Tomcat Authentication
The administrative portion of xEAC should be closed off to non-authenticated users. We will want to create a new administrative group and user(s) that can access the /xeac/admin portion of the application. The instructions follow standard Tomcat authentication.
Edit /var/lib/tomcat7/conf/tomcat-users.xml and follow the commented-out example in the file. Within the tomcat-users element, create a new role, <role rolename="xeac-admin"/>, and at least one new user with the matching role, e.g., <user username="admin" password="" roles="xeac-admin"/>. By default the passwords are stored in plain text within this file, but Tomcat authentication can be configured to store SHA-2 hashed (digested) passwords instead.
After creating the user and role, save and exit the file and restart Tomcat for the changes to take effect: sudo service tomcat7 restart
Now that we have created a new 'xeac-admin' role in Tomcat, we can restrict access to the administrative backend of the Harvester through Orbeon's web.xml, following the standard Tomcat protocol.
Edit /var/lib/tomcat7/webapps/orbeon/WEB-INF/web.xml and scroll to the bottom of the file. We will place the authentication instructions above the session-config element. After saving web.xml, restart Tomcat.
```xml
<security-constraint>
  <web-resource-collection>
    <web-resource-name>xEAC</web-resource-name>
    <url-pattern>/xeac/admin/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>xeac-admin</role-name>
  </auth-constraint>
</security-constraint>
<login-config>
  <auth-method>BASIC</auth-method>
</login-config>
<session-config>
  <session-timeout>720</session-timeout>
</session-config>
```
In essence, this restricts anything in the /xeac/admin/* namespace to an authenticated user who holds the xeac-admin Tomcat role. The authentication method is BASIC (in contrast with FORM), so the login is performed through a browser popup window rather than a web page.
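A quick way to confirm the two edits took effect as intended is to parse the resulting files and check that the url-pattern is actually tied to the xeac-admin role and that no xeac-admin user was left with the template's empty password. The following is an added example, not part of the xEAC wiki or project; the two XML documents in it are constructed samples standing in for the real web.xml and tomcat-users.xml.

```python
"""Audit web.xml and tomcat-users.xml after the edits above.  Added example
(not part of the wiki); the two sample documents below are constructed."""
import xml.etree.ElementTree as ET
# Constructed tail of Orbeon's web.xml, with the xmlns a Servlet 3.0
# descriptor usually carries (the real file may differ).
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>xEAC</web-resource-name>
      <url-pattern>/xeac/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>xeac-admin</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

# Constructed tomcat-users.xml: 'admin' still has the template's empty password.
TOMCAT_USERS_XML = """<tomcat-users>
  <role rolename="xeac-admin"/>
  <user username="admin" password="" roles="xeac-admin"/>
  <user username="editor" password="REPLACE-ME" roles="manager-gui,xeac-admin"/>
</tomcat-users>"""


def _find_all(elem, name):
    """Match on the local name so the code works with or without an xmlns."""
    return [e for e in elem.iter() if e.tag.rsplit("}", 1)[-1] == name]


def roles_protecting(web_xml, url_pattern):
    """Roles granted by every security-constraint listing url_pattern exactly."""
    roles = set()
    for sc in _find_all(ET.fromstring(web_xml), "security-constraint"):
        patterns = {p.text.strip() for p in _find_all(sc, "url-pattern")}
        if url_pattern in patterns:
            roles.update(r.text.strip() for r in _find_all(sc, "role-name"))
    return roles


def users_with_role(users_xml, role):
    """Map username -> True if that user's password attribute is non-empty."""
    result = {}
    for u in _find_all(ET.fromstring(users_xml), "user"):
        if role in {r.strip() for r in u.get("roles", "").split(",")}:
            result[u.get("username")] = bool(u.get("password"))
    return result


if __name__ == "__main__":
    print("roles on /xeac/admin/*:", roles_protecting(WEB_XML, "/xeac/admin/*"))
    for name, has_pw in users_with_role(TOMCAT_USERS_XML, "xeac-admin").items():
        print(name, "ok" if has_pw else "EMPTY PASSWORD")
```

Point the two constants at the real files (read them from disk) to audit a live installation; an empty result from roles_protecting means the constraint did not land where the wiki says it should.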
Note: The backend XForms web form pages do not function via Apache ProxyPass, so you will have to access the administrative section through Orbeon directly on port 8080. The public user interface does function behind ProxyPass.