Open ebruchez opened 9 years ago
Comment from duplicate #1872 which I just closed:
The Form Runner persistence API needs to know about the current user (username, roles, and group) to return meaningful results. For this information to be available to the API when it is called by a 3rd-party application, currently Orbeon Forms needs to be deployed twice:
We would like to avoid the need to deploy Orbeon Forms twice. One way to do this would be to:
war, disabling authentication for the services (this is already what is being done by default).
`Orbeon-Username`, `Orbeon-Group`, and `Orbeon-Roles` in the response.
Do we have a workaround for this, or not? If not, then we need to implement this quickly.
Here is a concrete scenario causing problems:
`orbeon-auth` webapp
`orbeon-service`
role applies
`FormRunnerAuthFilter`
Reopening until we have properly tested.
UPDATE 2022-03-28 @avernet: See @ebruchez's 2021-08-02 comment for a concrete use case.
UPDATE 2022-03-28: RESOLUTION: We will change the `FormRunnerAuthFilter` not to filter the `Orbeon-Username`, `Orbeon-Roles`, and `Orbeon-Group` for requests to `/fr/service/*`. This way, service callers will be able to make queries "on behalf of someone". Also, customers can set up their authorizer to altogether reject requests with those headers set, or check that the values of the headers are allowed depending on some custom logic. See #2275 for a concrete issue.
`Orbeon-Username`, `Orbeon-Group`, and `Orbeon-Roles`.
Questions:
`FormRunnerAuthFilter`. But service authorization is done by the PFC. If the PFC obtains headers, how should they be passed? Maybe by wrapping the `ExternalContext` in `PageOrServiceRoute.process()`, so that they are in effect only for the rest of the request.
`/fr/service` to call the authorizer and set the headers?
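To make the trust boundary in the resolution above concrete, here is an added model (not Orbeon's code) of the two pieces it describes: a filter that strips the `Orbeon-Username`, `Orbeon-Group` and `Orbeon-Roles` headers from every request except those under `/fr/service/*`, so a browser cannot spoof an identity, and a custom authorizer for service requests that either rejects any request carrying those headers or checks their values against an allowed-roles policy. Paths, header values and the role policy are constructed for illustration.

```python
from typing import Dict, Iterable, Tuple

# Identity headers named in the issue; HTTP header names are case-insensitive.
IDENTITY_HEADERS = {"orbeon-username", "orbeon-group", "orbeon-roles"}
SERVICE_PREFIX = "/fr/service/"  # path prefix from the resolution


def filter_identity_headers(path: str, headers: Dict[str, str]) -> Dict[str, str]:
    """Model of the resolved filter behaviour (hypothetical, not the real
    FormRunnerAuthFilter): drop identity headers on non-service requests so
    an end user cannot claim a username/group/roles; keep them on service
    requests so a trusted caller can act "on behalf of someone"."""
    if path.startswith(SERVICE_PREFIX):
        return dict(headers)
    return {k: v for k, v in headers.items() if k.lower() not in IDENTITY_HEADERS}


def authorize_service_request(headers: Dict[str, str], allowed_roles: Iterable[str],
                              reject_if_set: bool = False) -> Tuple[bool, str]:
    """Custom authorizer logic for /fr/service/* callers, covering both options
    from the resolution: refuse any request that sets identity headers, or
    accept only values that pass a policy (here: every role must be allowed
    and a username must accompany group/roles)."""
    present = {k.lower(): v for k, v in headers.items() if k.lower() in IDENTITY_HEADERS}
    if not present:
        return True, "no identity headers: anonymous service call"
    if reject_if_set:
        return False, "identity headers are not accepted from this caller"
    username = present.get("orbeon-username", "").strip()
    if not username:
        return False, "Orbeon-Username missing while Orbeon-Group/Orbeon-Roles are set"
    roles = [r.strip() for r in present.get("orbeon-roles", "").split(",") if r.strip()]
    disallowed = [r for r in roles if r not in set(allowed_roles)]
    if disallowed:
        return False, "roles not allowed by policy: " + ", ".join(disallowed)
    return True, "acting on behalf of " + username


if __name__ == "__main__":
    # Constructed requests: a browser hitting a form page, and a backend
    # service caller hitting the persistence service.
    page = filter_identity_headers("/fr/acme/order/new",
                                   {"Orbeon-Username": "mallory", "Accept": "text/html"})
    svc = filter_identity_headers("/fr/service/persistence/crud/acme/order/data/1/data.xml",
                                  {"Orbeon-Username": "alice", "Orbeon-Roles": "clerk"})
    print(page, svc, authorize_service_request(svc, ["clerk"]))
```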