# HG changeset patch
# User robcast
# Date 1473335780 -7200
# Node ID b330eafffed6673882fdd4a14df2d8bf52f3b8fd
# Parent  08d64f3d1f7650ad2d82003a113fb63de64ac0da# Parent  3a11aadd443c90444245e59e989e5793729f32a7
Merge with 3a11aadd443c90444245e59e989e5793729f32a7

diff -r 3a11aadd443c -r b330eafffed6 doc/src/site/markdown/auth.md
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/doc/src/site/markdown/auth.md	Thu Sep 08 13:56:20 2016 +0200
@@ -0,0 +1,62 @@
+# digilib image permissions
+
+If all your images are free and available to everybody or if your server is not
+reachable from the internet then congratulations, you can run digilib without 
+authorization. You can leave the [digilib-config](digilib-config.html) setting 
+
+	use-authorization=false
+
+and ignore the rest of this chapter.
+
+But if you have some images that are freely available and others 
+that should be only visible to some users then you need to configure digilib's
+authentication and authorization mechanism and set
+
+	use-authorization=true
+  
+## Authentication and authorization
+
+digilib has different mechanisms for the tasks of *authentication* - establishing
+the identity of the user requesting the image (more accurately the roles associated to
+this identity) - and *authorization* - establishing the rules for accessing specific
+images (the roles required to access the image).
+
+The authe**n**tication mechanism is implemented by the digilib.auth.Auth**n**Ops interface
+implemented through the class configured in the `digilib-config` parameter
+`authnops-class` while the auhtori**z**ation mechanism is implemented by the
+digilib.auth.Auth**z**Ops interface implemented through the class configured in
+`authzops-class`.
+
+All authentication and authorization classes are configured through different elements
+in the common config file
+
+	digilib-auth.xml
+	
+in the `WEB-INF` directory.
+
+### Authentication: IpAuthnOps
+
+`digilib.auth.IpAuthnOps` assigns roles based on the IP address of the user requesting the
+image. This works well for situations where all users of the local network are allowed to
+access resources. The class reads the tag `digilib-adresses` from `digilib-auth.xml`:
+
+	<digilib-addresses>
+ 	  <address ip="130.92.68" role="eastwood-coll,ptolemaios-geo" />
+	  <address ip="130.92.151" role="wtwg" />
+	  <address ip="0:0:0:0:0:0:0:1" role="local" />
+	</digilib-addresses>
+
+A computer with an ip address that matches "ip" is automatically granted all roles under "role".
+The ip address is matched from the left (in full quads). Roles under "role" must be separated by comma only (no spaces). 
+
+Caution: If you run your Servlet Container (Tomcat) behind Apache or another reverse proxy
+then Tomcat only sees the IP-Address of the Apache server for all connections. You need to
+configure Tomcat to honor the `X-Forwarded-For` and `X-Forwarded-Proto` headers.
+
+### Authentication: IpServletAuthnOps
+
+`digilib.auth.IpServletAuthnOps` assigns roles based on the IP Address of the user requesting
+the image (see `IpAuthnOps` above) and uses the `ServletRequest.isUserInRole()` function of 
+the Servlet Container if the roles provided by the IP address are not sufficient.
+
+
diff -r 3a11aadd443c -r b330eafffed6 webapp/src/main/webapp/jquery/digilib-ann.html
--- a/webapp/src/main/webapp/jquery/digilib-ann.html	Tue Sep 06 19:11:38 2016 +0200
+++ b/webapp/src/main/webapp/jquery/digilib-ann.html	Thu Sep 08 13:56:20 2016 +0200
@@ -40,13 +40,13 @@
                     // URL of annotation server
                     'annotationServerUrl' : '//localhost:18080/AnnotationManagerN4J/annotator',
                     // are annotations read-only?
