Hyrax - User Identification (Authentication): Difference between revisions

From OPeNDAP Documentation
⧼opendap2-jumptonavigation⧽
Line 23: Line 23:
There are many authentication methods available for use with our friend ''httpd''.  Each of them may have a unique installation and configuration activity. However in order for the results of the authentication (the ''uid'' string) to be correctly transmitted to Tomcat where are some common configuration steps there are a couple of things thtaIn the following subsections we will review how to configure  
There are many authentication methods available for use with our friend ''httpd''.  Each of them may have a unique installation and configuration activity. However in order for the results of the authentication (the ''uid'' string) to be correctly transmitted to Tomcat where are some common configuration steps there are a couple of things thtaIn the following subsections we will review how to configure  
=== Tomcat/Hyrax ===
=== Tomcat/Hyrax ===
In order for Tomcat/Hyrax to receive authentication information from ''httpd''


The AJP connector for the Tomcat instance in which Hyrax is running should be configured as follows:
The AJP connector for the Tomcat instance in which Hyrax is running should be configured as follows:
Line 57: Line 61:


; tomcatAuthentication
; tomcatAuthentication
: A value of '''false''' will allow the Tomcat engine to receive authentication information (the ''uid'' and in some cases other attributes) from Apache ''httpd''. A value of '''true''' will cause Tomcat to ignore Apache authentication results in favor of it's own.
: A value of '''false''' will allow the Tomcat engine to receive authentication information (the ''uid'' and in some cases other attributes) from Apache ''httpd''. A value of '''true''' will cause Tomcat to ignore Apache authentication results in favor of it's own.
 
 
 
 
 
 
 
 
This demands that the AJP connection be secure and that it can only be accessed from the loopback address - this excludes outside entities from port probing.


=== LDAP ===
=== LDAP ===

Revision as of 18:21, 31 October 2014


Overview

This document is intended to help those that have been asked to deploy Hyrax into an environment where authentication of users is required. In many such cases Hyrax will be integrated into an existing instance of the Apache Web server (httpd) where authentication services are already configured and in use. In other cases people will be setting up a standalone instance of Tomcat and will be needing to configure it to use one of the supported authentication services. This document means to address both situations.

Terms

Authentication
This is the process of confirming the identity of the user. The end result is a User ID (uid or UID) which may be accessed by the software components via (both?) the Apache API (mod_*) and the Java ServletAPI (Tomcat servlets) used to trigger authorization policy chains or may be logged along with relevant request information.
Identity Provider (IdP)
Also known as an Identity Assertion Provider an Identity Provider (IdP) is a service that provides authentication and identity information services. An IdP is a kind of provider that creates, maintains, and manages identity information for principals and provides principal authentication to other service providers within a federation, such as with web browser profiles.
Service Provider (SP)
A Service Provider (SP) is a Web Service that utilizes an IdP service to determine the identity of it's users. Or more broadly, a role donned by a system entity where the system entity provides services to principals or other system entities.

With respect to this document Hyrax/Tomcat, and Hyrax/Tomcat/Apache each become part of an SP through the installation and configuration of software components such as mod_shib (shibboleth) .

See Service Providers, Identity Providers & Security Token Services explained for more.

Apache

There are many authentication methods available for use with our friend httpd. Each of them may have a unique installation and configuration activity. However in order for the results of the authentication (the uid string) to be correctly transmitted to Tomcat where are some common configuration steps there are a couple of things thtaIn the following subsections we will review how to configure

Tomcat/Hyrax

In order for Tomcat/Hyrax to receive authentication information from httpd


The AJP connector for the Tomcat instance in which Hyrax is running should be configured as follows: 

    <Connector 
        port="8009" 
        protocol="AJP/1.3" 
        redirectPort="8443" 
        scheme="https"
        address="127.0.0.1" 
        enableLookups="false"  
        tomcatAuthentication="false" 
        />
port
The Connector will listen on port 8009.
protocol
The protocol is AJP/1.3.
redirectPort
Secure redirects on port 8443
scheme
Ensure that scheme is HTTPS
address
The loopback address (127.0.0.1) ensures that only local requests for the connection will be serviced.
enableLookups
A value of true enable DNS look ups so that the Servlet API call HttpServletRequest.getRemoteHost() returns a host name and not an IP address. Set this to false to improve performance.
tomcatAuthentication
A value of false will allow the Tomcat engine to receive authentication information (the uid and in some cases other attributes) from Apache httpd. A value of true will cause Tomcat to ignore Apache authentication results in favor of it's own.

LDAP

Shibboleth (mod_shib)

URS OAuth (mod_shib)

Tomcat

==

Retrieved from "https://docs.opendap.org/index.php?title=Hyrax_-_User_Identification_(Authentication)&oldid=10914"