Mercurial > hg > digilib
view auth.html @ 1659:fe8300fdcd9d
Creating site for 2.5-SNAPSHOT
| author | Robert Casties <casties@mpiwg-berlin.mpg.de> |
|---|---|
| date | Mon, 20 Nov 2017 20:24:00 +0000 |
| parents | 636e7342b1b6 |
| children | 1beeb9319d78 |
line wrap: on
line source
<!DOCTYPE html> <!-- | Generated by Apache Maven Doxia at 2017-11-20 | Rendered using Apache Maven Fluido Skin 1.3.0 --> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta charset="UTF-8" /> <meta name="viewport" content="width=device-width, initial-scale=1.0" /> <meta name="Date-Revision-yyyymmdd" content="20171120" /> <meta http-equiv="Content-Language" content="en" /> <title>digilib - The Digital Image Library – Access control</title> <link rel="stylesheet" href="./css/apache-maven-fluido-1.3.0.min.css" /> <link rel="stylesheet" href="./css/site.css" /> <link rel="stylesheet" href="./css/print.css" media="print" /> <script type="text/javascript" src="./js/apache-maven-fluido-1.3.0.min.js"></script> </head> <body class="topBarDisabled"> <div class="container-fluid"> <div id="banner"> <div class="pull-left"> <a href="https://robcast.github.io/digilib/" id="bannerLeft"> <h2>digilib - a versatile image viewing environment for the internet</h2> </a> </div> <div class="pull-right"> <a href="https://robcast.github.io/digilib/" id="bannerRight"> <img src="images/digilib-logo-small.png" /> </a> </div> <div class="clear"><hr/></div> </div> <div id="breadcrumbs"> <ul class="breadcrumb"> <li id="publishDate">Last Published: 2017-11-20</li> <li class="divider">|</li> <li id="projectVersion">Version: 2.5-SNAPSHOT</li> </ul> </div> <div class="row-fluid"> <div id="leftColumn" class="span3"> <div class="well sidebar-nav"> <ul class="nav nav-list"> <li class="nav-header">Overview</li> <li> <a href="index.html" title="About digilib"> <i class="none"></i> About digilib</a> </li> <li> <a href="features.html" title="digilib features"> <i class="none"></i> digilib features</a> </li> <li> <a href="digilib-short.html" title="How digilib works"> <i class="none"></i> How digilib works</a> </li> <li> <a href="history.html" title="Ancient history"> <i class="none"></i> Ancient history</a> </li> <li class="nav-header">Installation</li> <li> <a href="build-maven.html" title="Building digilib"> <i class="none"></i> Building digilib</a> </li> <li> <a href="install-digilib.html" title="Installing digilib"> <i class="none"></i> Installing digilib</a> </li> <li> <a href="server-setups.html" title="Server setups"> <i class="none"></i> Server setups</a> </li> <li class="nav-header">Configuration</li> <li> <a href="digilib-config.html" title="Configuring digilib"> <i class="none"></i> Configuring digilib</a> </li> <li> <a href="image-directories.html" title="Directory layout"> <i class="none"></i> Directory layout</a> </li> <li> <a href="java-settings.html" title="Java settings and tuning"> <i class="none"></i> Java settings and tuning</a> </li> <li class="active"> <a href="#"><i class="none"></i>Access control</a> </li> <li class="nav-header">Development</li> <li> <a href="scaler-api.html" title="The digilib Scaler API"> <i class="none"></i> The digilib Scaler API</a> </li> <li> <a href="iiif-api.html" title="The digilib IIIF API"> <i class="none"></i> The digilib IIIF API</a> </li> <li> <a href="client-integration.html" title="Integrating digilib into your page"> <i class="none"></i> Integrating digilib into your page</a> </li> <li> <a href="plugins.html" title="Digilib plugins"> <i class="none"></i> Digilib plugins</a> </li> <li class="nav-header">Project Documentation</li> <li> <a href="project-info.html" title="Project Information"> <i class="icon-chevron-right"></i> Project Information</a> </li> </ul> <hr class="divider" /> <div id="poweredBy"> <div class="clear"></div> <div class="clear"></div> <div class="clear"></div> <a href="http://maven.apache.org/" title="Built by Maven" class="builtBy"> <img class="builtBy" alt="Built by Maven" src="https://maven.apache.org/images/logos/maven-feather.png" /> </a> <a href="../../" title="Hosted by GitHub" class="builtBy"> <img class="builtBy" alt="Hosted by GitHub" src="https://assets-cdn.github.com/images/modules/logos_page/GitHub-Logo.png" width="200px" /> </a> <a href="http://www.sourceforge.net/" title="Hosted by SourceForge" class="builtBy"> <img class="builtBy" alt="Hosted by SourceForge" src="https://upload.wikimedia.org/wikipedia/commons/0/0b/Sourceforge_logo.png" /> </a> </div> </div> </div> <div id="bodyColumn" class="span9" > <h1>Access control</h1> <p>If all your images are free and available to everybody or if your server is not reachable from the internet then congratulations, you can run digilib without authorization: Leave the <a href="digilib-config.html">digilib-config</a> setting </p> <div class="source"> <div class="source"> <pre>use-authorization=false </pre></div></div> <p>and ignore the rest of this chapter.