Local Instance Security?

Hi there,

I've managed to get ODK Aggregate instance deployed into a tomcat
servlet container using a postgres backend. I can see the tables have
been created in postgres, but I am now stuck on some security
settings.

The first time I hit http://localhost:8080/odk/ ... I get redirected
to the http://localhost:8080/odk/openid_login.html page, I click on the
"Sign in with Google" button and I am redirected to the Google
accounts "Allow" page. I click allow and am then taken to the main
Aggregate page http://localhost:8080/odk/www/forms with the warning
that "Site Management is NOT SECURE". In the upper right is the link
"Log off anonymous user". I followed those instructions about setting
up the security, but when trying to logout, the link to "log off" goes
to http://localhost:8080/odk/null which is 404.

Seems to me that something is still amiss with the Google OpenID
connection since it looks like I am still an Anonymous user even after
granting permissions. I've tried this with both localhost and
machinename.local ... do I need this on an external IP for OAuth
callback or something similar?

fwiw, this is from an hg checkout and the v1_0 branch

Not sure what's going on here, help appreciated.

Jeff

Hi Jeff,

Looking at the code, it looks like the conf/postgres/odk-settings.xml does
not have the correct definition for the user service. The bean definition
should be:

<bean id="user_service" class="org.opendatakit.common.security.spring.UserServiceImpl">

This could explain the odd behavior you're seeing. Please revise that
definition, re-generate the jar file, copy it into the war/WEB-INF
directory, and restart tomcat.

The server uses plain OpenID -- I haven't waded into setting up OAuth
functionality yet. The logout link should
send you to //localhost:8080/odk/logout.html (via
//localhost:8080/odk/_spring_security_logout ). The odk/null redirect hints
at the above bean being incorrect.

The logout should work fine for OpenID logins, as it invalidates the
session. Interestingly, that does not invalidate the OpenID cookie, which
persists longer. With most operations, I find you just need to log off and
log back in. At least it works for me within Firefox and within the Eclipse
browser. To invalidate the OpenID cookie, you need to clear the cookies in
your browser.

What browser are you using?

Mitch

··· On Thu, Feb 10, 2011 at 10:11 PM, Jeffrey Johnson wrote:

--
Mitch Sundt
Software Engineer

University of Washington
mitchellsundt@gmail.com
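The two symptoms Mitch points at (a user_service bean in conf/postgres/odk-settings.xml with the wrong class, and a "Log off" link that resolves to /odk/null instead of the Spring Security logout URL) are both easy to check mechanically before restarting tomcat. The script below is an added example and is not part of this thread or of ODK Aggregate; the Spring XML fragments, the HTML snippets and the class name in the "bad" fragment are constructed inputs, and the only real identifiers are the bean id, the expected class and the logout path quoted in the reply above.

```python
"""Smoke checks for an ODK Aggregate deployment (added example, not ODK code).

check_user_service_bean: parse a Spring beans XML file and confirm the bean
    with id="user_service" is org.opendatakit.common.security.spring.UserServiceImpl.
check_logoff_link: parse the rendered Aggregate page and confirm the "Log off"
    link goes to the Spring Security logout URL, not to /odk/null, and that the
    link no longer names the anonymous user after a login.
"""
from html.parser import HTMLParser
from typing import List
from urllib.parse import urljoin, urlparse
import xml.etree.ElementTree as ET

EXPECTED_USER_SERVICE_CLASS = "org.opendatakit.common.security.spring.UserServiceImpl"
EXPECTED_LOGOUT_SUFFIXES = ("/_spring_security_logout", "/logout.html")

# Constructed inputs: minimal beans files in the shape of odk-settings.xml.
GOOD_SETTINGS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans">
  <bean id="user_service"
        class="org.opendatakit.common.security.spring.UserServiceImpl"/>
</beans>"""

# "SomeOtherService" is a placeholder class name, not a real ODK class.
BAD_SETTINGS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans">
  <bean id="user_service"
        class="org.opendatakit.common.security.spring.SomeOtherService"/>
</beans>"""

# Constructed page fragments: what the upper-right link looks like when the
# deployment is healthy versus the broken state described in the thread.
GOOD_PAGE_HTML = '<html><body><a href="/odk/_spring_security_logout">Log off jeff</a></body></html>'
BAD_PAGE_HTML = '<html><body><a href="/odk/null">Log off anonymous user</a></body></html>'


def check_user_service_bean(settings_xml: str) -> List[str]:
    """Return a list of findings about the user_service bean; empty means OK."""
    root = ET.fromstring(settings_xml)
    # Spring files are namespaced; compare on the local tag name only.
    beans = [el for el in root.iter() if el.tag.split("}")[-1] == "bean"]
    matches = [b for b in beans if b.get("id") == "user_service"]
    if not matches:
        return ['no bean with id="user_service" found']
    findings = []
    if len(matches) > 1:
        findings.append("user_service is defined more than once")
    for bean in matches:
        cls = bean.get("class")
        if cls != EXPECTED_USER_SERVICE_CLASS:
            findings.append(
                f"user_service class is {cls!r}, expected {EXPECTED_USER_SERVICE_CLASS!r}"
            )
    return findings


class _LogoffLinkParser(HTMLParser):
    """Collect (href, text) for every anchor whose text contains 'log off'."""

    def __init__(self) -> None:
        super().__init__()
        self._href = None
        self._text = ""
        self.links = []  # list of (href, text)

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = ""

    def handle_data(self, data):
        if self._href is not None:
            self._text += data

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            if "log off" in self._text.lower():
                self.links.append((self._href, self._text.strip()))
            self._href = None


def check_logoff_link(page_html: str, base_url: str = "http://localhost:8080/odk/") -> List[str]:
    """Return findings about the Log off link on a rendered Aggregate page."""
    parser = _LogoffLinkParser()
    parser.feed(page_html)
    if not parser.links:
        return ["no Log off link found on the page"]
    findings = []
    for href, text in parser.links:
        if "anonymous" in text.lower():
            findings.append(f"link still reads {text!r}: the OpenID login did not take")
        path = urlparse(urljoin(base_url, href)).path
        if path.endswith("/null"):
            findings.append(f"Log off link resolves to {path}: check the user_service bean")
        elif not path.endswith(EXPECTED_LOGOUT_SUFFIXES):
            findings.append(f"unexpected logout path {path}")
    return findings


if __name__ == "__main__":
    for label, xml_text in (("good", GOOD_SETTINGS_XML), ("bad", BAD_SETTINGS_XML)):
        print(label, "settings:", check_user_service_bean(xml_text) or "OK")
    for label, html_text in (("good", GOOD_PAGE_HTML), ("bad", BAD_PAGE_HTML)):
        print(label, "page:", check_logoff_link(html_text) or "OK")
```

Run it against your real conf/postgres/odk-settings.xml (read the file and pass its text to check_user_service_bean) and against the HTML of /odk/www/forms fetched while logged in; any non-empty result is the condition the reply above describes.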

Looking at the code, it looks like the conf/postgres/odk-settings.xml does
not have the correct definition for the user service. The bean definition
should be:

<bean id="user_service" class="org.opendatakit.common.security.spring.UserServiceImpl">

This could explain the odd behavior you're seeing. Please revise that
definition, re-generate the jar file, copy it into the war/WEB-INF
directory, and restart tomcat.

That did the trick! Thanks.

The server uses plain OpenID -- I haven't waded into setting up OAuth
functionality yet. The logout link should
send you to //localhost:8080/odk/logout.html (via
//localhost:8080/odk/_spring_security_logout ). The odk/null redirect hints
at the above bean being incorrect.

The logout should work fine for OpenID logins, as it invalidates the
session. Interestingly, that does not invalidate the OpenID cookie, which
persists longer. With most operations, I find you just need to log off and
log back in. At least it works for me within Firefox and within the Eclipse
browser. To invalidate the OpenID cookie, you need to clear the cookies in
your browser.

All good now.

What browser are you using?

ff, chrome, safari

Thanks for your help,

Jeff