Re: [Dspace-tech] work around authentication mechanism RESOLVED
In case anyone else has to do this, what I ended up doing was copy out the needed bitstream paths to the filesystem, and present them with a standard apache httpd with .htaccess settings for access control based on originating ip-address or basic authentication.

On 28/09/2009, at 5:05 PM, Van Ly wrote:

> Hi,
>
> I've a need to completely disable DSpace authenticated access and use instead iptables(8) for restricting access based on ip-address. Does anybody know the easiest way to achieve this?
>
> Thanks in advance.
>
> -- Van Ly
>
> On 23/09/2009, at 10:02 AM, Van Ly wrote:
>
>> Thanks Larry.
>>
>> The desired behavior I'm wanting is for the web browser to ask for credentials under `basic authentication' in rfc2617. The installed settings handles a http `GET' request with credentials as expected. Without credentials, rather than doing [x] it does [y].
>>
>> Originally, had I needed, I had in mind to strip DSpace naked (ie. without authentication) and as a temporary fix use `iptables(8)' to control access based on IP.
>>
>> But really, whether the browser or the page prompts for credentials is a cosmetic issue as long as the link is trusted.
>>
>> 8< [snipped]
>>
>> -- # [x] `401' points to the web browser's sign-on, expected behaviour by end-user
>> 0.000478 num.num.num.103 -> num.num.num.56 HTTP GET /basicAuthTest/ HTTP/1.1
>> 0.000523 num.num.num.56 -> num.num.num.103 TCP http > 54837 [ACK] Seq=1 Ack=576 Win=7040 Len=0 TSV=1837843610 TSER=1974179631
>> 0.002128 num.num.num.56 -> num.num.num.103 HTTP HTTP/1.1 401 Authorization Required (text/html)
>>
>> -- # [y] unexpected behaviour
>> 0.000550 num.num.num.103 -> num.num.num.4 HTTP GET /bitstream/num/num/1/External.pdf HTTP/1.1
>> 0.000634 num.num.num.4 -> num.num.num.103 TCP http > 54862 [ACK] Seq=1 Ack=601 Win=7040 Len=0 TSV=2843474683 TSER=1974184374
>> 0.047864 num.num.num.4 -> num.num.num.103 HTTP HTTP/1.1 302 Moved Temporarily
>>
>> -- #[y'] `302' points to the DSpace sign-on
>> num.num.num.103 - - [22/Sep/2009:17:04:12 +1000] "GET /bitstream/num/num/1/External.pdf HTTP/1.1" 302 -
>> num.num.num.103 - - [22/Sep/2009:17:04:12 +1000] "GET /password-login HTTP/1.1" 200 4743

Van Ly
vly at usyd dot edu dot au

___
DSpace-tech mailing list
DSpace-tech@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/dspace-tech
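A sketch of the .htaccess arrangement described in the message above, as an added example (it is not the poster's actual configuration); the network range, realm name and password-file path are assumptions.

```apache
# .htaccess in the directory holding the copied-out files (constructed example).
# The enclosing <Directory> block in the main server config must permit these
# directives, e.g. "AllowOverride AuthConfig" (add "Limit" for the 2.2 form).

# Basic authentication (RFC 2617): a request without credentials is answered
# with "401" plus a WWW-Authenticate header, so the browser shows its own
# prompt instead of being redirected to an application login page.
AuthType Basic
AuthName "Repository files"
# Assumed path; keep the password file outside the document root.
AuthUserFile /etc/httpd/conf/repo.htpasswd

# Apache 2.4: admit the request if EITHER condition holds.
<RequireAny>
    # 192.0.2.0/24 is a documentation range standing in for the trusted network.
    Require ip 192.0.2.0/24
    Require valid-user
</RequireAny>

# Apache 2.2 equivalent (the release line current in 2009); use this in place
# of the <RequireAny> block above:
#   Order deny,allow
#   Deny from all
#   Allow from 192.0.2.0/24
#   Require valid-user
#   Satisfy Any
```

Basic credentials are only base64-encoded on the wire, so the directory should be served over TLS. Files copied out this way are no longer covered by DSpace's own authorization policies, so the web server rules are the only access control on them.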
Re: [Dspace-tech] work around authentication mechanism
Hi,

I've a need to completely disable DSpace authenticated access and use instead iptables(8) for restricting access based on ip-address. Does anybody know the easiest way to achieve this?

Thanks in advance.

-- Van Ly

On 23/09/2009, at 10:02 AM, Van Ly wrote:

> Thanks Larry.
>
> The desired behavior I'm wanting is for the web browser to ask for credentials under `basic authentication' in rfc2617. The installed settings handles a http `GET' request with credentials as expected. Without credentials, rather than doing [x] it does [y].
>
> Originally, had I needed, I had in mind to strip DSpace naked (ie. without authentication) and as a temporary fix use `iptables(8)' to control access based on IP.
>
> But really, whether the browser or the page prompts for credentials is a cosmetic issue as long as the link is trusted.
>
> Best wishes,
>
> Van Ly
> vly at usyd dot edu dot au
>
> -- # [x] `401' points to the web browser's sign-on, expected behaviour by end-user
> 0.000478 num.num.num.103 -> num.num.num.56 HTTP GET /basicAuthTest/ HTTP/1.1
> 0.000523 num.num.num.56 -> num.num.num.103 TCP http > 54837 [ACK] Seq=1 Ack=576 Win=7040 Len=0 TSV=1837843610 TSER=1974179631
> 0.002128 num.num.num.56 -> num.num.num.103 HTTP HTTP/1.1 401 Authorization Required (text/html)
>
> -- # [y] unexpected behaviour
> 0.000550 num.num.num.103 -> num.num.num.4 HTTP GET /bitstream/num/num/1/External.pdf HTTP/1.1
> 0.000634 num.num.num.4 -> num.num.num.103 TCP http > 54862 [ACK] Seq=1 Ack=601 Win=7040 Len=0 TSV=2843474683 TSER=1974184374
> 0.047864 num.num.num.4 -> num.num.num.103 HTTP HTTP/1.1 302 Moved Temporarily
>
> -- #[y'] `302' points to the DSpace sign-on
> num.num.num.103 - - [22/Sep/2009:17:04:12 +1000] "GET /bitstream/num/num/1/External.pdf HTTP/1.1" 302 -
> num.num.num.103 - - [22/Sep/2009:17:04:12 +1000] "GET /password-login HTTP/1.1" 200 4743
>
> On 11/09/2009, at 12:36 PM, Larry Stone wrote:
>
>> If you just want to deny all access based on the requestor's IP address, that is best done in the web server or servlet container. If you're using "naked" Tomcat, see the doc for org.apache.catalina.valves.RemoteAddrValve. If you're using Apache httpd it's very easy to configure, just see the server docs.
>>
>> -- Larry
>>
>> On Sep 10, 2009, at 9:50 PM, Van Ly wrote:
>>
>>> Hi,
>>>
>>> I may have a situation where one of the items in the list for `plugin.sequence.org.dspace.eperson.AuthenticationMethod' isn't behaving as expected.
>>>
>>> To work around, if I need to put up a firewall to restrict access based on ip-address and bypass the authentication mechanism entirely, what would be a way?
>>>
>>> Thanks in advance.
>>>
>>> Van Ly
>>> vly at usyd dot edu dot au

Van Ly
vly at usyd dot edu dot au
Re: [Dspace-tech] work around authentication mechanism
Thanks Larry.

The desired behavior I'm wanting is for the web browser to ask for credentials under `basic authentication' in rfc2617. The installed settings handles a http `GET' request with credentials as expected. Without credentials, rather than doing [x] it does [y].

Originally, had I needed, I had in mind to strip DSpace naked (ie. without authentication) and as a temporary fix use `iptables(8)' to control access based on IP.

But really, whether the browser or the page prompts for credentials is a cosmetic issue as long as the link is trusted.

Best wishes,

Van Ly
vly at usyd dot edu dot au

-- # [x] `401' points to the web browser's sign-on, expected behaviour by end-user
0.000478 num.num.num.103 -> num.num.num.56 HTTP GET /basicAuthTest/ HTTP/1.1
0.000523 num.num.num.56 -> num.num.num.103 TCP http > 54837 [ACK] Seq=1 Ack=576 Win=7040 Len=0 TSV=1837843610 TSER=1974179631
0.002128 num.num.num.56 -> num.num.num.103 HTTP HTTP/1.1 401 Authorization Required (text/html)

-- # [y] unexpected behaviour
0.000550 num.num.num.103 -> num.num.num.4 HTTP GET /bitstream/num/num/1/External.pdf HTTP/1.1
0.000634 num.num.num.4 -> num.num.num.103 TCP http > 54862 [ACK] Seq=1 Ack=601 Win=7040 Len=0 TSV=2843474683 TSER=1974184374
0.047864 num.num.num.4 -> num.num.num.103 HTTP HTTP/1.1 302 Moved Temporarily

-- #[y'] `302' points to the DSpace sign-on
num.num.num.103 - - [22/Sep/2009:17:04:12 +1000] "GET /bitstream/num/num/1/External.pdf HTTP/1.1" 302 -
num.num.num.103 - - [22/Sep/2009:17:04:12 +1000] "GET /password-login HTTP/1.1" 200 4743

On 11/09/2009, at 12:36 PM, Larry Stone wrote:

> If you just want to deny all access based on the requestor's IP address, that is best done in the web server or servlet container. If you're using "naked" Tomcat, see the doc for org.apache.catalina.valves.RemoteAddrValve. If you're using Apache httpd it's very easy to configure, just see the server docs.
>
> -- Larry
>
> On Sep 10, 2009, at 9:50 PM, Van Ly wrote:
>
>> Hi,
>>
>> I may have a situation where one of the items in the list for `plugin.sequence.org.dspace.eperson.AuthenticationMethod' isn't behaving as expected.
>>
>> To work around, if I need to put up a firewall to restrict access based on ip-address and bypass the authentication mechanism entirely, what would be a way?
>>
>> Thanks in advance.
>>
>> Van Ly
>> vly at usyd dot edu dot au
Re: [Dspace-tech] work around authentication mechanism
If you just want to deny all access based on the requestor's IP address, that is best done in the web server or servlet container. If you're using "naked" Tomcat, see the doc for org.apache.catalina.valves.RemoteAddrValve. If you're using Apache httpd it's very easy to configure, just see the server docs.

-- Larry

On Sep 10, 2009, at 9:50 PM, Van Ly wrote:

> Hi,
>
> I may have a situation where one of the items in the list for `plugin.sequence.org.dspace.eperson.AuthenticationMethod' isn't behaving as expected.
>
> To work around, if I need to put up a firewall to restrict access based on ip-address and bypass the authentication mechanism entirely, what would be a way?
>
> Thanks in advance.
>
> Van Ly
> vly at usyd dot edu dot au
[Dspace-tech] work around authentication mechanism
Hi,

I may have a situation where one of the items in the list for `plugin.sequence.org.dspace.eperson.AuthenticationMethod' isn't behaving as expected.

To work around, if I need to put up a firewall to restrict access based on ip-address and bypass the authentication mechanism entirely, what would be a way?

Thanks in advance.

Van Ly
vly at usyd dot edu dot au