Hyrax - Hyrax + Shibboleth: Difference between revisions

From OPeNDAP Documentation
⧼opendap2-jumptonavigation⧽
Line 21: Line 21:
</source>
</source>


to ''httpd.conf''. This will require users to authenticate to access any part of Hyrax. If you want more fine grained control you may want use multiple ''Location'' elements with different <code>require</code> attributes. For example:
to ''httpd.conf''. This will require users to authenticate to access any part of Hyrax. If you want more fine grained control you may want use multiple <code>Location</code> elements with different <code>require</code> attributes. For example:
   
   
<source lang="apache">
<source lang="apache">
Line 38: Line 38:
</source>
</source>


The first ''Location'' establishes Shibboleth as the authentication tool for the entire ''/opendap'' application path , but does not require a user to be logged in order to access the path. The second ''Location'' element asserts that in order to access the "/opendap/AVHRR" URL path the user must be logged in as a valid user, and because the AuthType is set to shibboleth then that user must therefore be a valid Shibboleth user.
The first <code>Location</code> establishes Shibboleth as the authentication tool for the entire ''/opendap'' application path , but does not require a user to be logged in order to access the path. The second <code>Location</code> element asserts that in order to access the "/opendap/AVHRR" URL path the user must be logged in as a valid user, and because the AuthType is set to shibboleth then that user must therefore be a valid Shibboleth user.


For more examples and better understanding see the [https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApacheConfig#NativeSPApacheConfig-AuthConfigOptions Apache Configuration section of the Shibboleth wiki.]
For more examples and better understanding see the [https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApacheConfig#NativeSPApacheConfig-AuthConfigOptions Apache Configuration section of the Shibboleth wiki.]

Revision as of 22:30, 24 October 2014


Overview

This document is intended to help those that have been asked to deploy Hyrax into an environment where authentication services are provided by an instance of Shibboleth.

Install and Configure Shibboleth

The Shibboleth wiki provides excellent documentation on how to get Shibboleth authentication services working with Tomcat.

Follow the instructions for a Native Java Install and remember - Hyrax does not use either Spring or Grails.

The Shibboleth instructions should have had you add something like this: 

<Location /opendap>
  AuthType shibboleth
  ShibRequestSetting requireSession 1
  require valid-user
</Location>

to httpd.conf. This will require users to authenticate to access any part of Hyrax. If you want more fine grained control you may want use multiple Location elements with different require attributes. For example: 

<Location /opendap>
  AuthType shibboleth
  ShibCompatWith24 On
  require shibboleth
</Location>
<Location /opendap/AVHRR>
  AuthType shibboleth
  ShibCompatWith24 On
  ShibRequestSetting requireSession 1
  require valid-user
</Location>
</apache>

The first Location establishes Shibboleth as the authentication tool for the entire /opendap application path , but does not require a user to be logged in order to access the path. The second Location element asserts that in order to access the "/opendap/AVHRR" URL path the user must be logged in as a valid user, and because the AuthType is set to shibboleth then that user must therefore be a valid Shibboleth user.

For more examples and better understanding see the Apache Configuration section of the Shibboleth wiki.


Retrieved from "https://docs.opendap.org/index.php?title=Hyrax_-_Hyrax_%2B_Shibboleth&oldid=10895"