view doc/src/site/markdown/auth.md @ 1528:08d64f3d1f76

beginning of auth documentation.
author robcast
date Thu, 08 Sep 2016 13:53:42 +0200
parents
children 70e1225fe08c
line wrap: on
line source

# digilib image permissions

If all your images are free and available to everybody or if your server is not
reachable from the internet then congratulations, you can run digilib without 
authorization. You can leave the [digilib-config](digilib-config.html) setting 

	use-authorization=false

and ignore the rest of this chapter.

But if you have some images that are freely available and others 
that should be only visible to some users then you need to configure digilib's
authentication and authorization mechanism and set

	use-authorization=true
  
## Authentication and authorization

digilib has different mechanisms for the tasks of *authentication* - establishing
the identity of the user requesting the image (more accurately the roles associated to
this identity) - and *authorization* - establishing the rules for accessing specific
images (the roles required to access the image).

The authe**n**tication mechanism is implemented by the digilib.auth.Auth**n**Ops interface
implemented through the class configured in the `digilib-config` parameter
`authnops-class` while the auhtori**z**ation mechanism is implemented by the
digilib.auth.Auth**z**Ops interface implemented through the class configured in
`authzops-class`.

All authentication and authorization classes are configured through different elements
in the common config file

	digilib-auth.xml
	
in the `WEB-INF` directory.

### Authentication: IpAuthnOps

`digilib.auth.IpAuthnOps` assigns roles based on the IP address of the user requesting the
image. This works well for situations where all users of the local network are allowed to
access resources. The class reads the tag `digilib-adresses` from `digilib-auth.xml`:

	<digilib-addresses>
 	  <address ip="130.92.68" role="eastwood-coll,ptolemaios-geo" />
	  <address ip="130.92.151" role="wtwg" />
	  <address ip="0:0:0:0:0:0:0:1" role="local" />
	</digilib-addresses>

A computer with an ip address that matches "ip" is automatically granted all roles under "role".
The ip address is matched from the left (in full quads). Roles under "role" must be separated by comma only (no spaces). 

Caution: If you run your Servlet Container (Tomcat) behind Apache or another reverse proxy
then Tomcat only sees the IP-Address of the Apache server for all connections. You need to
configure Tomcat to honor the `X-Forwarded-For` and `X-Forwarded-Proto` headers.

### Authentication: IpServletAuthnOps

`digilib.auth.IpServletAuthnOps` assigns roles based on the IP Address of the user requesting
the image (see `IpAuthnOps` above) and uses the `ServletRequest.isUserInRole()` function of 
the Servlet Container if the roles provided by the IP address are not sufficient.