Hyrax - Hyrax + Shibboleth: Difference between revisions

From OPeNDAP Documentation
(Created page with " == Overview == This document is intended to help those that have been asked to deploy Hyrax into an environment where authentication services are provided by an instance of...")
 
Line 10: Line 10:

[https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPJavaInstall Follow the instructions for a Native Java Install] and remember - Hyrax does not use either Spring or Grails.
The Shibboleth instructions should have had you add something like this:
<source lang="apache">
<Location /opendap>
  AuthType shibboleth
  ShibRequestSetting requireSession 1
  require valid-user
</Location>
</source>
to ''httpd.conf''. This will require users to authenticate to access any part of Hyrax. If you want a more fine grained control you may want use multiple ''Location'' elements with different requires attributes. For example:
<source lang="apache">
<Location /opendap>
  AuthType shibboleth
  ShibCompatWith24 On
  require shibboleth
</Location>
<Location /opendap/AVHRR>
  AuthType shibboleth
  ShibCompatWith24 On
  ShibRequestSetting requireSession 1
  require valid-user
</Location>
</apache>
</source>
The first ''Location'' establishes Shibboleth as the authentication tool for the entire ''/opendap'' application path , but does not require a user to be logged in order to access the path. The second ''Location'' element asserts that in order to access the "/opendap/AVHRR" URL path the user must be logged in as a valid user, and because the AuthType is set to shibboleth then that user must therefore be a valid Shibboleth user.
For more examples and better understanding see the [https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApacheConfig#NativeSPApacheConfig-AuthConfigOptions Apache Configuration section of the Shibboleth wiki.]


<!--
== Hyrax Managed Access ==

− In order for the Hyrax Managed Access to work correctly you will need to alter the Apache security constraint for the Hyrax Web Application. The Shibboleth wiki example would have had you adda something like this:
+ In order for the Hyrax Managed Access to work correctly you will need to alter the Apache security constraint for the Hyrax Web Application. The Shibboleth wiki example would have had you add something like this:

<source lang="apache">
Line 24: Line 55:
</source>

− to ''httpd.conf'', which places Apache in full control of the authentication process. Hyrax Managed Access needs to have have some of that control. In the follow example the first ''Location'' establishes Shibboleth as the authentication tool for the entire ''/opendap'' application path , but does not require a user to be logged in order to access the path. The second ''Location'' element establishes an endpoint for Hyrax Managed Access to initiate Shibboleth authentication for the user.
+ to ''httpd.conf'', which places Apache in full control of the authentication process. Hyrax Managed Access needs to have some of that control. In the follow example the first ''Location'' establishes Shibboleth as the authentication tool for the entire ''/opendap'' application path , but does not require a user to be logged in order to access the path. The second ''Location'' element establishes an endpoint for Hyrax Managed Access to initiate Shibboleth authentication for the user, this example shows the value of the Location element set to the default login context for the opendap.auth.ShibbolethIdP class. If a custom login context is specified in the Hyrax configuration the the values of this second ''Location'' must be changed to reflect the Hyrax configuration.


Revision as of 21:32, 24 October 2014


Overview

This document is intended to help those that have been asked to deploy Hyrax into an environment where authentication services are provided by an instance of Shibboleth.

Install and Configure Shibboleth

The Shibboleth wiki provides excellent documentation on how to get Shibboleth authentication services working with Tomcat.

Follow the instructions for a Native Java Install and remember that Hyrax does not use either Spring or Grails.

The Shibboleth instructions should have had you add something like this:

<Location /opendap>
  AuthType shibboleth
  ShibRequestSetting requireSession 1
  require valid-user
</Location>

to httpd.conf. This will require users to authenticate before they can access any part of Hyrax. If you want finer-grained control, you can use multiple Location elements with different require directives. For example:

<Location /opendap>
  AuthType shibboleth
  ShibCompatWith24 On
  require shibboleth
</Location>
<Location /opendap/AVHRR>
  AuthType shibboleth
  ShibCompatWith24 On
  ShibRequestSetting requireSession 1
  require valid-user
</Location>

The first Location establishes Shibboleth as the authentication tool for the entire /opendap application path but does not require a user to be logged in to access it. The second Location element asserts that to access the /opendap/AVHRR URL path the user must be logged in as a valid user, and because AuthType is set to shibboleth, that user must therefore be a valid Shibboleth user.
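When several Location blocks overlap, it is easy to lose track of which paths end up with a lazy session (require shibboleth) and which force a login (requireSession 1 or require valid-user). The following is an added example, written for this page and not code from the OPeNDAP documentation or the Shibboleth SP: it parses Location blocks out of an httpd.conf fragment, merges the matching ones the way Apache does by default (later sections override earlier ones per directive, AuthMerging Off), and reports for each path whether an authenticated session is forced. The function names (parse_locations, effective_settings, requires_login, audit) and the two sample configurations are constructed here; they mirror the two snippets above.

```python
"""Audit which URL paths a Shibboleth-protected httpd.conf forces to log in.
Added example: a small model of Apache <Location> merging, not OPeNDAP or
Shibboleth code. Assumes Apache's default AuthMerging Off behaviour."""
import re

_OPEN = re.compile(r"^<Location\s+(\S+)\s*>$", re.IGNORECASE)
_CLOSE = re.compile(r"^</Location\s*>$", re.IGNORECASE)


def parse_locations(conf_text):
    """Return [(prefix, [(directive, value), ...]), ...] in configuration order.
    Lines outside <Location> blocks are ignored; nesting is rejected."""
    blocks, current = [], None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        opened = _OPEN.match(line)
        if opened:
            if current is not None:
                raise ValueError("nested <Location> blocks are not allowed")
            current = (opened.group(1), [])
            continue
        if _CLOSE.match(line):
            if current is None:
                raise ValueError("</Location> without a matching <Location>")
            blocks.append(current)
            current = None
            continue
        if current is not None:
            name, _, value = line.partition(" ")
            current[1].append((name, value.strip()))
    if current is not None:
        raise ValueError("unterminated <Location> block")
    return blocks


def _matches(prefix, path):
    """Apache <Location> matching: /opendap covers /opendap and /opendap/...,
    but not /opendapX (the prefix must end on a path-component boundary)."""
    p = prefix.rstrip("/") or "/"
    return path == p or path.startswith(p + "/")


def effective_settings(blocks, path):
    """Merge every matching <Location> in config order; a later section
    overrides an earlier one per directive. ShibRequestSetting is keyed by
    its setting name so several different settings can coexist."""
    eff = {}
    for prefix, directives in blocks:
        if not _matches(prefix, path):
            continue
        for name, value in directives:
            key = name.lower()
            if key == "shibrequestsetting":
                setting, _, sval = value.partition(" ")
                eff["shibrequestsetting:" + setting.lower()] = sval.strip()
            else:
                eff[key] = value
    return eff


def requires_login(blocks, path):
    """True when the path forces an authenticated session, either via the SP
    (ShibRequestSetting requireSession 1) or via Apache authz (a Require other
    than the lazy-session 'shibboleth'). None when no <Location> covers it."""
    eff = effective_settings(blocks, path)
    if not eff:
        return None
    if eff.get("shibrequestsetting:requiresession") == "1":
        return True
    require = eff.get("require", "all granted").lower()
    return require not in ("shibboleth", "all granted")


# Constructed sample configurations mirroring the two snippets on the page.
STRICT_CONF = """
<Location /opendap>
  AuthType shibboleth
  ShibRequestSetting requireSession 1
  require valid-user
</Location>
"""

LAZY_CONF = """
<Location /opendap>
  AuthType shibboleth
  ShibCompatWith24 On
  require shibboleth
</Location>
<Location /opendap/AVHRR>
  AuthType shibboleth
  ShibCompatWith24 On
  ShibRequestSetting requireSession 1
  require valid-user
</Location>
"""


def audit(conf_text, paths):
    """Map each path to True / False / None as defined by requires_login."""
    blocks = parse_locations(conf_text)
    return {p: requires_login(blocks, p) for p in paths}


if __name__ == "__main__":
    sample = ["/opendap", "/opendap/hyrax/catalog.html",
              "/opendap/AVHRR/2014.nc", "/opendapX", "/thredds"]
    for label, conf in (("strict", STRICT_CONF), ("lazy", LAZY_CONF)):
        print(label, audit(conf, sample))
```

Run against the second snippet, the audit shows /opendap/AVHRR/... forcing a session while /opendap/hyrax/... stays lazy, and it flags paths such as /opendapX or /thredds that no Location covers at all, which is the usual source of accidentally unprotected Hyrax endpoints. The model only covers <Location> prefix matching; <LocationMatch> regexes and AuthMerging And/Or are outside its scope.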

For more examples and a better understanding, see the Apache Configuration section of the Shibboleth wiki.