Deploy to GitHub pages

auth.html

@@ -0,0 +1,177 @@
+<!DOCTYPE html>
+<!--
+ | Generated by Apache Maven Doxia Site Renderer 1.9.2 from src/site/markdown/auth.md at 2023-12-07
+ | Rendered using Apache Maven Fluido Skin 1.8
+-->
+<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
+  <head>
+    <meta charset="UTF-8" />
+    <meta name="viewport" content="width=device-width, initial-scale=1" />
+    <meta name="generator" content="Apache Maven Doxia Site Renderer 1.9.2" />
+    <title>digilib - The Digital Image Library &#x2013; Access control</title>
+    <link rel="stylesheet" href="./css/apache-maven-fluido-1.8.min.css" />
+    <link rel="stylesheet" href="./css/site.css" />
+    <link rel="stylesheet" href="./css/print.css" media="print" />
+    <script src="./js/apache-maven-fluido-1.8.min.js"></script>
+  </head>
+  <body class="topBarDisabled">
+    <div class="container-fluid">
+      <header>
+        <div id="banner">
+          <div class="pull-left"><a href="https://robcast.github.io/digilib/" id="bannerLeft"><h2>digilib - a versatile image viewing environment for the internet</h2>
+</a></div>
+          <div class="pull-right"><a href="https://robcast.github.io/digilib/" id="bannerRight"><img src="images/digilib-logo-small.png"  alt=""/></a></div>
+          <div class="clear"><hr/></div>
+        </div>
+
+        <div id="breadcrumbs">
+          <ul class="breadcrumb">
+        <li id="publishDate">Last Published: 2023-12-07<span class="divider">|</span>
+</li>
+          <li id="projectVersion">Version: 2.12-SNAPSHOT</li>
+          </ul>
+        </div>
+      </header>
+      <div class="row-fluid">
+        <header id="leftColumn" class="span2">
+          <nav class="well sidebar-nav">
+  <ul class="nav nav-list">
+   <li class="nav-header">Overview</li>
+    <li><a href="index.html" title="About digilib"><span class="none"></span>About digilib</a></li>
+    <li><a href="features.html" title="digilib features"><span class="none"></span>digilib features</a></li>
+    <li><a href="digilib-short.html" title="How digilib works"><span class="none"></span>How digilib works</a></li>
+    <li><a href="history.html" title="Ancient history"><span class="none"></span>Ancient history</a></li>
+   <li class="nav-header">Installation</li>
+    <li><a href="build-maven.html" title="Building digilib"><span class="none"></span>Building digilib</a></li>
+    <li><a href="install-digilib.html" title="Installing digilib"><span class="none"></span>Installing digilib</a></li>
+    <li><a href="server-setup.html" title="Server setup"><span class="none"></span>Server setup</a></li>
+    <li><a href="digilib-docker.html" title="digilib in Docker"><span class="none"></span>digilib in Docker</a></li>
+   <li class="nav-header">Configuration</li>
+    <li><a href="digilib-config.html" title="Configuring digilib"><span class="none"></span>Configuring digilib</a></li>
+    <li><a href="image-directories.html" title="Directory layout"><span class="none"></span>Directory layout</a></li>
+    <li><a href="java-settings.html" title="Java settings and tuning"><span class="none"></span>Java settings and tuning</a></li>
+    <li class="active"><a href="#"><span class="none"></span>Access control</a></li>
+    <li><a href="pdf-generator.html" title="PDF generation"><span class="none"></span>PDF generation</a></li>
+   <li class="nav-header">Development</li>
+    <li><a href="scaler-api.html" title="The digilib Scaler API"><span class="none"></span>The digilib Scaler API</a></li>
+    <li><a href="iiif-api.html" title="The digilib IIIF API"><span class="none"></span>The digilib IIIF API</a></li>
+    <li><a href="client-integration.html" title="Integrating digilib into your page"><span class="none"></span>Integrating digilib into your page</a></li>
+    <li><a href="plugins.html" title="Digilib plugins"><span class="none"></span>Digilib plugins</a></li>
+   <li class="nav-header">Project Documentation</li>
