
Orbeon make Authorization header optional


I have a single, embedded Orbeon instance behind a Spring gateway with JWT security. This works well; for the Orbeon Builder I need to forward the Authorization header to make things work properly. But for the Form Runner I now have a requirement: for some forms authentication is required, for others it is not. Is it possible to configure Orbeon in the following way: if the Authorization header is present, forward it; if not, do nothing (just load the form and let it be filled in)?

These are the settings for header forwarding in my properties-local-prod.xml:

  <property
        as="xs:string"
        name="oxf.http.forward-headers"
        value="Authorization"/>
  <property
        as="xs:string"
        name="oxf.xforms.forward-submission-headers"
        value="Authorization token allowDraft"/>
  <property
        as="xs:string"
        name="oxf.fr.authentication.method"
        value="header"/>

Right now I get the default Orbeon unauthorized page.

I get a 401 when I try to open the embedded Form Runner without authentication (obviously there is nothing to send towards Orbeon). I found this in the Orbeon log:

  HTTP status code 401 {controller: "oxf:/apps/fr/page-flow.xml", method: "GET", path: "/fr/app/form/edit/myforminstanceid", status-code: "401"}

A possible solution would be if it were possible to define some kind of run context that can be applied on a per-form-definition basis, like prod-auth, prod-public (unfortunately these would have to be active in parallel, as we have a single Orbeon instance). (Thinking further about the already available run modes: for the same set of forms I should be able to define that save-draft is visible for authenticated users but not for anonymous users... although I have already solved this with some not-that-nice JavaScript magic.)


Solution

  • Orbeon itself does not do anything special when one puts a config like this into properties-prod.xml; it just forwards the given headers.

    Although the default Orbeon Forms logging could be better (about the further HTTP calls, so one is aware of what is happening in the background), there was that single line in the log about what it did when the request arrived. As it turned out, my custom backend (persistence layer) expected the Authorization header.

    I had to put a (/contextRoot/orbeon).permitAll() into my Spring Security config and it started to work.
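Added example, not taken from the question or the answer above and not Orbeon's or Spring's own code: a servlet-stack Spring Security configuration that applies the fix the answer describes. It assumes the gateway is configured through `HttpSecurity` with `oauth2ResourceServer().jwt()`, that the embedded Orbeon instance is mounted under the hypothetical prefix `/orbeon/**` (the answer's `/contextRoot/orbeon`), and that CSRF is disabled as is usual for a stateless bearer-token gateway; none of those details are stated on the page. If the gateway is Spring Cloud Gateway (WebFlux), the equivalent is `ServerHttpSecurity.authorizeExchange(...)` with `pathMatchers(...).permitAll()`.

```java
package com.example.gateway; // assumed package name

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

/**
 * Gateway security in front of an embedded Orbeon Forms instance.
 * Added example, not the original poster's configuration.
 * Requests under the Orbeon context root no longer require a JWT;
 * everything else on the gateway still does.
 */
@Configuration
@EnableWebSecurity
public class GatewaySecurityConfig {

    // Assumed: Orbeon is mounted under this context root behind the gateway.
    private static final String ORBEON_PATHS = "/orbeon/**";

    @Bean
    SecurityFilterChain gatewayFilterChain(HttpSecurity http) throws Exception {
        http
            // Assumption for a stateless bearer-token gateway: Orbeon's XForms
            // submissions are POSTs that carry no Spring CSRF token.
            .csrf(csrf -> csrf.disable())
            .authorizeHttpRequests(auth -> auth
                // The fix from the answer: stop *requiring* authentication for
                // Orbeon URLs. permitAll() only skips the authorization check;
                // it does not strip the Authorization header, so a JWT that is
                // present is still forwarded to Orbeon (and, via Orbeon's
                // oxf.http.forward-headers, on to the persistence layer).
                .requestMatchers(ORBEON_PATHS).permitAll()
                .anyRequest().authenticated())
            // JWT validation remains active for every request that carries a
            // bearer token, Orbeon URLs included.
            .oauth2ResourceServer(oauth2 -> oauth2.jwt(Customizer.withDefaults()));
        return http.build();
    }
}
```

Two things to check after applying this. First, `permitAll()` changes authorization only: Spring Security's bearer-token filter still authenticates any `Authorization: Bearer ...` header it sees, so a request to an Orbeon URL with an expired or invalid token is still answered 401 by the gateway rather than being passed through as anonymous. Second, requests without the header now reach Orbeon with nothing to forward, so whether a form loads anonymously is decided by the persistence layer, which per the answer was the component returning the 401 in the first place; it has to accept requests that carry no Authorization header for the public forms.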