
j_security_check authentication issues in version 3.8.0

Posted by Alan Leavy on Jun 04, 2010; 12:40pm
URL: https://discuss.orbeon.com/j-security-check-authentication-issues-in-version-3-8-0-tp2243172.html

Reposting as this somehow ended up on the wrong thread first time:

Hi,

I’ve just migrated from Orbeon Forms 3.7beta to 3.8.0.201005141856 and I’ve been having problems with the authentication for my migrated apps.

I’ve reproduced the problem by making modifications to the sample "java-authentication" example [modified version attached]

Basically, I’ve added a submission / pipeline which is triggered by xforms-ready. It just puts some data into a new instance in the model (addresses-instance).

I also changed the security-constraint in web.xml, adding a wildcard to the url-pattern:

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Authentication example</web-resource-name>
            <url-pattern>/java-authentication/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>orbeon-admin</role-name>
        </auth-constraint>
    </security-constraint>

The issue is that, when my security constraint in the web.xml file covers both the web form and the XPL service, the login screen seems to be triggered for both in succession: first for the form when I attempt to load it (no problem) but also again for the XPL service when it is triggered by the xforms-ready event. This makes the submission fail because the system tries to replace my addresses-instance with the login form (“Body received with non-XML media type for replace="instance": text/html”). The pipeline itself never runs. It’s as if the initial authentication, triggered by initially loading the form, was not complete before the xforms-ready event fired.

If I reload the form, it works fine, as I’m already authenticated.

This issue didn’t occur in version 3.7beta.

I’m running on Apache Tomcat version 5.5.26, JVM version 1.5.0_12-b04.

The problem, as demonstrated in the attached app, does not always occur the first time you run it after a Tomcat restart. If you log out you then see the problem every subsequent time you first access the application after a logout. [http://localhost:8080/orbeon/java-authentication/]

Has anyone else seen such authentication issues in version 3.8.0?

Regards,

    Alan.




Attachment: java-authentication.zip (8K)
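An added illustration, not part of the original post or of Orbeon's code: the Servlet specification's url-pattern matching applied to the constraint quoted in the post, showing that the wildcard pattern demands the orbeon-admin role for the form URL and for every path below it. The service path `/java-authentication/addresses-service` is a hypothetical name, and the non-wildcard variant used for comparison is constructed.

```python
import xml.etree.ElementTree as ET

# Constraint copied from the post, wrapped in a bare <web-app> root (constructed wrapper).
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Authentication example</web-resource-name>
      <url-pattern>/java-authentication/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>orbeon-admin</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>"""

FORM_PATH = "/java-authentication/"  # from the URL in the post, relative to /orbeon
SERVICE_PATH = "/java-authentication/addresses-service"  # hypothetical service path

def match_rank(pattern, path):
    """Servlet url-pattern match: a (kind, length) rank, or None when no match."""
    if pattern.endswith("/*"):              # path-prefix mapping
        prefix = pattern[:-2]
        if path == prefix or path.startswith(prefix + "/"):
            return (2, len(prefix))
    elif pattern.startswith("*."):          # extension mapping
        if path.rsplit("/", 1)[-1].endswith(pattern[1:]):
            return (1, 0)
    elif pattern == "/":                    # default mapping
        return (0, 0)
    elif pattern == path:                   # exact mapping
        return (3, len(path))
    return None

def required_roles(web_xml, path):
    """Roles of the best-matching constraint; None when no constraint applies.
    Simplified: ignores http-method and the merging of equal patterns."""
    best, roles = None, None
    for sc in ET.fromstring(web_xml).iter("security-constraint"):
        sc_roles = [r.text.strip() for r in sc.iter("role-name")]
        for pat in sc.iter("url-pattern"):
            rank = match_rank(pat.text.strip(), path)
            if rank is not None and (best is None or rank > best):
                best, roles = rank, sc_roles
    return roles

if __name__ == "__main__":
    for p in (FORM_PATH, SERVICE_PATH, "/other/page"):
        print(p, "->", required_roles(WEB_XML, p))
```

With the wildcard, any request under `/java-authentication/` that arrives without the authenticated session is answered by the container's login mechanism rather than by the resource, which matches the text/html body reported in the post.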