xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns="http://java.sun.com/xml/ns/j2ee">
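<display-name>Optional authorizer for Orbeon Forms</display-name>
<!-- The pointer to the documentation is wrapped in a description element: bare text
     directly under web-app is not allowed by the web-app 2.4 schema. -->
<description>
    See "Authorization of pages and services" in the Orbeon Forms doc:
    https://doc.orbeon.com/xml-platform/controller/authorization-of-pages-and-services.html
</description>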
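<!-- Declares the authorizer servlet. servlet-name and servlet-class must be children
     of a servlet element; the name is the one the servlet mapping refers to. -->
<servlet>
    <servlet-name>orbeon-authorizer-servlet</servlet-name>
    <servlet-class>org.orbeon.oxf.controller.AuthorizerServlet</servlet-class>
</servlet>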
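<!-- The authorizer servlet handles any request: "/*" maps every path of this web
     application to it. The mapping itself filters nothing; which requests are let
     through is decided by the container's security constraints in this descriptor. -->
<servlet-mapping>
    <servlet-name>orbeon-authorizer-servlet</servlet-name>
    <url-pattern>/*</url-pattern>
</servlet-mapping>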
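<!-- Example: require that all external requests to Form Runner services are
     authenticated with BASIC authentication and have the orbeon-service role.
     Block any other request.

     The collection lists no http-method, so the constraint covers every HTTP
     method on /fr/service/*. The role check only takes effect when role-name sits
     inside an auth-constraint, as below.

     BASIC authentication sends the credentials with each request in a reversible
     encoding. If these requests can cross an untrusted network, serve them over
     TLS; a user-data-constraint with a transport-guarantee of CONFIDENTIAL makes
     the container enforce that. -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Form Runner services</web-resource-name>
        <url-pattern>/fr/service/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>orbeon-service</role-name>
    </auth-constraint>
</security-constraint>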
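<!-- Catch-all: every URL that has no more specific constraint of its own. -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Everything else</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <!-- Make sure there is an empty auth-constraint to require authentication.
         But since there are no constraints specified, authentication will always
         fail: an auth-constraint that names no role denies every request that
         matches it. Do not remove the element. A security-constraint with no
         auth-constraint at all leaves the matched URLs open to unauthenticated
         callers, which is the opposite of what this entry is for. -->
    <auth-constraint/>
</security-constraint>

<!-- Authentication scheme the container applies to constrained URLs. BASIC does not
     protect the password in transit, so it relies on TLS for confidentiality. -->
<login-config>
    <auth-method>BASIC</auth-method>
</login-config>

<!-- Declares the role required for the Form Runner services. The name has to match
     a role that the container's user realm actually assigns. -->
<security-role>
    <role-name>orbeon-service</role-name>
</security-role>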