Hyrax - Hyrax + Shibboleth: Difference between revisions
Line 21: | Line 21: | ||
</source> | </source> | ||
to ''httpd.conf''. This will require users to authenticate to access any part of Hyrax. If you want more fine grained control you may want use multiple | to ''httpd.conf''. This will require users to authenticate to access any part of Hyrax. If you want more fine grained control you may want use multiple <code>Location</code> elements with different <code>require</code> attributes. For example: | ||
<source lang="apache"> | <source lang="apache"> | ||
Line 38: | Line 38: | ||
</source> | </source> | ||
The first | The first <code>Location</code> establishes Shibboleth as the authentication tool for the entire ''/opendap'' application path , but does not require a user to be logged in order to access the path. The second <code>Location</code> element asserts that in order to access the "/opendap/AVHRR" URL path the user must be logged in as a valid user, and because the AuthType is set to shibboleth then that user must therefore be a valid Shibboleth user. | ||
For more examples and better understanding see the [https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApacheConfig#NativeSPApacheConfig-AuthConfigOptions Apache Configuration section of the Shibboleth wiki.] | For more examples and better understanding see the [https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApacheConfig#NativeSPApacheConfig-AuthConfigOptions Apache Configuration section of the Shibboleth wiki.] |
Revision as of 22:30, 24 October 2014
Overview
This document is intended to help those that have been asked to deploy Hyrax into an environment where authentication services are provided by an instance of Shibboleth.
Install and Configure Shibboleth
The Shibboleth wiki provides excellent documentation on how to get Shibboleth authentication services working with Tomcat.
Follow the instructions for a Native Java Install and remember - Hyrax does not use either Spring or Grails.
The Shibboleth instructions should have had you add something like this:
<Location /opendap>
AuthType shibboleth
ShibRequestSetting requireSession 1
require valid-user
</Location>
to httpd.conf. This will require users to authenticate to access any part of Hyrax. If you want more fine grained control you may want use multiple Location
elements with different require
attributes. For example:
<Location /opendap>
AuthType shibboleth
ShibCompatWith24 On
require shibboleth
</Location>
<Location /opendap/AVHRR>
AuthType shibboleth
ShibCompatWith24 On
ShibRequestSetting requireSession 1
require valid-user
</Location>
</apache>
The first Location
establishes Shibboleth as the authentication tool for the entire /opendap application path , but does not require a user to be logged in order to access the path. The second Location
element asserts that in order to access the "/opendap/AVHRR" URL path the user must be logged in as a valid user, and because the AuthType is set to shibboleth then that user must therefore be a valid Shibboleth user.
For more examples and better understanding see the Apache Configuration section of the Shibboleth wiki.