use oxf:xforms-submission to submit URL with user name

Hi,

I am using orbeon xforms with weblogic 10 and add security constraint in web.xml. User needs to login with weblogic user before access the web pages.

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>OK</web-resource-name>
            <description>OK to Connect</description>
            <url-pattern>app/*</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>RoleName</role-name>
        </auth-constraint>
    </security-constraint>

In a xpl on server side, I use xforms-submission to call another service on the same weblogic server.

    <p:processor name="oxf:xforms-submission">
        <p:input name="submission">
            <xforms:submission xsl:version="2.0" method="post">
                http://jack:password@abc.com/service           ---- there is user name and passowrd
            </xforms:submission>
        </p:input>
        <p:input name="request" href="#service-call"/>
        <p:output name="response" id="core-service-result"/>
    </p:processor>

The problem is:
User logins as "Tom" and gets the pages. In a filter, I get "Tom" from request.getUserPrincipal().getUserName() for each request. But after the xofmr-submission is called. I always got "jack" in user request. It seems the username and password in xforms-submission will replace the login weblogic user.

Can anyone provide information on this problem? Thank you!

James

James,

On Feb 26, 2009, at 4:23 AM, JamesGu wrote:
I must be missing something here: if you explicitly put  
<xforms:submission resource="http://jack:password@.../service">,  
then it is expected for the user you specified in the URI there (Jack)  
to replace the actual user (Tom), isn't it?

Alex
--
Orbeon Forms - Web 2.0 Forms, open-source, for the Enterprise
Orbeon's Blog: http://www.orbeon.com/blog/
Personal Blog: http://avernet.blogspot.com/
Twitter - http://twitter.com/avernet



--
You receive this message as a subscriber of the [hidden email] mailing list.
To unsubscribe: mailto:[hidden email]
For general help: mailto:[hidden email]?subject=help
OW2 mailing lists service home page: http://www.ow2.org/wws

Alex,

Sorry, I did miss the attribute in xforms:submission. I put it in "action". You are right. The user in the URI (Jack) will replace the actual user (Tom) after this processor is called.

Do you know how to avoid this?

    <p:processor name="oxf:xforms-submission"> 
        <p:input name="submission"> 
            <xforms:submission xsl:version="2.0" method="post" action="http://jack:password@abc.com/service"> 
            </xforms:submission> 
        </p:input> 
        <p:input name="request" href="#service-call"/> 
        <p:output name="response" id="core-service-result"/> 
    </p:processor> 

The version I am using is : Orbeon Forms Release 3.7.0beta1.200808240812

Thanks,
James

James,

On Feb 27, 2009, at 2:27 AM, JamesGu wrote:

> Sorry, I did miss the attribute in xforms:submission. I put it in  
> "action".
> You are right. The user in the URI (Jack) will replace the actual  
> user (Tom)
> after this processor is called.

If you don't put the user/password there in the URL, then the XForms  
engine will pass along the Authorization header for the current user.  
I.e. simply having:

<xforms:submission xsl:version="2.0" method="post" action="http://abc.com/service 
">

Alex
--
Orbeon Forms - Web 2.0 Forms, open-source, for the Enterprise
Orbeon's Blog: http://www.orbeon.com/blog/
Personal Blog: http://avernet.blogspot.com/
Twitter - http://twitter.com/avernet



--
You receive this message as a subscriber of the [hidden email] mailing list.
To unsubscribe: mailto:[hidden email]
For general help: mailto:[hidden email]?subject=help
OW2 mailing lists service home page: http://www.ow2.org/wws

Alex,

But it is another service on the same weblogic server, and I need to add some security control on it. The login user have no access to that service.

I think the xforms:submission shouldn't keep the username and password after it is called. What do you think?


Thanks,
James

James,

It may help to refer to the other thread where Eric suggested you use
xforms:submission to send a SOAP request that requires basic
authentication.

-Bill

-----Original Message-----
From: JamesGu [mailto:[hidden email]]
Sent: Sunday, March 01, 2009 8:59 PM
To: [hidden email]
Subject: [dtiSPAM] - [ops-users] Re: Re: use oxf:xforms-submission to
submit URL with user name - Email has different SMTP TO: and MIME TO:
fields in the email addresses


Alex,

But it is another service on the same weblogic server, and I need to add
some security control on it. The login user have no access to that
service.

I think the xforms:submission shouldn't keep the username and password
after it is called. What do you think?


