|
1528
|
1 # digilib image permissions
|
|
|
2
|
|
|
3 If all your images are free and available to everybody or if your server is not
|
|
|
4 reachable from the internet then congratulations, you can run digilib without
|
|
|
5 authorization. You can leave the [digilib-config](digilib-config.html) setting
|
|
|
6
|
|
|
7 use-authorization=false
|
|
|
8
|
|
|
9 and ignore the rest of this chapter.
|
|
|
10
|
|
|
11 But if you have some images that are freely available and others
|
|
|
12 that should be only visible to some users then you need to configure digilib's
|
|
|
13 authentication and authorization mechanism and set
|
|
|
14
|
|
|
15 use-authorization=true
|
|
|
16
|
|
|
17 ## Authentication and authorization
|
|
|
18
|
|
|
19 digilib has different mechanisms for the tasks of *authentication* - establishing
|
|
|
20 the identity of the user requesting the image (more accurately the roles associated to
|
|
|
21 this identity) - and *authorization* - establishing the rules for accessing specific
|
|
|
22 images (the roles required to access the image).
|
|
|
23
|
|
|
24 The authe**n**tication mechanism is implemented by the digilib.auth.Auth**n**Ops interface
|
|
|
25 implemented through the class configured in the `digilib-config` parameter
|
|
|
26 `authnops-class` while the auhtori**z**ation mechanism is implemented by the
|
|
|
27 digilib.auth.Auth**z**Ops interface implemented through the class configured in
|
|
|
28 `authzops-class`.
|
|
|
29
|
|
|
30 All authentication and authorization classes are configured through different elements
|
|
|
31 in the common config file
|
|
|
32
|
|
|
33 digilib-auth.xml
|
|
|
34
|
|
|
35 in the `WEB-INF` directory.
|
|
|
36
|
|
|
37 ### Authentication: IpAuthnOps
|
|
|
38
|
|
|
39 `digilib.auth.IpAuthnOps` assigns roles based on the IP address of the user requesting the
|
|
|
40 image. This works well for situations where all users of the local network are allowed to
|
|
|
41 access resources. The class reads the tag `digilib-adresses` from `digilib-auth.xml`:
|
|
|
42
|
|
|
43 <digilib-addresses>
|
|
|
44 <address ip="130.92.68" role="eastwood-coll,ptolemaios-geo" />
|
|
|
45 <address ip="130.92.151" role="wtwg" />
|
|
|
46 <address ip="0:0:0:0:0:0:0:1" role="local" />
|
|
|
47 </digilib-addresses>
|
|
|
48
|
|
|
49 A computer with an ip address that matches "ip" is automatically granted all roles under "role".
|
|
|
50 The ip address is matched from the left (in full quads). Roles under "role" must be separated by comma only (no spaces).
|
|
|
51
|
|
|
52 Caution: If you run your Servlet Container (Tomcat) behind Apache or another reverse proxy
|
|
|
53 then Tomcat only sees the IP-Address of the Apache server for all connections. You need to
|
|
|
54 configure Tomcat to honor the `X-Forwarded-For` and `X-Forwarded-Proto` headers.
|
|
|
55
|
|
|
56 ### Authentication: IpServletAuthnOps
|
|
|
57
|
|
|
58 `digilib.auth.IpServletAuthnOps` assigns roles based on the IP Address of the user requesting
|
|
|
59 the image (see `IpAuthnOps` above) and uses the `ServletRequest.isUserInRole()` function of
|
|
|
60 the Servlet Container if the roles provided by the IP address are not sufficient.
|
|
|
61
|
|
|
62
|