-                    'annotationsReadOnly' : false,
+                    'annotationsReadOnly' : true,
                     // URL of authentication token server
-                    'annotationTokenUrl' : 'http://localhost:8080/test/annotator/token/getLoginToken',
+                    //'annotationTokenUrl' : 'http://localhost:8080/test/annotator/token/getLoginToken',
                     // list of Annotator plugins
-                    'annotatorPlugins' : ['Auth', 'GroupPermissions', 'Markdown', 'DigilibIntegrator', 'Store']
+                    //'annotatorPlugins' : ['Auth', 'GroupPermissions', 'Markdown', 'DigilibIntegrator', 'Store']
                 	//'annotatorPlugins' : ['Auth', 'Permissions', 'Markdown', 'DigilibIntegrator', 'Store']
-                    //'annotatorPlugins' : ['Store', 'Markdown', 'DigilibIntegrator']
+                    'annotatorPlugins' : ['Store', 'Markdown', 'DigilibIntegrator']
                 };
                 var $div = $('div#digilib');
                 $div.digilib(opts);
diff -r 3a11aadd443c -r b330eafffed6 webapp/src/main/webapp/jquery/digilib-auth.html
--- a/webapp/src/main/webapp/jquery/digilib-auth.html	Tue Sep 06 19:11:38 2016 +0200
+++ b/webapp/src/main/webapp/jquery/digilib-auth.html	Thu Sep 08 13:56:20 2016 +0200
@@ -31,7 +31,7 @@
         <script type="text/javascript">
             $(document).ready(function(){
                 var opts = {
-                    authServerUrl : 'http://localhost:18080/ldap-openid-connect-server/authorize',
+                    authServerUrl : 'http://localhost:18080/openid-connect-server-webapp/authorize',
                     authClientId : 'client',
                     authOnErrorMode : true
                 };
@@ -45,7 +45,7 @@
     <body>
         <div id="digilib">
             <p>digilib doesn't work! Please switch on Javascript or notify the server administrator!</p>
-            <img src="http://digilib.sourceforge.net/images/digilib-logo-big.png" />
+            <!-- <img src="http://digilib.sourceforge.net/images/digilib-logo-big.png" /> -->
         </div>
     </body>
 </html>
diff -r 3a11aadd443c -r b330eafffed6 webapp/src/main/webapp/jquery/jquery.digilib.annotator.js
--- a/webapp/src/main/webapp/jquery/jquery.digilib.annotator.js	Tue Sep 06 19:11:38 2016 +0200
+++ b/webapp/src/main/webapp/jquery/jquery.digilib.annotator.js	Thu Sep 08 13:56:20 2016 +0200
@@ -351,7 +351,7 @@
         var shapes = [];
         if (data.dlOpts.isAnnotationsVisible) {
             for (var i = 0; i < annotations.length; ++i) {
-                shapes.push(createShape(data, annotations[i]));
+                shapes = shapes.concat(createShape(data, annotations[i]));
             }
         }
         annotationLayer.shapes = shapes;
@@ -365,7 +365,7 @@
      * Create a vector shape for an annotation.
      * 
      * @param annot annotation wrapper object
-     * @returns vector shape object
+     * @returns array of vector shape objects
      */
     var createShape = function (data, annot) {
         if (annot == null || annot.annotation == null)
@@ -387,6 +387,7 @@
         var area = null;
         var type = null;
         var shape = null;
+        var shapes = [];
         if (annotation.areas != null && annotation.shapes == null) {
             console.warn("Annotation uses legacy 'areas' format! Converting...");
             /*
@@ -405,9 +406,14 @@
             delete annotation.areas;
             annotation.shapes = [annoShape];
         }
-        if (annotation.shapes != null) {
+        if (annotation.shapes == null) return;
+        for (var i = 0; i < annotation.shapes.length; ++i) {
+            if (i > 0) {
+                // make shape id unique
+                id = id + "." + i;
+            }
             // annotation shape
-            annoShape = annotation.shapes[0];
+            annoShape = annotation.shapes[i];
             type = annoShape.type;
             if (type === "point") {
                 area = geom.position(annoShape.geometry);
@@ -476,11 +482,9 @@
                 console.error("Unsupported annotation shape type: "+type);
                 return;
             }
-        } else {
-            console.error("Unable to create a shape for this annotation!");
-            return;
+            shapes.push(shape);
         }
-        return shape;
+        return shapes;
     };
     
     /**