Re: [dspace-tech] ip authentication, how do I log in?

2017-10-04 Thread Tim Donohue 
Hi Paul,

Yes, it should "just work".  As Claudia also noted, it'd be useful to know
what version of DSpace you are running (as I vaguely recall a few versions
had bugs in the IP auth at times).

Regarding the user's group, if you are expecting the user to appear as a
member of the Group in the Admin UI (via the Group Edit tools), that
actually will not happen. When using IP Auth, the user is only a temporary
Group member based on their current session (i.e. they are only a member
within their specific session and after their session ends, the user is no
longer a member of that group)

So, as Claudia notes/implies, the ways to tell this is working are:
* Check if the permissions given to the group are applied when you access
the site from the given IP address (sounds like you tried this though)
* Or, actually login/authenticate (from the IP address) and check the
user's profile (My DSpace) page to see if the Group is listed there. This
is only visible for logged in users though, and won't be visible to
anonymous users.

- Tim

On Wed, Oct 4, 2017 at 2:33 AM Paul Warner  wrote:

> Dear Tim,
>
> Thanks for your reply.  What you describe is exactly what we need.  I can
> see my use of the phrase 'logging in' was misleading.  I have everything
> set up to verify ip authentication/authorization, as far as I know.  But
> when I come to my dspace in the browser, and it is clear from the log that
> dspace knows the ip address, and it matches what is in
> authentication-ip.cfg, it still does not put the user in the desired group
> or give the user permission to listen to the audio files.  It sounds, from
> your email, that this is supposed to just work, one does not need to do
> anything more than come to the site from the designated ip address, in
> order to have access to the files.
>
> Originally I thought that perhaps the authentication module was not
> getting the right ip address, since I am using apache in front of tomcat,
> but then I found that the module has this built in, when you uncomment
> useProxies = true in the dspace.cfg.  And having done that, I can see the
> ip in the dspace log file.  But the user still does not land in the right
> group...
>
> Best regards,
> Paul
>
>
> On Tue, Oct 3, 2017 at 4:21 PM, Tim Donohue 
> wrote:
>
>> Hi Paul,
>>
>> IP Authentication is a slight misnomer.  It's not truly *authentication*
>> but rather *authorization*.  So, you don't need to login at all, but you
>> are provided specific access rights based on your IP address.
>>
>> So, the point of IP Auth is that you are essentially "mapping" specific
>> IP addresses or ranges to specific DSpace Groups.  Anyone who accesses your
>> site from those IP addresses (even anonymously) will be added to that
>> DSpace Group for the remainder of their session.  You can then use that
>> DSpace Group to assign those users specific access rights.
>>
>> One example use case for IP Auth is to provide access to all University
>> Theses & Dissertations while on campus (or while in the University
>> Library).  In such a scenario, the Theses & Dissertations may be access
>> restricted to downloading/viewing to the general public, but if a user
>> visits your site from an on-campus IP address, they can download/view the
>> files without logging in.
>>
>> I hope that helps clarify the purpose of IP Auth!
>>
>> Tim
>>
>> On Mon, Oct 2, 2017 at 5:11 AM Paul Warner  wrote:
>>
>>> Hi,
>>>
>>> I have set up ip authentication using apache as a proxy front end for
>>> tomcat. The log is seeing the ip address, so it is being correctly passed
>>> through from apache to tomcat, and correctly read by dspace.  But it is not
>>> logging me in to the group.  My question is, how do I log in?  If I have ip
>>> authentication stacked with password authentication, when I click the login
>>> button in the top menu on the jspui, I go to the password login page.  If I
>>> remove password login from the list in authentication.cfg and have only ip
>>> authentication, then when I click the login button I get a page with no
>>> form elements at all, nothing.  And, as I said, I am not being logged in to
>>> the group automatically.
>>>
>>> Thanks for any hints or tips!
>>>
>>> Best regards,
>>> Paul
>>>
>>> dspace 6.1 on Suse 12.2, tomcat 8 and apache 2.4.23
>>>
>>> Here is the log entry:
>>>
>>> 2017-10-02 11:55:00,242 INFO  org.dspace.usage.LoggerUsageEventListener
>>> @ anonymous:session_id=50601B9E86D5FEC0FC1173927BAF8DA6:ip_addr=1.2.3.4:
>>> view_item:handle=123456789/46
>>>
>>> I have configured dspace so:
>>>
>>> from dspace.cfg
>>>
>>>  Proxy Settings
>>> ##
>>>
>>> # uncomment and specify both properties if proxy server
>>> required
>>>
>>> # proxy server for external http requests - use regular hostname without
>>> port
>>> number
>>>
>>> http.proxy.host = localhost
>>>
>>> # port number of proxy
>>> server
>>>
>>> http.proxy.port = 443
>>>
>>> # If enabled, the logging and

Re: [dspace-tech] ip authentication, how do I log in?