</p> <p>But if you have some images that are freely available and others that should be only visible to some users then you need to set</p> <div class="source"> <div class="source"> <pre>use-authorization=true </pre></div></div> <p>and configure digilib’s authentication and authorization mechanism.</p> <div class="section"> <h2><a name="Authentication_and_authorization"></a>Authentication and authorization</h2> <p>digilib has different mechanisms for the tasks of <i>authentication</i> - establishing the identity of the user requesting the image (more accurately the roles associated to this identity) - and <i>authorization</i> - establishing the rules for accessing specific images (the roles required to access the image).</p> <p>The authe<b>n</b>tication mechanism is implemented by the digilib.auth.Auth<b>n</b>Ops interface implemented through the class configured in the <tt>digilib-config</tt> parameter <tt>authnops-class</tt> while the authori<b>z</b>ation mechanism is implemented by the digilib.auth.Auth<b>z</b>Ops interface implemented through the class configured in <tt>authzops-class</tt>.</p> <p>All authentication and authorization classes are configured through different elements in the XML config file</p> <div class="source"> <div class="source"> <pre>digilib-auth.xml </pre></div></div> <p>in the <tt>WEB-INF</tt> directory (the file name can be configured with the <tt>digilib-config</tt> parameter <tt>auth-file</tt>).</p> <p>In short: you need to set both <tt>authnops-class</tt> and <tt>authzops-class</tt> in <tt>digilib-config</tt> with two of the classes described below (or implement your own) and create a <tt>digilib-auth.xml</tt> file with the configuration for the chosen implementations.</p> <div class="section"> <h3><a name="Authentication:_IpAuthnOps"></a>Authentication: IpAuthnOps</h3> <p><tt>digilib.auth.IpAuthnOps</tt> assigns roles based on the IP address of the user requesting the image. This works well for situations where all users of the local network are allowed to access resources. The class reads the tag <tt>digilib-adresses</tt> from <tt>digilib-auth.xml</tt>:</p> <div class="source"> <div class="source"> <pre><digilib-addresses> <address ip="130.92.68" role="eastwood-coll,ptolemaios-geo" /> <address ip="130.92.151" role="wtwg" /> <address ip="0:0:0:0:0:0:0:1" role="local" /> </digilib-addresses> </pre></div></div> <p>A computer with an ip address that matches <tt>ip</tt> is automatically granted all roles under <tt>role</tt>. The ip address is matched from the left (in full quads). Roles under “role” must be separated by comma only (no spaces). </p> <p>Caution: If you run your Servlet Container (Tomcat) behind Apache or another reverse proxy then Tomcat only sees the IP address of the proxy server for all connections. You need to configure Tomcat to honor the <tt>X-Forwarded-For</tt> and <tt>X-Forwarded-Proto</tt> headers.</p></div> <div class="section"> <h3><a name="Authentication:_IpServletAuthnOps"></a>Authentication: IpServletAuthnOps</h3> <p><tt>digilib.auth.IpServletAuthnOps</tt> assigns roles based on the IP address of the user requesting the image (see <tt>IpAuthnOps</tt> above) and uses the <tt>ServletRequest.isUserInRole()</tt> function of the Servlet Container if the roles provided by the IP address are not sufficient.</p> <p>Using authentication information from the Servlet Container requires that the Servlet Container is configured for authentication. For information about this please refer to the documentation of your Servlet Container.</p> <p>For Tomcat 8 there is documentation at (<a class="externalLink" href="https://tomcat.apache.org/tomcat-8.0-doc/realm-howto.html)[https://tomcat.apache.org/tomcat-8.0-doc/realm-howto.html">https://tomcat.apache.org/tomcat-8.0-doc/realm-howto.html)[https://tomcat.apache.org/tomcat-8.0-doc/realm-howto.html</a>] Note that you need to configure a <tt><security-constraint></tt> in <tt>web.xml</tt> to force the server to ask for a password (there is an old example in <tt>web-additional.xml</tt>).</p></div> <div class="section"> <h3><a name="Authentication:_OpenIdAuthnOps"></a>Authentication: OpenIdAuthnOps</h3> <p><tt>digilib.auth.OpenIdAuthnOps</tt> assigns roles based on an <a class="externalLink" href="http://openid.net/">OpenId-Connect</a> token passed with the request. The token can be passed either in the URL parameter <tt>id_token</tt> or as a cookie with the name <tt>id_token</tt> (the name of the cookie can be configured with the <tt>digilib-config</tt> parameter <tt>authn-token-cookie</tt>).