Submission & Exist

Submission & Exist

StephR
I don't know if this is related to exist... or my submission.

I see that you can define user permissions on files (and collection) in Exist.

I have a basic xhtml file where I can enter data... and a save button :

<xforms:submission id="save-submission" ref="instance('news-instance')" action="/exist/rest/db/cgc/news.xml" method="put" replace="none"/>

It will store the information in news.xml. Everything works fine if the "world" permission is granted, which I don't want to allow. Before reaching this page, a user has to authenticate (home made). Let's say user A. In exist, user A is part of group B.

Now how come it won't let me write on news.xml if the group defined is group B. I suppose the submission has no clue that I am user A of group B. How do I add this information ?

Thanks!

Re: Submission & Exist

Erik Bruchez
Administrator
You can pass user and password information in submissions. Either on the
URL in the action:

   action="http://username:password@.../rest/db"

or with extension attributes on xforms:submission:

   xxforms:username="username"
   xxforms:password="password"

-Erik

StephR wrote:

> I don't know if this is related to exist... or my submission.
>
> I see that you can define user permissions on files (and collection) in
> Exist.
>
> I have a basic xhtml file where I can enter data... and a save button :
>
> <xforms:submission id="save-submission" ref="instance('news-instance')"
> action="/exist/rest/db/cgc/news.xml" method="put" replace="none"/>
>
> It will stock the information in news.xml. Every thing works fine if the
> "world" permission is granted which I don't want to let. Before reaching
> this page, a user has to authenticate (home made). Let's say user A. In
> exist, user A is part of group B.
>
> Now how come it won't let me write on news.xml if the group defined is group
> B. I suppose the submission has no clue that I am user A of group B. How do
> I add this information ?
>
> Thanks!
>

--
Orbeon Forms - Web Forms for the Enterprise Done the Right Way
http://www.orbeon.com/


--
You receive this message as a subscriber of the [hidden email] mailing list.
To unsubscribe: mailto:[hidden email]
For general help: mailto:[hidden email]?subject=help
OW2 mailing lists service home page: http://www.ow2.org/wws

Re: Submission & Exist

StephR
I didn't think I could use this in a xhtml file (the examples you give come from the processors-submission example).

Added the information but it still doesn't work.

<xforms:submission id="save-submission" ref="instance('news-instance')" method="put" replace="none" action="/exist/rest/db/cgc/news.xml" 
	separator="&amp;" xxforms:username="a" xxforms:password="a" />

User a is part of group B... and I put the group B with full rights on the file news.xml. So what's the problem ?
I anticipate the next step : here username & password are hard-coded, the idea would be to take this information from the session scope, no?
If yes, how to do so in a xhtml file ? I think it's not possible, so I would have to use a xpl processor no ?


Thanks
++




Re: Submission & Exist

Alessandro Vernet
Administrator
Stephane,

On 10/25/07, Stephane Ruchet <[hidden email]> wrote:
>  <xforms:submission id="save-submission" ref="instance('news-instance')"
> method="put" replace="none"
> action="/exist/rest/db/cgc/news.xml"
>  separator="&amp;" xxforms:username="a" xxforms:password="a" />

I recommend you use tcpmon (http://ws.apache.org/commons/tcpmon/) to
check what is going on between Orbeon Forms and eXist. Is the
authorization header sent? What is eXist responding?

>  User a is part of group B... and I put the group B with full rights on the
> file news.xml. So what's the problem ?
>  I anticipate the next step : here username & password are written in hard,
> the idea would be the take this information from the scope session no?
> If yes, how to do so in a xhtml file ? I think it's not possible, so I would
> have to use a xpl processor no ?

Try using AVTs in the xxforms:username and xxforms:password if the
value is not static. I.e.
xxforms:username="{instance('user-info')/login}". Then you just need
to get the information about the current user in an instance. You
could implement a service that returns it and call it with a
submission on xforms-ready.

Alex
--
Orbeon Forms - Web 2.0 Forms, open-source, for the Enterprise
http://www.orbeon.com/



Re: Submission & Exist

StephR
>
> I recommend you use tcpmon (http://ws.apache.org/commons/tcpmon/) to
> check what is going on between Orbeon Forms and eXist. Is the
> authorization header sent? What is eXist responding?
>  
Mmmm... as I don't know what is the authorisation header, I suppose it
is missing :)!

In TCPmon, I have the following :

User-Agent: Jakarta Commons-HttpClient/3.0.1
Host: 127.0.0.1:3333
Content-Length: 657

<?xml version="1.0" encoding="UTF-8"?><news
xmlns:ev="http://www.w3.org/2001/xml-events"
xmlns:xforms="http://www.w3.org/2002/xforms"
xmlns:xhtml="http://www.w3.org/1999/xhtml"
xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xxforms="http://orbeon.org/oxf/xml/xforms">
          <item>
            <subject>test test</subject>
            <date>2007-10-26</date>
            <contributors>test</contributors>
            <content>a test</content>
            <comment/>
            <status/>
          </item>
        </news>

on the top window... and on the bottom one, I have :

HTTP/1.1 403 Document exists and update is not allowed
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=utf-8
Content-Length: 1091
Date: Tue, 30 Oct 2007 13:51:20 GMT

In the users.xml file of eXist, passwords are coded with the md5
algorithm... but in my submission, I put the normal password. Could it
come from this? If yes, how can I simulate the password... can I just
copy-paste the password from the users.xml file in my submission ?

> Try using AVTs in the xxforms:username and xxforms:password if the
> value is not static. I.e.
> xxforms:username="{instance('user-info')/login}". Then you just need
> to get the information about the current user in an instance. You
> could implement a service that returns it and call it with a
> submission on xforms-ready.
I don't even know what are AVTs... I'll check to find some info....

Thanks!



Re: Submission & Exist

Alessandro Vernet
Administrator
Stephane,

On 10/30/07, Stephane Ruchet <[hidden email]> wrote:
> Mmmm... as I don't know what is the authorisation header, I suppose it
> is missing :)!

The presence of the Authorization header would tell you that Orbeon
Forms is sending a login/password to eXist. In the absence of that
header, in general when authentication is required, web servers respond
with a challenge and the client resubmits the request with the
Authorization header. But in this case eXist might expect to have the
Authorization header right away and doesn't send back a challenge to
the client when the header is not present.

Can you try to access the protected REST URL with a clean browser
(with which you are not already authenticated with the application or
eXist) to see if you are prompted for a login/password by the browser,
or if you directly get an "authorization denied" page from eXist?

> I don't even know what are AVTs... I'll check to find some info....

AVT refers to the syntax {xpath} that you can use in some attributes.
Whatever is inside the curly braces is evaluated as an XPath
expression and the result of the evaluation replaces the {xpath}. You
may have seen this already in XSLT.

Alex
--
Orbeon Forms - Web 2.0 Forms, open-source, for the Enterprise
http://www.orbeon.com/
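
The check Alex describes can be run over saved tcpmon output. The following is an added example, not part of the original thread: it looks for an `Authorization` header in the captured request and a `WWW-Authenticate` challenge in the response. The request line and all function names are assumptions, since the capture quoted in the thread shows only headers.

```python
import base64

# Constructed from the tcpmon capture quoted in this thread. The request line
# is an assumption (the capture shows only headers); the bodies are omitted.
CAPTURED_REQUEST = (
    "PUT /exist/rest/db/cgc/news.xml HTTP/1.1\r\n"
    "User-Agent: Jakarta Commons-HttpClient/3.0.1\r\n"
    "Host: 127.0.0.1:3333\r\n"
    "Content-Length: 657\r\n"
    "\r\n"
)
CAPTURED_RESPONSE = (
    "HTTP/1.1 403 Document exists and update is not allowed\r\n"
    "Server: Apache-Coyote/1.1\r\n"
    "Content-Type: text/html;charset=utf-8\r\n"
    "\r\n"
)


def parse_head(raw):
    """Return (start_line, headers) with lower-cased header names."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = [line for line in head.split("\n") if line]
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def basic_credentials(headers):
    """Decode 'Authorization: Basic ...' into (user, password), else None."""
    scheme, _, token = headers.get("authorization", "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:  # malformed Base64 or undecodable bytes
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def diagnose(raw_request, raw_response):
    """Classify one request/response pair taken from a proxy capture."""
    _, req_headers = parse_head(raw_request)
    status_line, resp_headers = parse_head(raw_response)
    status = int(status_line.split()[1])
    creds = basic_credentials(req_headers)
    challenged = status == 401 and "www-authenticate" in resp_headers
    if creds and status in (401, 403):
        verdict = "credentials sent but rejected: check password and permissions"
    elif creds:
        verdict = "credentials sent: status %d" % status
    elif challenged:
        verdict = "no credentials, server challenged: client should retry"
    elif status == 403:
        verdict = "no credentials and no challenge: handled as anonymous"
    else:
        verdict = "no credentials: status %d" % status
    return {"status": status, "user": creds[0] if creds else None,
            "challenged": challenged, "verdict": verdict}


if __name__ == "__main__":
    print(diagnose(CAPTURED_REQUEST, CAPTURED_RESPONSE))
```
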



Re: Submission & Exist

Jurģis Lukss-2
Hi,

I had to change eXist configuration to always require authentication (do not allow guest user) or it would never ask for username/password. eXist will automatically authorize a guest user if no username/password is sent in HTTP header. Necessary eXist configuration lines were hidden deep in their mailing list. But there is a drawback, you won't be able to access eXist without authorization, even if permissions are set to world readable. It would be better if Orbeon always sent an authorization header when username/password are provided.

Jurgis


-- 
Jurģis Lukss
SIA "Mikrokods"
mob. 26458439



Re: Submission & Exist

StephR
In reply to this post by Alessandro Vernet
I'm lost for a change.

Here are more info :

My goal is to update this following page : /exist/rest/db/cgc/news.xml. If I put the full address in the address bar, I have an "Etat HTTP 403 - Not Allowed to read resource" which is normal because I deactivated the guest privileges on this file.

News.xhtml  :
 
  <head>
    [...]
     
      <xforms:submission id="save-submission" ref="instance('news-instance')" method="put" replace="none" action="/exist/rest/db/cgc/news.xml" separator="&amp;" xxforms:username="a" xxforms:password="a" />
    </xforms:model>   
  </head>
 
  <body>
     [...]
     
      <xforms:submit submission="save-submission">
        <xforms:label>Save</xforms:label>
      </xforms:submit>
   
    [...]


For now, I do not understand how to bind the information from my session scope to this submission... so my first goal is to enter static information for username & password. In the
collection system of Exist, file users.xml, I have the following information :

<user name="a" uid="4" password="{MD5}JdVa0oOqQAr0ZMdtcTwHrQ==" digest-password="d2b1e3cf9fc93f0abf99fce600a63638" home="/db/cgc">
    <group>cgc-user</group>
</user>

I put the group "cgc-user" with full rights on the file news.xml. Now as the password is coded in MD5, I do not know what I should put in my password input of my submission (certainly not "a"). But I copy paste the password, and that doesn't help either.

At no moment does the browser ask me for a login or a password as you mention, so I suppose I get a direct "authorization denied" from Exist.
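
On the question of what to put in `xxforms:password`, an added example that is not part of the original post: with HTTP Basic authentication the client sends the plaintext password and the server hashes it before comparing. It assumes that eXist's `{MD5}` field is the Base64-encoded MD5 digest of the password (not confirmed in this thread); the function names are hypothetical.

```python
import base64
import hashlib
import hmac

# Value of the password attribute for user "a" in users.xml, as posted above.
STORED_FIELD = "{MD5}JdVa0oOqQAr0ZMdtcTwHrQ=="


def exist_md5_field(password):
    """Assumed storage format: '{MD5}' + Base64(MD5(plaintext password))."""
    digest = hashlib.md5(password.encode("utf-8")).digest()
    return "{MD5}" + base64.b64encode(digest).decode("ascii")


def basic_header(user, password):
    """Authorization header value a client sends for Basic authentication."""
    token = base64.b64encode(("%s:%s" % (user, password)).encode("utf-8"))
    return "Basic " + token.decode("ascii")


def check_candidate(user, candidate, stored_field):
    """Show what goes on the wire and whether the server-side hash would match."""
    return {
        "authorization": basic_header(user, candidate),
        "matches_stored": hmac.compare_digest(
            exist_md5_field(candidate), stored_field),
    }


if __name__ == "__main__":
    # Plaintext used in the submission on this page.
    print(check_candidate("a", "a", STORED_FIELD))
    # Pasting the stored hash as the password: the server hashes it again.
    print(check_candidate("a", STORED_FIELD, STORED_FIELD))
```
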






Re: Submission & Exist

StephR
In reply to this post by Jurģis Lukss-2
> Necessary eXist configuration lines were hidden deep in their mailing list
Let's go hunting ;)!

> But there is a drawback, you won't be able to access eXist without authorization, even if permissions are set to world readable. It would be better if Orbeon always sent an authorization header when username/password are provided.
This is a drawback if there is information that is public no? And even in this case, you could specify a user "guest" as a user of Exist I suppose...




Re: Submission & Exist

Jurģis Lukss-2

> Let's go hunting ;)!
Good luck! ;) It was an old post about "new" user-level access control
in eXist and there was a pointer on how to turn off default user.

> This is a drawback if there is information that is public no? And even
> in this case, you could specify a user "guest" as a user of Exist I
> suppose...
This is a problem if you have content that is public and read-only, but
needs to be updated by an authorized user. You can make a guest user, but
eXist will always ask for this user and that won't work if your
read-only client is not able to use HTTP authentication.

Jurgis



Re: Submission & Exist

StephR
So what are you telling me ... I shouldn't use submissions, but Xqueries ?


Re: Submission & Exist

Jurģis Lukss-2
Actually there is a problem only if you want to use HTTP PUT method and
replace xml data entirely. It can be done using XQuery, and it seems
that XQuery does not use any access control at all, but still you will
want HTTP authentication when using HTTP PUT method.

Jurgis

Stephane Ruchet wrote:

> So what are you telling me ... I shouldn't use submissions, but Xqueries ?
>
> Jurģis Lukss a écrit :
> >
> >> Let's go hunting ;)!
> > Good luck! ;) It was an old post about "new" user-level access control in
> > eXist and there was a pointer on how to turn off default user.
> >
> >> This is a drawback if there is information that is public no? And even in
> >> this case, you could specify a user "guest" as a user of Exist I suppose...
> > This is problem if you have a content, that is public and read-only, but needs
> > to be updated by authorized user. You can make a guest user, but eXist will
> > always ask for this user and that won't work if your read-only client is not
> > able to use HTTP authentication.
> >
> > Jurgis
>  



Re: Submission & Exist

Alessandro Vernet
Administrator
In reply to this post by Jurģis Lukss-2
On 10/30/07, Jurģis Lukss <[hidden email]> wrote:
>  I had to change eXist configuration to always require authentication (do
> not allow guest user) or it would never ask for username/password. eXist
> will automatically authorize a guest user if no username/password is sent in
> HTTP header.

Very interesting. Maybe eXist assumes that you not providing a
username/password indicates that you are trying to access the database
as guest. When guest is not allowed, eXist can rule out this
possibility and will ask for a username/password if none is provided.

> Necessary eXist configuration lines where hidden deep in their
> mailing list. But there is a drawback, you won't be able to access eXist
> without authorization, even if permissions are set to world readable. It
> would be better if Orbeon always sent an authorization header when
> username/password are provided.

Yes. Definitely. Erik changed some of this code recently and this
should work now. Could you try this again with a nightly build?

Alex
--
Orbeon Forms - Web 2.0 Forms, open-source, for the Enterprise
http://www.orbeon.com/