2017-10-04 Thread Claudia Jürgen 

Hello Paul,

btw. with which version an UI are you working?

We are using IP based authentication for campus restriced material and
it works fine (5.x, jspui).
Having stacked IP Authentication in
dspace/config/modules/authentication.cfg
like
plugin.sequence.org.dspace.authenticate.AuthenticationMethod = \
org.dspace.authenticate.PasswordAuthentication, \
org.dspace.authenticate.IPAuthentication

and adding matching the ip to the group in
dspace/config/modules/authentication-ip.cfg
like
ip.Campus\ Group = [some ip pattern]

works fine, assuming the resources got the right resource policies.
(Note, if you got a blank in your group name you got to escape it with \)

One easy test to see, whether a user is added to this group is setting
dspace/config/dspace.cfg
webui.mydspace.showgroupmemberships = true
(defaults to false)
This will show list of all the groups on the my dspace page of a user.

If the user is added to the group and still can not access a resource,
check the resource policies.

Hope this helps

Claudia Jürgen



Am 04.10.2017 um 09:33 schrieb Paul Warner:

Dear Tim,

Thanks for your reply.  What you describe is exactly what we need.  I can
see my use of the phrase 'logging in' was misleading.  I have everything
set up to verify ip authentication/authorization, as far as I know.  But
when I come to my dspace in the browser, and it is clear from the log that
dspace knows the ip address, and it matches what is in
authentication-ip.cfg, it still does not put the user in the desired group
or give the user permission to listen to the audio files.  It sounds, from
your email, that this is supposed to just work, one does not need to do
anything more than come to the site from the designated ip address, in
order to have access to the files.

Originally I thought that perhaps the authentication module was not getting
the right ip address, since I am using apache in front of tomcat, but then
I found that the module has this built in, when you uncomment useProxies =
true in the dspace.cfg.  And having done that, I can see the ip in the
dspace log file.  But the user still does not land in the right group...

Best regards,
Paul


On Tue, Oct 3, 2017 at 4:21 PM, Tim Donohue  wrote:


Hi Paul,

IP Authentication is a slight misnomer.  It's not truly *authentication*
but rather *authorization*.  So, you don't need to login at all, but you
are provided specific access rights based on your IP address.

So, the point of IP Auth is that you are essentially "mapping" specific IP
addresses or ranges to specific DSpace Groups.  Anyone who accesses your
site from those IP addresses (even anonymously) will be added to that
DSpace Group for the remainder of their session.  You can then use that
DSpace Group to assign those users specific access rights.

One example use case for IP Auth is to provide access to all University
Theses & Dissertations while on campus (or while in the University
Library).  In such a scenario, the Theses & Dissertations may be access
restricted to downloading/viewing to the general public, but if a user
visits your site from an on-campus IP address, they can download/view the
files without logging in.

I hope that helps clarify the purpose of IP Auth!

Tim

On Mon, Oct 2, 2017 at 5:11 AM Paul Warner  wrote:


Hi,

I have set up ip authentication using apache as a proxy front end for
tomcat. The log is seeing the ip address, so it is being correctly passed
through from apache to tomcat, and correctly read by dspace.  But it is not
logging me in to the group.  My question is, how do I log in?  If I have ip
authentication stacked with password authentication, when I click the login
button in the top menu on the jspui, I go to the password login page.  If I
remove password login from the list in authentication.cfg and have only ip
authentication, then when I click the login button I get a page with no
form elements at all, nothing.  And, as I said, I am not being logged in to
the group automatically.

Thanks for any hints or tips!

Best regards,
Paul

dspace 6.1 on Suse 12.2, tomcat 8 and apache 2.4.23

Here is the log entry:

2017-10-02 11:55:00,242 INFO  org.dspace.usage.LoggerUsageEventListener
@ anonymous:session_id=50601B9E86D5FEC0FC1173927BAF8DA6:ip_addr=1.2.3.4:
view_item:handle=123456789/46

I have configured dspace so:

from dspace.cfg

 Proxy Settings ##


# uncomment and specify both properties if proxy server
required

# proxy server for external http requests - use regular hostname without
port number

http.proxy.host = localhost

# port number of proxy server


http.proxy.port = 443

# If enabled, the logging and the Solr statistics system will look
for

# an X-Forwarded-For header. If it finds it, it will use this for the
user IP address

useProxies = true

from authentication.cfg

plugin.sequence.org.dspace.authenticate.AuthenticationMethod =
org.dspace.authenticate.IPAuthentication,org.dspace.authenticate.

