Form Runner Access Control

Access control for Orbeon Forms 4.x

This documentation has moved.

Legacy: access control for deployed forms with Orbeon Forms 3.9

You control access to forms entirely based on paths. For this discussion, let's assume that:
  1. You deployed Orbeon Forms on /orbeon. (You can choose to deploy Orbeon Forms on any context, including just on /.)
  2. You have two applications (or groups of forms), which correspond to two services of your company: hr and sales.
  3. HR has a number of forms including one called expense-report.

Given this, here is what the paths will look like:

Path                                      Description
/orbeon/fr/hr/expense-report/new          To create a new expense report.
/orbeon/fr/hr/expense-report/edit/{id}    To edit an expense report having that given, system-generated id.
/orbeon/fr/hr/expense-report/summary      To view all the submitted expense reports.


Now, consider the following access rules you might want to put in place:

What you want: All the employees should be able to create a new expense report.
How to implement it: Give access to /orbeon/fr/hr/expense-report/new to any authenticated employee.

What you want: Only HR persons should be able to view or edit submitted expense reports.
How to implement it: Restrict access to /orbeon/fr/hr/expense-report/edit/* and /orbeon/fr/hr/expense-report/summary to authenticated users with the appropriate "HR" role defined in your authentication system.

What you want: Only persons in the sales department should be able to access any of the forms in the sales app.
How to implement it: Restrict access to /orbeon/fr/sales/* to authenticated users with the appropriate "sales" role defined in your authentication system.

One possible way to do this is within the web.xml file:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Expense report: new</web-resource-name>
        <url-pattern>/fr/hr/expense-report/new</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>orbeon-user</role-name>
    </auth-constraint>
</security-constraint>
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Expense report: summary and edit</web-resource-name>
        <!-- url-pattern values are relative to the context path, so they do not include /orbeon -->
        <url-pattern>/fr/hr/expense-report/summary</url-pattern>
        <url-pattern>/fr/hr/expense-report/edit/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>orbeon-hr</role-name>
    </auth-constraint>
</security-constraint>
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Sales forms: all pages</web-resource-name>
        <url-pattern>/fr/sales/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>orbeon-sales</role-name>
    </auth-constraint>
</security-constraint>

For more information about this web.xml configuration, please refer to the Java EE documentation, for example this tutorial.
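
The following audit script is an added example, not part of the original Orbeon documentation. It applies the servlet url-pattern matching rules to the three constraints above to report which roles guard a given request URI, and returns None for any URI that no constraint covers. It assumes deployment on /orbeon, that every constraint carries an auth-constraint, and it ignores http-method restrictions.

```python
import xml.etree.ElementTree as ET

CONTEXT = "/orbeon"  # deployment context assumed on this page

# Constructed sample: the three constraints from this page in compact form.
WEB_XML = """<web-app>
<security-constraint><web-resource-collection>
  <url-pattern>/fr/hr/expense-report/new</url-pattern></web-resource-collection>
  <auth-constraint><role-name>orbeon-user</role-name></auth-constraint></security-constraint>
<security-constraint><web-resource-collection>
  <url-pattern>/fr/hr/expense-report/summary</url-pattern>
  <url-pattern>/fr/hr/expense-report/edit/*</url-pattern></web-resource-collection>
  <auth-constraint><role-name>orbeon-hr</role-name></auth-constraint></security-constraint>
<security-constraint><web-resource-collection>
  <url-pattern>/fr/sales/*</url-pattern></web-resource-collection>
  <auth-constraint><role-name>orbeon-sales</role-name></auth-constraint></security-constraint>
</web-app>"""

def _find(el, name):
    # Match on local name so a namespaced web.xml works too
    return [e for e in el.iter() if e.tag.rsplit("}", 1)[-1] == name]

def load_constraints(xml_text):
    """Return [(url_pattern, {roles})] for every pattern in the descriptor."""
    rules = []
    for sc in _find(ET.fromstring(xml_text), "security-constraint"):
        roles = {r.text.strip() for r in _find(sc, "role-name")}
        rules += [(p.text.strip(), roles) for p in _find(sc, "url-pattern")]
    return rules

def rank(pattern, path):
    """Match strength: exact > longest prefix > extension > default; None if no match."""
    if pattern == path:
        return (3, len(pattern))
    if pattern.endswith("/*") and (path == pattern[:-2] or path.startswith(pattern[:-1])):
        return (2, len(pattern))
    if pattern.startswith("*.") and path.rsplit("/", 1)[-1].endswith(pattern[1:]):
        return (1, 0)
    return (0, 0) if pattern == "/" else None

def required_roles(rules, request_uri, context=CONTEXT):
    """Roles guarding request_uri, or None when no constraint applies to it."""
    if not request_uri.startswith(context + "/"):
        return None  # not served by this web application
    path = request_uri[len(context):]  # patterns are matched without the context path
    hits = [(r, roles) for p, roles in rules if (r := rank(p, path)) is not None]
    if not hits:
        return None
    best = max(r for r, _ in hits)
    return set().union(*(roles for r, roles in hits if r == best))

RULES = load_constraints(WEB_XML)
```

A None result means the container enforces no role check on that path, which is the case for any HR form other than expense-report under these rules, and for any pattern written with the /orbeon prefix.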