: Problem when using doc() load secured URL

Administrator

The doc() function uses internally oxf:url-generator
(URLGenerator.java). In recent builds, this has been modified to use
the same code that was used by xforms:submission to forward
authorization information.

By default, now, xforms:submission, oxf:url-generator and doc() all
should forward the JSESSIONID cookie.

For xforms:submission, by default, the Authorization header is also
forwarded (controllable by a property). oxf:url-generator supports the
<forward-headers> element to specify header forwarding as well but
there is no default.

This leaves the doc() function, which has no way of specifying headers
forwarding. Maybe we need a property to control the default header
forwarding for oxf:url-generator, which should take care of this one
as well.

Can you also try a recent nightly to see if things work out of the box
by any chance?

-Erik

On Aug 18, 2008, at 8:39 PM, cheney zhao wrote:

>
> Hi, Experts,
> When I have a <security-constraint>myapp/lookup/*</security-
> constraint>
> config in my web.xml, the doc() function can't work anymore with the
> following message:
> ----------------------------------
>
> Error Message
> Failed to load document http://localhost:7001/myapp/lookup/BooleanCode
>
> Show details
>
> Hide details
>
> Call Stack
> Resource URL Line Column Description XML Element
> oxf:/dti/core/widgets/lookup.xsl 38 N/A evaluating XPath expression
> expression → doc($full-path)/codes/code
> pushing XForms control binding <xforms:itemset
> nodeset="doc($full-path)/codes/code"
> id="xforms-element-84">...</xforms:itemset>
>
> ----------------------------------
>
> When login successfully, the error message comes still. I guess the
> doc
> function doesn't provide the authorized information before loading the
> document. Can anyone help to resolve the problem? BTW, I can't
> remove the
> security config.
> Thank you!
>
> Cheney
>
> --
> View this message in context: http://www.nabble.com/Problem-when-using-doc%28%29-load-secured-URL-tp19043848p19043848.html
> Sent from the ObjectWeb OPS - Users mailing list archive at
> Nabble.com.
>
>
> --
> You receive this message as a subscriber of the [hidden email]
> mailing list.
> To unsubscribe: mailto:[hidden email]
> For general help: mailto:[hidden email]?subject=help
> OW2 mailing lists service home page: http://www.ow2.org/wws

--
Orbeon Forms - Web Forms for the Enterprise Done the Right Way
http://www.orbeon.com/

--
You receive this message as a subscriber of the [hidden email] mailing list.
To unsubscribe: mailto:[hidden email]
For general help: mailto:[hidden email]?subject=help
OW2 mailing lists service home page: http://www.ow2.org/wws

cheney zhao

Re: Problem when using doc() load secured URL

Hi, Erik,
Thanks for your reply.
I tried the lastest build. The doc() function still doesn't work when I have a security constraint config.
I print the content of request when the Orbeon framework received request.
here it is:
<request>
<container-type>servlet</container-type>
<container-namespace/>
<content-length>-1</content-length>
<content-type/>
<parameters/>
<body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:base64Binary"></body>
<protocol>HTTP/1.1</protocol>
<remote-addr>127.0.0.1</remote-addr>
<remote-host>localhost</remote-host>
<scheme>http</scheme>
<server-name>localhost</server-name>
<server-port>7011</server-port>
<is-secure>false</is-secure>
<context-path>/myapp/lookup</context-path>
<headers>
<header>
<name>host</name>
<value>localhost:7011</value>
</header>
<header>
<name>user-agent</name>
<value>Jakarta Commons-HttpClient/3.1</value>
</header>
</headers>
<method>GET</method>
<request-uri>/myapp/lookup/PartyRoleCode</request-uri>
<request-url>....</request-url>
<servlet-path>....</servlet-path>
<request-path>...</request-path>
</request>

I notice that it doesn't forward the JSESSIONID cookie.
Can you help me to check this problem?
Thank you!

cheney

Erik Bruchez wrote

The doc() function uses internally oxf:url-generator
(URLGenerator.java). In recent builds, this has been modified to use
the same code that was used by xforms:submission to forward
authorization information.

By default, now, xforms:submission, oxf:url-generator and doc() all
should forward the JSESSIONID cookie.

For xforms:submission, by default, the Authorization header is also
forwarded (controllable by a property). oxf:url-generator supports the
<forward-headers> element to specify header forwarding as well but
there is no default.

This leaves the doc() function, which has no way of specifying headers
forwarding. Maybe we need a property to control the default header
forwarding for oxf:url-generator, which should take care of this one
as well.

Can you also try a recent nightly to see if things work out of the box
by any chance?

-Erik

On Aug 18, 2008, at 8:39 PM, cheney zhao wrote:

>
> Hi, Experts,
> When I have a <security-constraint>myapp/lookup/*</security-
> constraint>
> config in my web.xml, the doc() function can't work anymore with the
> following message:
> ----------------------------------
>
> Error Message
> Failed to load document http://localhost:7001/myapp/lookup/BooleanCode
>
> Show details
>
> Hide details
>
> Call Stack
> Resource URL Line Column Description XML Element
> oxf:/dti/core/widgets/lookup.xsl 38 N/A evaluating XPath expression
> expression → doc($full-path)/codes/code
> pushing XForms control binding <xforms:itemset
> nodeset="doc($full-path)/codes/code"
> id="xforms-element-84">...</xforms:itemset>
>
> ----------------------------------
>
> When login successfully, the error message comes still. I guess the
> doc
> function doesn't provide the authorized information before loading the
> document. Can anyone help to resolve the problem? BTW, I can't
> remove the
> security config.
> Thank you!
>
> Cheney
>
> --
> View this message in context: http://www.nabble.com/Problem-when-using-doc%28%29-load-secured-URL-tp19043848p19043848.html
> Sent from the ObjectWeb OPS - Users mailing list archive at
> Nabble.com.
>
>
> --
> You receive this message as a subscriber of the ops-users@ow2.org
> mailing list.
> To unsubscribe: mailto:ops-users-unsubscribe@ow2.org
> For general help: mailto:sympa@ow2.org?subject=help
> OW2 mailing lists service home page: http://www.ow2.org/wws

--
Orbeon Forms - Web Forms for the Enterprise Done the Right Way
http://www.orbeon.com/

--
You receive this message as a subscriber of the ops-users@ow2.org mailing list.
To unsubscribe: mailto:ops-users-unsubscribe@ow2.org
For general help: mailto:sympa@ow2.org?subject=help
OW2 mailing lists service home page: http://www.ow2.org/wws