0

I turned on security authentication in my Orbeon app and now I log in remotely to the app via REST API (I send a POST request to the URL https://localhost:8444/orbeon/j_security_check). Now I want to log out from my app but I don't know where to send the request. I would check what happens (what HTTP request is issued) after I click the logout button, but there is no logout button in Orbeon. All I found in the documentation is this:

`<p:processor name="oxf:session-invalidator"/>`

but I have no idea how to use it. Please help

piechos

1 Answer

0

Since you mention `j_security_check`, I imagine that you've set up FORM-based authentication in Orbeon Forms' `web.xml`. Note that you're here in pure "servlet territory"; there isn't much of this that is specific to the Orbeon Forms web app in particular. Since you're using FORM-based authentication, the server knows who you are after you logged in because the browser sends the `JSESSIONID` cookie Tomcat set when you logged in. To log out, you want to tell Tomcat "invalidate that session". To do so:

  • The simplest way is most likely to write a JSP that calls `session.invalidate()`.
  • If you're already doing things with XPL within Orbeon Forms, you can write an XPL file that calls the `<p:processor name="oxf:session-invalidator"/>` and hook that XPL to a URL through the page flow.
avernet
  • I am using WildFly, not Tomcat. When I use `session.invalidate()` it's just logging me out of my app (Orbeon is attached to my app in an iframe) and not logging out of the Orbeon app. How can I use the second option? Where should I add this piece of code: ?? Can I find some documentation for it? – piechos Jan 26 '16 at 08:14
  • @piechos So you seem to have your app deployed alongside Orbeon Forms; are you using separate deployment or using the Form Runner API to embed forms? (The latter is recommended, if that option works for you.) – avernet Jan 26 '16 at 17:07
  • I have separate deployment. I have my app in one war file and Orbeon in another war file. In addition I use the Orbeon embedded API in some places of my app. But I just want to log out. Is there any REST API which I can use for it? The problem is that I wanna log in and log out from Orbeon when I log in and log out from my app respectively. – piechos Jan 26 '16 at 23:22
  • @piechos I think this is very much related to what we're discussing on http://stackoverflow.com/questions/35012728/orbeon-security-doesnt-work-correctly-for-orbeon-embedded-api. As mentioned there: you shouldn't need to log into `/orbeon`. And if you don't, then there is no need to logout ;). Obviously, you'll want to protect `/orbeon` somehow, and make it totally inaccessible to users, say through a filter, or firewall, or a setup in your reverse proxy if you have one. – avernet Jan 27 '16 at 05:09
  • I have to log into /orbeon because I use orbeon as separate war as well. In the top you mentioned I'm using orbeon embedded api, but here in this topic I have problem with orbeon which I use as separate war and I just have in my app as simple iframe in which I have /orbeon – piechos Jan 27 '16 at 07:40
  • @piechos Users accessing `/orbeon` in addition to your `/backoffice` as well might be a problem. May I ask why using the embedding API is not enough? If you could just use the embedding API, then you would avoid this problem. But of course, I'm not excluding that use cases for also accessing `/orbeon` directly exist, in which case those are things we might want to think about. – avernet Jan 27 '16 at 17:31
  • It is not enough because in the iframe I have Orbeon builder and as far as I know there is no embedded API for Orbeon builder. Am I right? – piechos Jan 28 '16 at 22:44
  • Like you said, Orbeon Forms currently doesn't support embedding of Form Builder (see https://github.com/orbeon/orbeon-forms/issues/2435). If Orbeon Forms did support that, you wouldn't have this problem. But as things stand now, you have users accessing 2 web apps, and if you want to keep authentication in sync, what you really need is single sign-on. Since you're using Tomcat, if I were you I'd try to use Tomcat's single sign-on, which should be pretty easy to put in place (https://tomcat.apache.org/tomcat-7.0-doc/config/host.html#Single_Sign_On). – avernet Jan 29 '16 at 18:32
  • If this is still relevant, Form Builder embedding using the Java embedding API is implemented for Orbeon Forms 2016.3 (see [#2435](https://github.com/orbeon/orbeon-forms/issues/2435)) – ebruchez Dec 13 '16 at 00:42
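
The first option in the answer (server-side code that calls `session.invalidate()`), written as a servlet that a REST client can POST to. This is an added example, not code from the answer or from Orbeon Forms; the `/logout` mapping, the class name and registration through `@WebServlet` are assumptions, and it has to be deployed inside the Orbeon Forms web app, because a session belongs to the web app that created it.

```java
import java.io.IOException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example: the mapping "/logout" is an assumed path inside the
// Orbeon Forms web app (it could equally be declared in web.xml).
@WebServlet("/logout")
public class LogoutServlet extends HttpServlet {

    // POST only, so a plain link or image on another page cannot end the session.
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        // getSession(false): do not create a session just to destroy it.
        HttpSession session = req.getSession(false);
        if (session != null) {
            // Same call the answer's JSP option makes; the container
            // forgets the authenticated user tied to this session.
            session.invalidate();
        }

        // Tell the client to drop its now-useless session cookie.
        // "JSESSIONID" is the default cookie name (assumed unchanged).
        Cookie expired = new Cookie("JSESSIONID", "");
        String contextPath = req.getContextPath();
        expired.setPath(contextPath.isEmpty() ? "/" : contextPath);
        expired.setMaxAge(0);              // 0 = delete immediately
        expired.setHttpOnly(true);
        expired.setSecure(req.isSecure()); // keep Secure on HTTPS deployments
        resp.addCookie(expired);

        // Nothing to return; make sure no intermediary caches the response.
        resp.setHeader("Cache-Control", "no-store");
        resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }
}
```

The client must send the same `JSESSIONID` cookie it received after the `j_security_check` login, otherwise the request is not associated with the session to invalidate.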