Thanks,
James


--
View this message in context:
http://www.nabble.com/use-oxf%3Axforms-submission-to-submit-URL-with-use
r-name-tp22222965p22280831.html
Sent from the ObjectWeb OPS - Users mailing list archive at Nabble.com.


## Scanned by Delphi Technology, Inc. ##


--
You receive this message as a subscriber of the [hidden email] mailing list.
To unsubscribe: mailto:[hidden email]
For general help: mailto:[hidden email]?subject=help
OW2 mailing lists service home page: http://www.ow2.org/wws

Sorry for the confusion. It was me who posted about using Basic Authentication for a SOAP request. The related posting is http://www.nabble.com/SOAP-delegation-and-Basic-Authentication-tt21550517.html#a21550517

-Bill

James,

On Mar 1, 2009, at 5:59 PM, JamesGu wrote:

> But it is another service on the same weblogic server, and I need to  
> add
> some security control on it. The login user have no access to that  
> service.
>
> I think the xforms:submission shouldn't keep the username and  
> password after
> it is called. What do you think?

Well, let's recap:

1) If you want the current user Authorization to be passed to the  
service, then you don't specify a user in the submission. (It looks  
like this is not what you want.)
2) If you want another username/password to be sent, you specify it  
with xxforms:username and xxforms:password. (I think this is what you  
want.)
3) If you don't want any username/password to be sent, you specify  
xxforms:username="".

Does this help?

Alex
--
Orbeon Forms - Web 2.0 Forms, open-source, for the Enterprise
Orbeon's Blog: http://www.orbeon.com/blog/
Personal Blog: http://avernet.blogspot.com/
Twitter - http://twitter.com/avernet



--
You receive this message as a subscriber of the [hidden email] mailing list.
To unsubscribe: mailto:[hidden email]
For general help: mailto:[hidden email]?subject=help
OW2 mailing lists service home page: http://www.ow2.org/wws

Alex,

Thank you for your suggestion!

I use xxforms:username and xxforms:password and it works well. The user in xxforms:username won't replace the login user.

<p:processor name="oxf:xforms-submission">
    <p:input name="submission">
    <xforms:submission method="post" action="http://test.com/coreservice" separator="&amp;" xxforms:username="jack" xxforms:password="password"/>
    </p:input>
    <p:input name="request" href="#request"/>
    <p:output name="response" id="response"/>
</p:processor>


I also use these two attributes on xforms:instance. It works well, too.

<xforms:instance id="test" src="http://test.com/coreservice" xxforms:username="jack" xxforms:password="password"/>


Thanks,
James

James,

On Mar 4, 2009, at 11:38 PM, JamesGu wrote:

> I use xxforms:username and xxforms:password and it works well.

Glad this works for you.

> I also use these two attributes on xforms:instance. It works well,  
> too.
>
> <xforms:instance id="test" src="http://test.com/coreservice"
> xxforms:username="jack" xxforms:password="password"/>

I don't think those attributes on the <xforms:instance> will be used,  
so you should just be able to remove those there.

Alex
--
Orbeon Forms - Web 2.0 Forms, open-source, for the Enterprise
Orbeon's Blog: http://www.orbeon.com/blog/
Personal Blog: http://avernet.blogspot.com/
Twitter - http://twitter.com/avernet



--
You receive this message as a subscriber of the [hidden email] mailing list.
To unsubscribe: mailto:[hidden email]
For general help: mailto:[hidden email]?subject=help
OW2 mailing lists service home page: http://www.ow2.org/wws

Alex,

I tested it in my application and these two attributes work on xforms:instance. If I remove these two attribute, it throws out a 401 error, so I believe they are used. The version I am using is "Orbeon Forms Release 3.7.0beta1.200808240812". Could you please check it?

Error message:
Got invalid return code while loading URI: http://localhost:7001/service, 401


I aslo find this message on your website.

http://www.orbeon.com/ops/doc/home-changes-35

3.8. XForms Submission Enhancements
HTTP authentication for instances and submissions. xforms:instance and xforms:submission support the xxforms:username and xxforms:password to supply authorization credentials when using HTTP.


Thanks,
James

James,

JamesGu wrote

I tested it in my application and these two attributes work on xforms:instance. If I remove these two attribute, it throws out a 401 error, so I believe they are used. The version I am using is "Orbeon Forms Release 3.7.0beta1.200808240812". Could you please check it?

My bad: yes they are used when loading the initial instance pointed to by the "src" attribute. They are not used by the <xforms:submission> and I had that part in mind :). So you are good; you should keep those attribute.

Alex

Alex,

That's great. Thank you very much for your help!

James