
Re: Re: Orbeon and Apache auth - need help

Posted by Alexey Vasyukov on Dec 18, 2010; 4:25pm
URL: https://discuss.orbeon.com/Orbeon-and-Apache-auth-need-help-tp3085802p3093775.html

Hello Erik.

Many thanks for the advice. It made my config more structured. :-) However, it was not the cause of the problem. As I just understood, the issue in my setup was the following.

I have Apache and Tomcat with Orbeon deployed. I'd like Apache to handle all security-related procedures. So I have users in Apache and a path-based security policy in Apache, and no security configuration in Tomcat at all. In this setup, after a successful login in Apache the user cannot access any resources (see my previous letter in this thread).

The cause of the problem was the auth header forwarded by Apache to Tomcat. In this scenario Tomcat acts like this:
- Extract user and password from auth header
- Compare them with internal database
- Not found (of course not found, in my setup Tomcat knows nothing about users at all!)
- Send 401 response

I fixed it by adding in httpd.conf:
     RequestHeader unset Authorization
In this case Apache does not forward auth header and everything works.


Best regards,
Alexey Vasyukov
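
The failure and the fix described above, modeled as an added example (not part of the original post, and not Apache, Tomcat or Orbeon code). The user tables and function names are constructed; the backend's behaviour follows the post's description (anonymous requests pass, presented credentials are checked against its own database).

```python
import base64

# Constructed sample data: the front end (Apache role) and the backend
# (Tomcat/eXist role) keep separate user databases, as in the post.
FRONTEND_USERS = {"alice": "s3cret"}
BACKEND_USERS = {"admin": "backend-only"}
PROTECTED_PREFIX = "/orbeon-3.8.0.post.201012130847-CE/fr/orbeon/builder"


def parse_basic(headers):
    """Return (user, password) from a Basic Authorization header, else None."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except ValueError:  # covers bad base64 and bad UTF-8
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def backend(path, headers):
    """Anonymous requests are served; presented credentials must be known."""
    creds = parse_basic(headers)
    if "Authorization" in headers and (
            creds is None or BACKEND_USERS.get(creds[0]) != creds[1]):
        return 401, {"WWW-Authenticate": 'Basic realm="exist"'}
    return 200, {}


def frontend(path, headers, unset_authorization):
    """Enforce Basic auth on the protected path, then proxy to the backend."""
    if path.startswith(PROTECTED_PREFIX):
        creds = parse_basic(headers)
        if creds is None or FRONTEND_USERS.get(creds[0]) != creds[1]:
            return 401, {"WWW-Authenticate": 'Basic realm="Orbeon Forms"'}
    forwarded = dict(headers)
    if unset_authorization:
        # Models "RequestHeader unset Authorization": applied after the check.
        forwarded.pop("Authorization", None)
    return backend(path, forwarded)


def basic(user, password):
    """Build the Authorization header a browser would send."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": "Basic " + token}
```

`RequestHeader` is provided by mod_headers and, without the `early` keyword, is applied after Apache's own authentication has run, which is why the front-end check still sees the credentials. With the header removed, the backend has no way to tell who logged in, so it should accept connections only from the front end.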


2010/12/18 Erik Bruchez <[hidden email]>
Alexey,

Try setting in properties-local.xml the
oxf.url-rewriting.service.base-uri to point to your app server, i.e.
"http://localhost:8080/orbeon" assuming that's where the Orbeon Forms
webapp resides.

http://wiki.orbeon.com/forms/doc/developer-guide/configuration-properties/configuration-properties-base#TOC-oxf.url-rewriting.service.base-uri

This will make Form Runner/Form Builder services call Orbeon directly
instead of going through the Apache front-end.

-Erik

On Mon, Dec 13, 2010 at 9:26 AM, Alexey Vasyukov <[hidden email]> wrote:
> Hi folks.
> Could anybody help me how to secure Form Builder from unauthorised access?
> I tried to do it using Apache front-end as described
> at http://wiki.orbeon.com/forms/doc/user-guide/form-runner-user-guide#TOC-Form-Runner-access-and-authenticati
> I have in httpd conf:
>     <LocationMatch /orbeon-3.8.0.post.201012130847-CE/fr/orbeon/builder>
>         AuthType Basic
>         AuthName "Orbeon Forms"
>         AuthUserFile /var/www/htpasswd
>         Require valid-user
>     </LocationMatch>
> (Complete conf is below if necessary).
> It allows anonymous user to access published forms and requires auth for
> Form Builder access - great.
> But after I enter correct login/password I see empty summary of Form Builder
> (no form definitions). In orbeon.log I see the following:
> 2010-12-13 19:56:55,077 INFO  ProcessorService  -
> /fr/service/exist/search/orbeon/builder - Received request
> 2010-12-13 19:56:55,330 ERROR XFormsServer  - xforms-submit-error - response
> {status code: "401"}
> 2010-12-13 19:56:55,331 ERROR XFormsServer  - xforms-submit-error - response
> headers {content-type: "text/html;charset=utf-8", connection: "close",
> www-authenticate: "Basic realm="exist"", content-length: "954", date: "Mon,
> 13 Dec 2010 16:56:55 GMT"}
> ...(Complete log is below.)...
> It looks like accessing eXist requires some kind of credentials now. But
> why? LocationMatch should not match.
> Could anybody please tell me what I did wrong?
>
> Best regards,
> Alexey
> P.S. I use version from git now but I encounter the same problem on 3.8.0
> CE/PE.
> =================================
> Complete entry in httpd.conf
> =================================
> <VirtualHost *:80>
>     ServerAdmin [hidden email]
>     ServerName www.example.com
>     ErrorLog logs/proxy-error_log
>     CustomLog logs/proxy-access_log common
>     ProxyRequests Off
>     ProxyPreserveHost On
>     ProxyPass /orbeon-3.8.0.post.201012130847-CE
> ajp://localhost:9090/orbeon-3.8.0.post.201012130847-CE
>     ProxyPassReverse /orbeon-3.8.0.post.201012130847-CE
> ajp://localhost:9090/orbeon-3.8.0.post.201012130847-CE
>     <LocationMatch /orbeon-3.8.0.post.201012130847-CE/fr/orbeon/builder>
>         AuthType Basic
>         AuthName "Orbeon Forms"
>         AuthUserFile /var/www/htpasswd
>         Require valid-user
>     </LocationMatch>
> </VirtualHost>
> =================================
>
> =================================
> Complete error in orbeon.log
> =================================
> 2010-12-13 19:56:55,077 INFO  ProcessorService  -
> /fr/service/exist/search/orbeon/builder - Received request
> 2010-12-13 19:56:55,330 ERROR XFormsServer  - xforms-submit-error - response
> {status code: "401"}
> 2010-12-13 19:56:55,331 ERROR XFormsServer  - xforms-submit-error - response
> headers {content-type: "text/html;charset=utf-8", connection: "close",
> www-authenticate: "Basic realm="exist"", content-length: "954", date: "Mon,
> 13 Dec 2010 16:56:55 GMT"}
> 2010-12-13 19:56:55,335 ERROR XFormsServer  - xforms-submit-error - setting
> body string {body: "
> <html><head><title>Apache Tomcat/5.5.27 - Error report</title><style><!--H1
> {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;}
> H2
> {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;}
> H3
> {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;}
> BODY
> {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B
> {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;}
> P
> {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A
> {color : black;}A.name {color : black;}HR {color : #525D76;}--></style>
> </head><body><h1>HTTP Status 401 - </h1><HR size="1"
> noshade="noshade"><p><b>type</b> Status report</p><p><b>message</b>
> <u></u></p><p><b>description</b> <u>This request requires HTTP
> authentication ().</u></p><HR size="1" noshade="noshade"><h3>Apache
> Tomcat/5.5.27</h3></body></html>"}
> 2010-12-13 19:56:55,351 ERROR XFormsServer  - xforms-submit-error - setting
> throwable {throwable:
> "org.orbeon.oxf.xforms.submission.XFormsSubmissionException:  (processing
> submission response): xforms:submission for submission id:
> fr-default-submission, error code received when submitting instance: 401
> null, line -1, column -1: xforms:submission for submission id:
> fr-default-submission, error code received when submitting instance: 401
> at
> org.orbeon.oxf.xforms.submission.XFormsModelSubmission.getReplacer(XFormsModelSubmission.java:659)
> at
> org.orbeon.oxf.xforms.submission.RegularSubmission$1.call(RegularSubmission.java:104)
> at
> org.orbeon.oxf.xforms.submission.RegularSubmission$1.call(RegularSubmission.java:76)
> at
> org.orbeon.oxf.xforms.submission.BaseSubmission.submitCallable(BaseSubmission.java:218)
> at
> org.orbeon.oxf.xforms.submission.RegularSubmission.connect(RegularSubmission.java:127)
> at
> org.orbeon.oxf.xforms.submission.XFormsModelSubmission.doSubmit(XFormsModelSubmission.java:444)
> =================================
>
> --
> You receive this message as a subscriber of the [hidden email] mailing
> list.
> To unsubscribe: mailto:[hidden email]
> For general help: mailto:[hidden email]?subject=help
> OW2 mailing lists service home page: http://www.ow2.org/wws
>
>

