Token-based permissions
[SINCE Orbeon Forms 2023.1]
This is an Orbeon Forms PE feature.
This feature allows you to specify that a user can access form data with readonly or read-write permissions, as long as they are given a link containing a permission token.
This feature is not enabled by default. To enable it for a given form, you must set form permissions that include at least one "Require token" permission ("Read" or "Update"), either from Form Builder or using global permission configuration properties.

Form Builder Permissions
Here is an example of a configuration property:

    <property as="xs:string" name="oxf.fr.permissions.acme.*">
        {
            "anyone": [ "create" ],
            "anyone-with-token": [ "read", "update" ],
            "roles": {
                "orbeon-admin": [ "read", "update", "delete", "list" ]
            }
        }
    </property>

In addition, a password must be configured for token encryption in your properties-local.xml. This is done with the oxf.fr.access-token.password property:

    <property
        as="xs:string"
        name="oxf.fr.access-token.password"
        value="CHANGE THIS PASSWORD"/>

Finally, you must also set a token validity duration. This is expressed in minutes with the oxf.fr.access-token.validity property:

    <property
        as="xs:integer"
        name="oxf.fr.access-token.validity.*.*"
        value="60"/>

For security reasons, by default the validity is set to 0 and tokens will be generated, but they will expire immediately, making them unusable.
You must change the default password or Form Runner will generate an error when attempting to use the password. You must also change it to a strong enough password if password strength checks are enabled, see oxf.crypto.check-password-strength.

Links use the oxf.fr.external-base-url property to specify the external base URL to use:

    <property
        as="xs:string"
        name="oxf.fr.external-base-url"
        value="https://orbeon.acme.org/forms"/>

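The settings above depend on each other, so a deployment check can read them together. The following is an added example, not part of Orbeon Forms or its documentation: it audits a properties-local.xml for the token-related properties named on this page. The sample file, the function names, the finding labels and the HTTPS check are assumptions of the example.

```python
import json
import xml.etree.ElementTree as ET

DEFAULT_PASSWORD = "CHANGE THIS PASSWORD"  # placeholder value shown on this page

# Constructed sample properties-local.xml (not from a real deployment).
SAMPLE = """<properties xmlns:xs="http://www.w3.org/2001/XMLSchema">
  <property as="xs:string" name="oxf.fr.permissions.acme.*">
    { "anyone": ["create"], "anyone-with-token": ["read", "update"] }
  </property>
  <property as="xs:string" name="oxf.fr.access-token.password"
            value="CHANGE THIS PASSWORD"/>
  <property as="xs:string" name="oxf.fr.external-base-url"
            value="http://orbeon.acme.org/forms"/>
</properties>"""


def load_properties(xml_text):
    """Map property name -> value, taken from @value or the element text."""
    props = {}
    for p in ET.fromstring(xml_text).iter("property"):
        value = p.get("value")
        props[p.get("name")] = value if value is not None else (p.text or "").strip()
    return props


def audit(xml_text):
    """Return findings for token-based permissions; [] if unused or correctly set."""
    props = load_properties(xml_text)
    uses_tokens = any(
        name.startswith("oxf.fr.permissions.") and "anyone-with-token" in json.loads(value)
        for name, value in props.items())
    if not uses_tokens:
        return []
    findings = []
    if props.get("oxf.fr.access-token.password", DEFAULT_PASSWORD) == DEFAULT_PASSWORD:
        findings.append("password-unset-or-default")
    validity = [int(v) for n, v in props.items()
                if n.startswith("oxf.fr.access-token.validity.")]
    # No validity property means the default of 0: tokens expire immediately.
    if not validity or any(v <= 0 for v in validity):
        findings.append("validity-zero")
    # Assumption of this example: token links should never travel over plain HTTP.
    if not props.get("oxf.fr.external-base-url", "").startswith("https://"):
        findings.append("base-url-not-https")
    return findings
```

Calling audit(SAMPLE) reports all three findings for the constructed file; the check does not model how Form Runner resolves wildcard app and form names, so it treats any validity property as applying globally.
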
You generate a link containing a token in one of two ways, described below.
When using a template (for an Explanation control, label, email, or other), you can choose the "Generate token URL parameter" for "View page" or "Edit page" links.

Linking to a page with a token
When enabled with the oxf.fr.navbar.share-button.enable property, you can use the "Share" icon in the Form Runner navbar. This opens a dialog allowing you to configure and share a link with a token.

    <property
        as="xs:boolean"
        name="oxf.fr.navbar.share-button.enable.*.*"
        value="true"/>

Share icon and dialog
The dialog allows the user to decide whether to share a readonly link or a read-write link (the latter only if the user has the "Update" permission themselves). The link can simply be copied with the "Copy link" icon button.
If you believe that tokens have been compromised, or if you simply want to make sure there are no outstanding tokens, you can immediately expire all tokens by changing the oxf.fr.access-token.password property. This will cause all incoming tokens to be considered invalid.