Re: [dspace-tech] ip authentication, how do I log in?

2017-10-04 Thread Paul Warner 
Dear Tim,

Thanks for your reply.  What you describe is exactly what we need.  I can
see my use of the phrase 'logging in' was misleading.  I have everything
set up to verify ip authentication/authorization, as far as I know.  But
when I come to my dspace in the browser, and it is clear from the log that
dspace knows the ip address, and it matches what is in
authentication-ip.cfg, it still does not put the user in the desired group
or give the user permission to listen to the audio files.  It sounds, from
your email, that this is supposed to just work, one does not need to do
anything more than come to the site from the designated ip address, in
order to have access to the files.

Originally I thought that perhaps the authentication module was not getting
the right ip address, since I am using apache in front of tomcat, but then
I found that the module has this built in, when you uncomment useProxies =
true in the dspace.cfg.  And having done that, I can see the ip in the
dspace log file.  But the user still does not land in the right group...

Best regards,
Paul


On Tue, Oct 3, 2017 at 4:21 PM, Tim Donohue  wrote:

> Hi Paul,
>
> IP Authentication is a slight misnomer.  It's not truly *authentication*
> but rather *authorization*.  So, you don't need to login at all, but you
> are provided specific access rights based on your IP address.
>
> So, the point of IP Auth is that you are essentially "mapping" specific IP
> addresses or ranges to specific DSpace Groups.  Anyone who accesses your
> site from those IP addresses (even anonymously) will be added to that
> DSpace Group for the remainder of their session.  You can then use that
> DSpace Group to assign those users specific access rights.
>
> One example use case for IP Auth is to provide access to all University
> Theses & Dissertations while on campus (or while in the University
> Library).  In such a scenario, the Theses & Dissertations may be access
> restricted to downloading/viewing to the general public, but if a user
> visits your site from an on-campus IP address, they can download/view the
> files without logging in.
>
> I hope that helps clarify the purpose of IP Auth!
>
> Tim
>
> On Mon, Oct 2, 2017 at 5:11 AM Paul Warner  wrote:
>
>> Hi,
>>
>> I have set up ip authentication using apache as a proxy front end for
>> tomcat. The log is seeing the ip address, so it is being correctly passed
>> through from apache to tomcat, and correctly read by dspace.  But it is not
>> logging me in to the group.  My question is, how do I log in?  If I have ip
>> authentication stacked with password authentication, when I click the login
>> button in the top menu on the jspui, I go to the password login page.  If I
>> remove password login from the list in authentication.cfg and have only ip
>> authentication, then when I click the login button I get a page with no
>> form elements at all, nothing.  And, as I said, I am not being logged in to
>> the group automatically.
>>
>> Thanks for any hints or tips!
>>
>> Best regards,
>> Paul
>>
>> dspace 6.1 on Suse 12.2, tomcat 8 and apache 2.4.23
>>
>> Here is the log entry:
>>
>> 2017-10-02 11:55:00,242 INFO  org.dspace.usage.LoggerUsageEventListener
>> @ anonymous:session_id=50601B9E86D5FEC0FC1173927BAF8DA6:ip_addr=1.2.3.4:
>> view_item:handle=123456789/46
>>
>> I have configured dspace so:
>>
>> from dspace.cfg
>>
>>  Proxy Settings ##
>>
>>
>> # uncomment and specify both properties if proxy server
>> required
>>
>> # proxy server for external http requests - use regular hostname without
>> port number
>>
>> http.proxy.host = localhost
>>
>> # port number of proxy server
>>
>>
>> http.proxy.port = 443
>>
>> # If enabled, the logging and the Solr statistics system will look
>> for
>>
>> # an X-Forwarded-For header. If it finds it, it will use this for the
>> user IP address
>>
>> useProxies = true
>>
>> from authentication.cfg
>>
>> plugin.sequence.org.dspace.authenticate.AuthenticationMethod =
>> org.dspace.authenticate.IPAuthentication,org.dspace.authenticate.
>> PasswordAuthentication
>>
>> from authentication-ip.cfg
>>
>> authentication-ip.Hochschule_Bibliothek = 1.2.3.4
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "DSpace Technical Support" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to dspace-tech+unsubscr...@googlegroups.com.
>> To post to this group, send email to dspace-tech@googlegroups.com.
>> Visit this group at https://groups.google.com/group/dspace-tech.
>> For more options, visit https://groups.google.com/d/optout.
>>
> --
>
> Tim Donohue
> Technical Lead for DSpace & DSpaceDirect
> DuraSpace.org | DSpace.org | DSpaceDirect.org
>
>

