When I was trying to add an image to an Orbeon form, I found that in some cases it works fine, and in others it does not.

For example, here is a simple form that uses a remote image by URL:

```xml
<xh:html xmlns:xh="http://www.w3.org/1999/xhtml" xmlns:xf="http://www.w3.org/2002/xforms"
     xmlns:xs="http://www.w3.org/2001/XMLSchema"
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xmlns:ev="http://www.w3.org/2001/xml-events"
     xmlns:xi="http://www.w3.org/2001/XInclude"
     xmlns:xxi="http://orbeon.org/oxf/xml/xinclude"
     xmlns:xxf="http://orbeon.org/oxf/xml/xforms"
     xmlns:exf="http://www.exforms.org/exf/1-0"
     xmlns:fr="http://orbeon.org/oxf/xml/form-runner"
     xmlns:saxon="http://saxon.sf.net/"
     xmlns:sql="http://orbeon.org/oxf/xml/sql"
     xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
     xmlns:fb="http://orbeon.org/oxf/xml/form-builder">
<xh:head>
    <xh:title>Form with Image by URL</xh:title>
    <xf:model id="fr-form-model" xxf:expose-xpath-types="true">

        <!-- Main instance -->
        <xf:instance id="fr-form-instance" xxf:exclude-result-prefixes="#all">
            <form>
                <section-1>
                    <control-3>http://media2.giphy.com/avatars/aap/gjQXEptJHq99.gif</control-3>
                </section-1>
            </form>
        </xf:instance>

        <!-- Bindings -->
        <xf:bind id="fr-form-binds" ref="instance('fr-form-instance')">
            <xf:bind id="section-1-bind" name="section-1" ref="section-1">
                <xf:bind id="control-3-bind" ref="control-3" name="control-3" type="xf:anyURI"/>
            </xf:bind>
        </xf:bind>

        <!-- Metadata -->
        <xf:instance xxf:readonly="true" id="fr-form-metadata" xxf:exclude-result-prefixes="#all">
            <metadata>
                <application-name>UrlImage</application-name>
                <form-name>UrlImage</form-name>
                <title xml:lang="en">Form with Image by URL</title>
                <description xml:lang="en"/>
                <singleton>false</singleton>
            </metadata>
        </xf:instance>

        <!-- Attachments -->
        <xf:instance id="fr-form-attachments" xxf:exclude-result-prefixes="#all">
            <attachments>
                <css mediatype="text/css" filename="" size=""/>
                <pdf mediatype="application/pdf" filename="" size=""/>
            </attachments>
        </xf:instance>

        <!-- All form resources -->
        <!-- Don't make readonly by default in case a service modifies the resources -->
        <xf:instance id="fr-form-resources" xxf:readonly="false" xxf:exclude-result-prefixes="#all">
            <resources>
                <resource xml:lang="en">
                    <section-1>
                        <label>Untitled Section</label>
                    </section-1>
                    <control-3>
                        <label>This is a remote image</label>
                    </control-3>
                </resource>
            </resources>
        </xf:instance>

        <!-- Utility instances for services -->
        <xf:instance id="fr-service-request-instance" xxf:exclude-result-prefixes="#all">
            <request/>
        </xf:instance>

        <xf:instance id="fr-service-response-instance" xxf:exclude-result-prefixes="#all">
            <response/>
        </xf:instance>

    </xf:model>
</xh:head>
<xh:body>
    <fr:view>
        <fr:body xmlns:xbl="http://www.w3.org/ns/xbl"
                 xmlns:oxf="http://www.orbeon.com/oxf/processors"
                 xmlns:p="http://www.orbeon.com/oxf/pipeline">
            <fr:section id="section-1-control" bind="section-1-bind">
                <xf:label ref="$form-resources/section-1/label"/>
                <fr:grid>
                    <xh:tr>

                        <xh:td>
                            <xf:output id="control-3-control" bind="control-3-bind" mediatype="image/*">
                                <xf:label ref="$form-resources/control-3/label"/>

                                <!-- No hint? -->
                                <xf:alert ref="$fr-resources/detail/labels/alert"/>
                            </xf:output>
                        </xh:td>
                    </xh:tr>
                </fr:grid>
            </fr:section>
        </fr:body>
    </fr:view>
</xh:body>
</xh:html>
```

The important part is the URL `http://media2.giphy.com/avatars/aap/gjQXEptJHq99.gif`, which works fine. But if you use a secure connection like `https://media2.giphy.com/avatars/aap/gjQXEptJHq99.gif`, it is not able to obtain the image.

I am not sure; maybe the problem is similar to this one: Trusting all certificates using HttpClient over HTTPS.

Is this something that can be overridden by configuration? Can I use an image via a URL from an HTTPS site without adding the certificate for each server to my Java store?

King Midas

2 Answers

There are properties to configure that, but you have to be careful, because in general you really shouldn't trust all certificates!

Your example of https://media2.giphy.com/avatars/aap/gjQXEptJHq99.gif works from Chrome without warning or error, for example, so I would expect it to work from the JVM as well. Maybe the JVM is not configured with the same set of CAs as the browser. In which case the JVM can be configured to add some, although it's a bit tricky.

ebruchez
  • No, the JVM is not using the same certificates as the browser. It uses its own [certification store](http://javacolors.blogspot.com.es/2012/05/how-to-register-ssl-certificates-in.html). But I will take a look at the `browser-compatible` option to see if it solves the problem. – King Midas Dec 15 '15 at 08:50
  • OK, neither the `browser-compatible` nor the `allow-all` option does the trick. These parameters, if I have understood correctly, are related to connecting to the Orbeon server from a browser client using HTTPS, but are not for adding a remote image by URL in an Orbeon form. Then it is probably using a JVM cert like any Java client. Is this correct? – King Midas Dec 15 '15 at 09:32
  • No, that parameter is about the HTTP client in Orbeon Forms, when connecting to external services. – ebruchez Dec 15 '15 at 19:55
  • Then I am not able to make it work. Changing this parameter in my Orbeon configuration does not change the behaviour. Only adding the server certificate to the keystore does the trick. – King Midas Dec 16 '15 at 11:19
  • I think that makes sense because `allow-all` only avoids checking that the host name matches, but would still reject a completely invalid certificate. – ebruchez Dec 16 '15 at 15:19
  • OK, then this explains the behaviour. As for the solution, for now I can only do it in the way explained in my own answer. If I only have a limited set of servers, it is possible to do it this way, but not if I want to allow any server. In my case, for now, I am using my custom image server, but it can be a problem in the future. – King Midas Dec 17 '15 at 09:49

This behaviour is probably because Orbeon does not use the image URL directly, but does intermediate processing in the Orbeon "server-media".

OK, it seems that in the end it only works if I add the certificate to the Orbeon keystore defined in `oxf.http.ssl.keystore.uri`. But this is only valid if I know the servers from which the images will be linked. It is not a valid solution for linking any image from any server. Java allows disabling this behaviour. Is it possible in Orbeon?

King Midas
  • Which behavior are you asking to disable? – ebruchez Dec 15 '15 at 19:56
  • The check if a certificate is valid or not. – King Midas Dec 16 '15 at 11:17
  • Got it. However the certificate appears valid, or Chrome wouldn't load it when pointing directly to the image, would it? – ebruchez Dec 16 '15 at 15:17
  • With Mozilla and Chrome I can load the image directly without any issue. Probably because they already have the certificate in their own repository. Java uses a different certificate storage (and therefore can have a different set of certificates). – King Midas Dec 17 '15 at 09:43
  • And that's probably just the issue. Maybe the solution is to upgrade to the latest version of Java. They list the top-level root CAs [here](http://certificate.fyicenter.com/121_Java_VM_Root_CA_List_of_Certificates_in_Java_Trusted_Keystor.html). – ebruchez Dec 17 '15 at 18:37
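
Both answers come down to which roots the JVM trusts. The following is an added example, not code from the posts or from Orbeon: a plain JSSE diagnostic that shows the chain a server presents and whether the JVM's default trust store accepts it, without ever disabling validation. The class name `JvmTrustCheck` is hypothetical, the host comes from the command line, and only chain trust is checked, not the host name.

```java
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;

// Added example (hypothetical class name): reports whether this JVM trusts a server's chain.
// Validation is never switched off; the wrapper records the chain and then delegates.
public class JvmTrustCheck {

    // The JVM's default X509TrustManager (cacerts, or javax.net.ssl.trustStore if set).
    static X509TrustManager defaultTrustManager() throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null selects the JVM default trust store
        for (TrustManager tm : tmf.getTrustManagers())
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        throw new IllegalStateException("no X509TrustManager available");
    }

    public static void main(String[] args) throws Exception {
        final X509TrustManager jvm = defaultTrustManager();
        System.out.println("Java " + System.getProperty("java.version")
            + ", trusted roots: " + jvm.getAcceptedIssuers().length);
        if (args.length == 0) return; // usage: java JvmTrustCheck <host> [port]

        final X509Certificate[][] seen = new X509Certificate[1][];
        X509TrustManager recorder = new X509TrustManager() {
            public void checkServerTrusted(X509Certificate[] chain, String authType)
                    throws CertificateException {
                seen[0] = chain;                         // remember what the server sent
                jvm.checkServerTrusted(chain, authType); // still enforce normal validation
            }
            public void checkClientTrusted(X509Certificate[] c, String a)
                    throws CertificateException { jvm.checkClientTrusted(c, a); }
            public X509Certificate[] getAcceptedIssuers() { return jvm.getAcceptedIssuers(); }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { recorder }, null);
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 443;
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(args[0], port)) {
            s.startHandshake();
            System.out.println("chain is trusted by this JVM");
        } catch (SSLException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        if (seen[0] != null) // the last issuer printed is the CA the trust store must contain
            for (X509Certificate c : seen[0])
                System.out.println("  subject=" + c.getSubjectX500Principal()
                    + "\n  issuer =" + c.getIssuerX500Principal());
    }
}
```

Run it with the same Java installation that runs the application server, since each JVM has its own `cacerts`.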