Hyrax - User Identification (Authentication)

From OPeNDAP Documentation
Revision as of 18:06, 31 October 2014 by Ndp (talk | contribs) (→‎Apache)
⧼opendap2-jumptonavigation⧽


Overview

This document is intended to help those that have been asked to deploy Hyrax into an environment where authentication of users is required. In many such cases Hyrax will be integrated into an existing instance of the Apache Web server (httpd) where authentication services are already configured and in use. In other cases people will be setting up a standalone instance of Tomcat and will be needing to configure it to use one of the supported authentication services. This document means to address both situations.

Terms

Authentication
This is the process of confirming the identity of the user. The end result is a User ID (uid or UID) which may be accessed by the software components via (both?) the Apache API (mod_*) and the Java ServletAPI (Tomcat servlets) used to trigger authorization policy chains or may be logged along with relevant request information.
Identity Provider (IdP)
Also known as an Identity Assertion Provider an Identity Provider (IdP) is a service that provides authentication and identity information services. An IdP is a kind of provider that creates, maintains, and manages identity information for principals and provides principal authentication to other service providers within a federation, such as with web browser profiles.
Service Provider (SP)
A Service Provider (SP) is a Web Service that utilizes an IdP service to determine the identity of it's users. Or more broadly, a role donned by a system entity where the system entity provides services to principals or other system entities.

With respect to this document Hyrax/Tomcat, and Hyrax/Tomcat/Apache each become part of an SP through the installation and configuration of software components such as mod_shib (shibboleth) .

See Service Providers, Identity Providers & Security Token Services explained for more.

Apache

There are many authentication methods available for use with our friend httpd. Each of them may have a unique installation and configuration activity. However in order for the results of the authentication (the uid string) to be correctly transmitted to Tomcat where are some common configuration steps there are a couple of things thtaIn the following subsections we will review how to configure

Tomcat/Hyrax

The AJP connector for the Tomcat instance in which Hyrax is running should be configured as follows: 

    <Connector 
        port="8009" 
        protocol="AJP/1.3" 
        redirectPort="8443" 
        scheme="https"
        address="127.0.0.1" 
        enableLookups="false"  
        tomcatAuthentication="false" 
        />
port
The Connector will listen on port 8009.
protocol
The protocol is AJP/1.3.
redirectPort
Secure redirects on port 8443
scheme
Ensure that scheme is HTTPS
address
The loopback address (127.0.0.1) ensures that only local requests for the connection will be serviced.
enableLookups
um…
tomcatAuthentication
A value of false will allow the Tomcat engine to receive authentication information (the uid and in some cases other attributes) from Apache httpd. A value of true will cause Tomcat to ignore Apache authentication results in favor of it's own.





This demands that the AJP connection be secure and that it can only be accessed from the loopback address - this excludes outside entities from port probing.

LDAP

Shibboleth (mod_shib)

URS OAuth (mod_shib)

Tomcat

==

Retrieved from "https://docs.opendap.org/index.php?title=Hyrax_-_User_Identification_(Authentication)&oldid=10912"