-- 
You received this message because you are subscribed to the Google Groups 
"DSpace Technical Support" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to

Re: [dspace-tech] ip authentication, how do I log in?

2017-10-03 Thread Tim Donohue 
Hi Paul,

IP Authentication is a slight misnomer.  It's not truly *authentication*
but rather *authorization*.  So, you don't need to login at all, but you
are provided specific access rights based on your IP address.

So, the point of IP Auth is that you are essentially "mapping" specific IP
addresses or ranges to specific DSpace Groups.  Anyone who accesses your
site from those IP addresses (even anonymously) will be added to that
DSpace Group for the remainder of their session.  You can then use that
DSpace Group to assign those users specific access rights.

One example use case for IP Auth is to provide access to all University
Theses & Dissertations while on campus (or while in the University
Library).  In such a scenario, the Theses & Dissertations may be access
restricted to downloading/viewing to the general public, but if a user
visits your site from an on-campus IP address, they can download/view the
files without logging in.

I hope that helps clarify the purpose of IP Auth!

Tim

On Mon, Oct 2, 2017 at 5:11 AM Paul Warner  wrote:

> Hi,
>
> I have set up ip authentication using apache as a proxy front end for
> tomcat. The log is seeing the ip address, so it is being correctly passed
> through from apache to tomcat, and correctly read by dspace.  But it is not
> logging me in to the group.  My question is, how do I log in?  If I have ip
> authentication stacked with password authentication, when I click the login
> button in the top menu on the jspui, I go to the password login page.  If I
> remove password login from the list in authentication.cfg and have only ip
> authentication, then when I click the login button I get a page with no
> form elements at all, nothing.  And, as I said, I am not being logged in to
> the group automatically.
>
> Thanks for any hints or tips!
>
> Best regards,
> Paul
>
> dspace 6.1 on Suse 12.2, tomcat 8 and apache 2.4.23
>
> Here is the log entry:
>
> 2017-10-02 11:55:00,242 INFO  org.dspace.usage.LoggerUsageEventListener @
> anonymous:session_id=50601B9E86D5FEC0FC1173927BAF8DA6:ip_addr=1.2.3.4:
> view_item:handle=123456789/46
>
> I have configured dspace so:
>
> from dspace.cfg
>
>  Proxy Settings
> ##
>
> # uncomment and specify both properties if proxy server
> required
>
> # proxy server for external http requests - use regular hostname without
> port
> number
>
> http.proxy.host = localhost
>
> # port number of proxy
> server
>
> http.proxy.port = 443
>
> # If enabled, the logging and the Solr statistics system will look
> for
>
> # an X-Forwarded-For header. If it finds it, it will use this for the user
> IP
> address
>
> useProxies = true
>
> from authentication.cfg
>
> plugin.sequence.org.dspace.authenticate.AuthenticationMethod =
> org.dspace.authenticate.IPAuthentication,org.dspace.authenticate.PasswordAuthentication
>
> from authentication-ip.cfg
>
> authentication-ip.Hochschule_Bibliothek = 1.2.3.4
>
> --
> You received this message because you are subscribed to the Google Groups
> "DSpace Technical Support" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to dspace-tech+unsubscr...@googlegroups.com.
> To post to this group, send email to dspace-tech@googlegroups.com.
> Visit this group at https://groups.google.com/group/dspace-tech.
> For more options, visit https://groups.google.com/d/optout.
>
-- 

Tim Donohue
Technical Lead for DSpace & DSpaceDirect
DuraSpace.org | DSpace.org | DSpaceDirect.org

-- 
You received this message because you are subscribed to the Google Groups 
"DSpace Technical Support" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to dspace-tech+unsubscr...@googlegroups.com.
To post to this group, send email to dspace-tech@googlegroups.com.
Visit this group at https://groups.google.com/group/dspace-tech.
For more options, visit https://groups.google.com/d/optout.