</p> <p>The class reads the tag <tt>digilib-oauth</tt> from <tt>digilib-auth.xml</tt>:</p> <div class="source"> <div class="source"> <pre><digilib-oauth> <openid issuer="https://id.some.where" clientid="myclient" roles="openid-users" keytype="jwk"> {"kty":"RSA","e":"AQAB","kid":"rsa1","alg":"RS256","n":"qt6yOiI_wCoCVlGO0MySsez...Lf9by7TGw"} </openid> </digilib-oauth> </pre></div></div> <p>The <tt>openid</tt> tag defines roles (in <tt>role</tt>, separated by comma only, no spaces) that will be granted to the user that provides a valid token from the given server. The server is identified by the url in <tt>issuer</tt>, the client id in <tt>clientid</tt> and the public key of the server in JWK format as content of the tag. There can be multiple <tt>openid</tt> tags.</p> <p>To set up a connection with an OpenId-Connect identity server you usually have to enter the URL of your digilib instance as a redirect URL and the client id that you chose and make sure that the server answers requests with <tt>response_type=id_token</tt>. The public key of the server in JWK format can often be requested from the server by adding <tt>/jwk</tt> to the URL.</p> <p>To automatically authenticate with OpenId in the digilib Javascript frontend you can use the digilib plugin <tt>jquery.digilib.oauth.js</tt> and configure it with the URL of the ID server as <tt>authServerUrl</tt> and the client id as <tt>authClientId</tt>. This will give you an extra login button that authenticates the user by redirecting her to the ID server. You can additionally set <tt>authOnErrorMode</tt> to true to automatically authenticate the user whenever the image from the digilib server doesn’t load which is usually caused by missing authentication (there is an example in <tt>jquery/digilib-auth.html</tt>).</p></div> <div class="section"> <h3><a name="Authentication:_IpOpenIdAuthnOps"></a>Authentication: IpOpenIdAuthnOps</h3> <p><tt>digilib.auth.IpOpenIdAuthnOps</tt> assigns roles based on the IP address of the user requesting the image (see <tt>IpAuthnOps</tt> above) and uses an OpenId-Connect token passed with the request (see <tt>OpenIdAuthnOps</tt> above) if the roles provided by the IP address are not sufficient.</p></div> <div class="section"> <h3><a name="Authorization:_PathAuthzOps"></a>Authorization: PathAuthzOps</h3> <p><tt>digilib.auth.PathAuthzOps</tt> requests roles based on the directory path of the requested image. All images in the given directory and all its subdirectories can be accessed only if the user can provide one of the requested roles.</p> <p>The class reads the tag <tt>digilib-paths</tt> from <tt>digilib-auth.xml</tt>:</p> <div class="source"> <div class="source"> <pre><digilib-paths> <path name="histast/eastwood-collection" role="eastwood-coll"/> <path name="documents/nonpublic" role="openid-user,eastwood-coll"/> </digilib-paths> </pre></div></div> <p>A user must supply one of the roles in <tt>role</tt> to access the directory in <tt>name</tt>. Roles in <tt>role</tt> must be separated by comma only (no spaces).</p></div> <div class="section"> <h3><a name="Authorization:_MetaAccessAuthzOps"></a>Authorization: MetaAccessAuthzOps</h3> <p><tt>digilib.auth.MetaAccessAuthzOps</tt> requests roles using “access” information in the file metadata.</p> <p>This requires a <tt>FileMeta</tt> implementation (configured in the <tt>filemeta-class</tt> parameter of <tt>digilib-config</tt>) that provides an <tt>access</tt> key in the metadata returned by <tt>DocuDirent.getMeta().getFileMeta()</tt> like <tt>digilib.meta.IndexMetaFileMeta</tt>.</p> <p>The class reads the tag <tt>digilib-access</tt> from <tt>digilib-auth.xml</tt>: </p> <div class="source"> <div class="source"> <pre><digilib-access> <access type="group:mpiwg" role="mpiwg-user"/> <access type="default" role=""/> </digilib-access> </pre></div></div> <p>A user must supply one of the roles in <tt>role</tt> to access any object with a metadata access value matching <tt>type</tt>. Roles in <tt>role</tt> must be separated by comma only (no spaces).</p> <p>The access type <tt>default</tt> is special, it applies to all objects without metadata access information.</p> <p><tt>digilib.meta.IndexMetaFileMeta</tt> reads XML files conforming to the <a class="externalLink" href="http://intern.mpiwg-berlin.mpg.de/digitalhumanities/mpiwg-metadata-documentation/formate/indexmeta-standard">“index.meta” specification</a> and extracts image information from the <tt>meta/img</tt> tag and access information from the <tt>meta/access-conditions</tt> tag (see also class <tt>digilib.meta.IndexMetaAuthLoader</tt>).</p></div></div> </div> </div> </div> <hr/> <footer> <div class="container-fluid"> <div class="row span12">Copyright © 2001-2017 <a href="https://robcast.github.io/digilib/">digilib Community</a>. All Rights Reserved. </div> </div> </footer> </body> </html>