
Authentication and Access Control in Orbeon Builder

Posted by paleandromus on Mar 04, 2011; 2:52pm
URL: https://discuss.orbeon.com/Authentication-and-Access-Control-in-Orbeon-Builder-tp3335367.html

Hi everyone,

I'm trying to control access to the 'Form Builder' application (access control for listing and editing forms).
For that I first need user authentication, and then to control which forms may be modified or not, based on user roles.

To do this, I followed the instructions on these pages:
- http://www.orbeon.com/orbeon/doc/reference-authentication
- http://wiki.orbeon.com/forms/doc/developer-guide/form-runner/access-control#TOC-Access-control-for-editing-forms

I use the sample application '/java-authentication/' for user authentication, and authentication works properly.
But managing roles through the file 'form-runner-roles.xml' does not work as expected.
The whole setup is as follows (first try, only user authentication):

tomcat-user.xml (Users in Tomcat)
<tomcat-users>
    <role rolename="orbeon-admin"/>
    <user name="administrador" password="orbeon" roles="orbeon-admin"/>
</tomcat-users>

web.xml
...
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Orbeon Builder</web-resource-name>
            <url-pattern>/fr/orbeon/builder/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>orbeon-admin</role-name>
        </auth-constraint>
    </security-constraint>
	
    <login-config>
        <auth-method>FORM</auth-method>
        <form-login-config>
            <form-login-page>/java-authentication/login</form-login-page>
            <form-error-page>/java-authentication/login-error</form-error-page>
        </form-login-config>
    </login-config>
	
    <security-role>
        <role-name>orbeon-admin</role-name>
    </security-role>
...

form-runner-roles.xml
<roles>
    <!-- Default for distribution: give everybody access to every form -->
    <role name="*" app="*" form="*"/>
</roles>


Trying to access the list of forms of 'Orbeon Builder' (which is shown by 'Orbeon Runner') at http://[localhost]/orbeon/fr/orbeon/builder/summary jumps to the authentication form at the URL '/java-authentication/'. OK, that is the expected behavior. Once authenticated, the summary page of 'Orbeon Builder' appears.

- Image: Login Form by the app '/java-authentication/'
- Image: User info displayed by the app '/java-authentication/'
- Image: Session in Tomcat for the user authenticated (administrador)
- Image: Details of the session in Tomcat for the user

So far so good, but although there is an authenticated user in the '/orbeon' context of Tomcat, 'Form Runner' or 'Form Builder' shows no reference to the user, and when you create or modify forms, the user data is not saved in the 'USERNAME' column of the 'ORBEON_FORM_DATA' table, which remains empty although there is an authenticated user.

I tried this with the Orbeon versions 'Orbeon Forms dev-3.7.1.201008230714' and 'Orbeon Forms 3.8.0.201005141841 PE', with the same result.

First question:
Am I missing any configuration for 'Form Builder' or 'Form Runner' to display or use the authenticated user?

I am trying to control access to editing the forms by setting roles and access permissions for applications and forms in the file form-runner-roles.xml. This is the configuration I used in one test with the user configured earlier:


form-runner-roles.xml
<roles>
    <role name="orbeon-admin" app="*" form="*"/>
</roles>

The user 'administrador', who has the role 'orbeon-admin', is supposed to have access to edit any form. Is that correct? Well, no: this message always appears:
You do not have the privileges to access this page.

After doing multiple tests, with multiple users and configurations, if I change the default settings of the file form-runner-roles.xml, the result is that access to editing any form or creating new forms is blocked for all users (regardless of configuration, the block is total), and the message mentioned earlier always appears.

I have a second question:
Am I missing some detail to set in Orbeon, or some extra deployment step, for the 'Access control for editing forms' to work as it should?

Thank you very much for your attention and help, greetings.
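
An added example, not part of the original post and not Orbeon code: a Python check that the role names used across the three files quoted above agree with each other, run on constructed inputs condensed from the post. The function and variable names are assumptions made for this example; it checks name consistency only and does not model how Form Runner itself evaluates roles.

```python
import xml.etree.ElementTree as ET

# Constructed sample inputs, condensed from the three files quoted in the post.
TOMCAT_USERS = """<tomcat-users>
    <role rolename="orbeon-admin"/>
    <user name="administrador" password="orbeon" roles="orbeon-admin"/>
</tomcat-users>"""

WEB_XML = """<web-app>
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Orbeon Builder</web-resource-name>
            <url-pattern>/fr/orbeon/builder/*</url-pattern>
        </web-resource-collection>
        <auth-constraint><role-name>orbeon-admin</role-name></auth-constraint>
    </security-constraint>
    <security-role><role-name>orbeon-admin</role-name></security-role>
</web-app>"""

FR_ROLES = """<roles><role name="orbeon-admin" app="*" form="*"/></roles>"""

def find_all(root, name):
    # Match on the local element name so a namespaced web.xml also works.
    return [e for e in root.iter() if e.tag.rsplit("}", 1)[-1] == name]

def role_names(root, parent):
    # Text of every <role-name> found under the given parent element.
    return {(e.text or "").strip()
            for p in find_all(root, parent) for e in find_all(p, "role-name")}

def check_roles(tomcat_users, web_xml, fr_roles):
    """Return findings about role names that do not line up across the files."""
    tu, web, fr = (ET.fromstring(x) for x in (tomcat_users, web_xml, fr_roles))
    granted = set()  # roles that some container user actually holds
    for u in find_all(tu, "user"):
        granted |= {r.strip() for r in u.get("roles", "").split(",") if r.strip()}
    declared = role_names(web, "security-role")
    required = role_names(web, "auth-constraint")
    mapped = {r.get("name") for r in find_all(fr, "role")}
    findings = []
    for r in sorted(required - declared - {"*"}):
        findings.append(f"web.xml: auth-constraint role '{r}' has no <security-role>")
    for r in sorted(required - granted - {"*"}):
        findings.append(f"tomcat-users.xml: no user holds required role '{r}'")
    for r in sorted(mapped - declared - {"*"}):
        findings.append(f"form-runner-roles.xml: role '{r}' is not declared in web.xml")
    if "*" in mapped:
        findings.append("form-runner-roles.xml: role '*' gives every user access")
    return findings
```

On the post's own configuration the check returns no findings, since 'orbeon-admin' is spelled the same in all three files.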