Hyrax - User Identification (Authentication): Difference between revisions
Revision as of 18:21, 31 October 2014
Overview
This document is intended to help those who have been asked to deploy Hyrax into an environment where authentication of users is required. In many such cases Hyrax will be integrated into an existing instance of the Apache Web server (httpd) where authentication services are already configured and in use. In other cases people will be setting up a standalone instance of Tomcat and will need to configure it to use one of the supported authentication services. This document addresses both situations.
Terms
- Authentication
- This is the process of confirming the identity of the user. The end result is a User ID (uid or UID) which may be accessed by the software components via (both?) the Apache API (mod_*) and the Java Servlet API (Tomcat servlets), and which is used to trigger authorization policy chains or may be logged along with relevant request information.
- Identity Provider (IdP)
- Also known as an Identity Assertion Provider, an Identity Provider (IdP) is a service that provides authentication and identity information services. An IdP is a kind of provider that creates, maintains, and manages identity information for principals and provides principal authentication to other service providers within a federation, such as with web browser profiles.
- Service Provider (SP)
- A Service Provider (SP) is a Web Service that utilizes an IdP service to determine the identity of its users. Or, more broadly, a role donned by a system entity where the system entity provides services to principals or other system entities.
With respect to this document, Hyrax/Tomcat and Hyrax/Tomcat/Apache each become part of an SP through the installation and configuration of software components such as mod_shib (Shibboleth).
See Service Providers, Identity Providers & Security Token Services explained for more.
Apache
There are many authentication methods available for use with our friend httpd. Each of them may have a unique installation and configuration activity. However, in order for the results of the authentication (the uid string) to be correctly transmitted to Tomcat, there are some common configuration steps. In the following subsections we will review how to configure
Tomcat/Hyrax
In order for Tomcat/Hyrax to receive authentication information from httpd
The AJP connector for the Tomcat instance in which Hyrax is running should be configured as follows:
<Connector
port="8009"
protocol="AJP/1.3"
redirectPort="8443"
scheme="https"
address="127.0.0.1"
enableLookups="false"
tomcatAuthentication="false"
/>
- port
- The Connector will listen on port 8009.
- protocol
- The protocol is AJP/1.3.
- redirectPort
- Secure redirects go to port 8443.
- scheme
- Ensure that the scheme is HTTPS.
- address
- The loopback address (127.0.0.1) ensures that only local requests for the connection will be serviced.
- enableLookups
- A value of true enables DNS lookups so that the Servlet API call HttpServletRequest.getRemoteHost() returns a host name and not an IP address. Set this to false to improve performance.
- tomcatAuthentication
- A value of false will allow the Tomcat engine to receive authentication information (the uid and in some cases other attributes) from Apache httpd. A value of true will cause Tomcat to ignore Apache authentication results in favor of its own.
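Because tomcatAuthentication="false" makes Tomcat accept whatever uid the AJP peer sends, the address="127.0.0.1" setting is what keeps that trust limited to the local httpd. The following script is an added example, not part of the Hyrax documentation or the Hyrax project: it parses a Tomcat server.xml and reports any AJP connector that trusts httpd for authentication while listening beyond the loopback address, along with the other settings recommended above. The server.xml content, the function name audit_connectors and the LOOPBACK set are constructed for this illustration.

```python
"""Audit a Tomcat server.xml for AJP connectors that trust httpd identity.

Added example (not Hyrax project code). Constructed sample input below:
the 8009 connector matches the recommended settings; the 8010 connector
trusts AJP identity but has no address binding, so it listens on all
interfaces and any AJP client could assert an arbitrary uid.
"""
import xml.etree.ElementTree as ET

SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
               scheme="https" address="127.0.0.1" enableLookups="false"
               tomcatAuthentication="false"/>
    <Connector port="8010" protocol="AJP/1.3" redirectPort="8443"
               tomcatAuthentication="false"/>
  </Service>
</Server>
"""

# Addresses that restrict the connector to the local machine (assumption:
# the trusted httpd runs on the same host as Tomcat, as in this document).
LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def audit_connectors(server_xml: str):
    """Return [(port, [finding, ...]), ...] for every AJP connector found.

    An empty finding list means the connector matches the recommended
    configuration for receiving the uid from Apache httpd.
    """
    root = ET.fromstring(server_xml)
    results = []
    for conn in root.iter("Connector"):
        # Tomcat accepts "AJP/1.3" as well as fully qualified class names
        # such as org.apache.coyote.ajp.AjpNioProtocol.
        proto = conn.get("protocol", "HTTP/1.1")
        if "ajp" not in proto.lower():
            continue
        findings = []
        # Tomcat's default for tomcatAuthentication is "true".
        trusts_httpd = conn.get("tomcatAuthentication", "true").lower() == "false"
        address = conn.get("address")  # None means listen on every interface
        if trusts_httpd and address not in LOOPBACK:
            findings.append(
                "tomcatAuthentication=false but connector is reachable beyond "
                f"loopback (address={address!r}); any AJP peer could assert a uid"
            )
        if conn.get("scheme", "http").lower() != "https":
            findings.append("scheme is not https")
        if conn.get("enableLookups", "false").lower() == "true":
            findings.append("enableLookups=true performs a DNS lookup per request")
        results.append((int(conn.get("port")), findings))
    return results


if __name__ == "__main__":
    for port, findings in audit_connectors(SAMPLE_SERVER_XML):
        status = "ok" if not findings else "; ".join(findings)
        print(f"AJP connector on port {port}: {status}")
```

Run against a real deployment by replacing SAMPLE_SERVER_XML with the contents of Tomcat's conf/server.xml; the loopback check is the one that matters most, since the other two settings affect behaviour and performance rather than who is allowed to assert a uid.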
LDAP
Shibboleth (mod_shib)
URS OAuth (mod_shib)
Tomcat