# HG changeset patch # User robcast # Date 1473335780 -7200 # Node ID b330eafffed6673882fdd4a14df2d8bf52f3b8fd # Parent 08d64f3d1f7650ad2d82003a113fb63de64ac0da# Parent 3a11aadd443c90444245e59e989e5793729f32a7 Merge with 3a11aadd443c90444245e59e989e5793729f32a7 diff -r 3a11aadd443c -r b330eafffed6 doc/src/site/markdown/auth.md --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/doc/src/site/markdown/auth.md Thu Sep 08 13:56:20 2016 +0200 @@ -0,0 +1,62 @@ +# digilib image permissions + +If all your images are free and available to everybody or if your server is not +reachable from the internet then congratulations, you can run digilib without +authorization. You can leave the [digilib-config](digilib-config.html) setting + + use-authorization=false + +and ignore the rest of this chapter. + +But if you have some images that are freely available and others +that should be only visible to some users then you need to configure digilib's +authentication and authorization mechanism and set + + use-authorization=true + +## Authentication and authorization + +digilib has different mechanisms for the tasks of *authentication* - establishing +the identity of the user requesting the image (more accurately the roles associated to +this identity) - and *authorization* - establishing the rules for accessing specific +images (the roles required to access the image). + +The authe**n**tication mechanism is implemented by the digilib.auth.Auth**n**Ops interface +implemented through the class configured in the `digilib-config` parameter +`authnops-class` while the auhtori**z**ation mechanism is implemented by the +digilib.auth.Auth**z**Ops interface implemented through the class configured in +`authzops-class`. + +All authentication and authorization classes are configured through different elements +in the common config file + + digilib-auth.xml + +in the `WEB-INF` directory. + +### Authentication: IpAuthnOps + +`digilib.auth.IpAuthnOps` assigns roles based on the IP address of the user requesting the +image. This works well for situations where all users of the local network are allowed to +access resources. The class reads the tag `digilib-adresses` from `digilib-auth.xml`: + + +
+
+
+ + +A computer with an ip address that matches "ip" is automatically granted all roles under "role". +The ip address is matched from the left (in full quads). Roles under "role" must be separated by comma only (no spaces). + +Caution: If you run your Servlet Container (Tomcat) behind Apache or another reverse proxy +then Tomcat only sees the IP-Address of the Apache server for all connections. You need to +configure Tomcat to honor the `X-Forwarded-For` and `X-Forwarded-Proto` headers. + +### Authentication: IpServletAuthnOps + +`digilib.auth.IpServletAuthnOps` assigns roles based on the IP Address of the user requesting +the image (see `IpAuthnOps` above) and uses the `ServletRequest.isUserInRole()` function of +the Servlet Container if the roles provided by the IP address are not sufficient. + + diff -r 3a11aadd443c -r b330eafffed6 webapp/src/main/webapp/jquery/digilib-ann.html --- a/webapp/src/main/webapp/jquery/digilib-ann.html Tue Sep 06 19:11:38 2016 +0200 +++ b/webapp/src/main/webapp/jquery/digilib-ann.html Thu Sep 08 13:56:20 2016 +0200 @@ -40,13 +40,13 @@ // URL of annotation server 'annotationServerUrl' : '//localhost:18080/AnnotationManagerN4J/annotator', // are annotations read-only? - 'annotationsReadOnly' : false, + 'annotationsReadOnly' : true, // URL of authentication token server - 'annotationTokenUrl' : 'http://localhost:8080/test/annotator/token/getLoginToken', + //'annotationTokenUrl' : 'http://localhost:8080/test/annotator/token/getLoginToken', // list of Annotator plugins - 'annotatorPlugins' : ['Auth', 'GroupPermissions', 'Markdown', 'DigilibIntegrator', 'Store'] + //'annotatorPlugins' : ['Auth', 'GroupPermissions', 'Markdown', 'DigilibIntegrator', 'Store'] //'annotatorPlugins' : ['Auth', 'Permissions', 'Markdown', 'DigilibIntegrator', 'Store'] - //'annotatorPlugins' : ['Store', 'Markdown', 'DigilibIntegrator'] + 'annotatorPlugins' : ['Store', 'Markdown', 'DigilibIntegrator'] }; var $div = $('div#digilib'); $div.digilib(opts); diff -r 3a11aadd443c -r b330eafffed6 webapp/src/main/webapp/jquery/digilib-auth.html --- a/webapp/src/main/webapp/jquery/digilib-auth.html Tue Sep 06 19:11:38 2016 +0200 +++ b/webapp/src/main/webapp/jquery/digilib-auth.html Thu Sep 08 13:56:20 2016 +0200 @@ -31,7 +31,7 @@