+    <li><a href="project-info.html" title="Project Information"><span class="icon-chevron-right"></span>Project Information</a></li>
+  </ul>
+          </nav>
+          <div class="well sidebar-nav">
+            <hr />
+            <div id="poweredBy">
+              <div class="clear"></div>
+              <div class="clear"></div>
+              <div class="clear"></div>
+<a href="http://maven.apache.org/" title="Built by Maven" class="builtBy"><img class="builtBy"  alt="Built by Maven" src="https://maven.apache.org/images/logos/maven-feather.png"    /></a>
+<a href="../../" title="Hosted by GitHub" class="builtBy"><img class="builtBy"  alt="Hosted by GitHub" src="https://github.githubassets.com/images/modules/logos_page/GitHub-Logo.png"   width="100px"  /></a>
+<a href="http://www.sourceforge.net/" title="Previously hosted by SourceForge" class="builtBy"><img class="builtBy"  alt="Previously hosted by SourceForge" src="https://upload.wikimedia.org/wikipedia/commons/0/0b/Sourceforge_logo.png"   width="100px"  /></a>
+            </div>
+          </div>
+        </header>
+        <main id="bodyColumn"  class="span10" >
+<h1>Access control</h1>
+<p>If all your images are free and available to everybody or if your server is not reachable from the internet then congratulations, you can run digilib without authorization: Leave the <a href="digilib-config.html">digilib-config</a> setting</p>
+
+<div class="source">
+<div class="source"><pre class="prettyprint">use-authorization=false
+</pre></div></div>
+
+<p>and ignore the rest of this chapter.</p>
+<p>But if you have some images that are freely available and others that should be only visible to some users then you need to set</p>
+
+<div class="source">
+<div class="source"><pre class="prettyprint">use-authorization=true
+</pre></div></div>
+
+<p>and configure digilib&#x2019;s authentication and authorization mechanism.</p><section>
+<h2><a name="Authentication_and_authorization"></a>Authentication and authorization</h2>
+<p>digilib has different mechanisms for the tasks of <i>authentication</i> - establishing the identity of the user requesting the image (more accurately the roles associated to this identity) - and <i>authorization</i> - establishing the rules for accessing specific images (the roles required to access the image).</p>
+<p>The authe<b>n</b>tication mechanism is implemented by the digilib.auth.Auth<b>n</b>Ops interface implemented through the class configured in the <code>digilib-config</code> parameter <code>authnops-class</code> while the authori<b>z</b>ation mechanism is implemented by the digilib.auth.Auth<b>z</b>Ops interface implemented through the class configured in <code>authzops-class</code>.</p>
+<p>All authentication and authorization classes are configured through different elements in the XML config file</p>
+
+<div class="source">
+<div class="source"><pre class="prettyprint">digilib-auth.xml
+</pre></div></div>
+
+<p>in the <code>WEB-INF</code> directory (the file name can be configured with the <code>digilib-config</code> parameter <code>auth-file</code>).</p>
+<p>In short: you need to set both <code>authnops-class</code> and <code>authzops-class</code> in <code>digilib-config</code> with two of the classes described below (or implement your own) and create a <code>digilib-auth.xml</code> file with the configuration for the chosen implementations.</p><section>
+<h3><a name="Authentication:_IpAuthnOps"></a>Authentication: IpAuthnOps</h3>
+<p><code>digilib.auth.IpAuthnOps</code> assigns roles based on the IP address of the user requesting the image. This works well for situations where all users of the local network are allowed to access resources. The class reads the tag <code>digilib-adresses</code> from <code>digilib-auth.xml</code>:</p>
+
+<div class="source">
+<div class="source"><pre class="prettyprint">&lt;digilib-addresses&gt;
+  &lt;address ip=&quot;130.92.68&quot; role=&quot;eastwood-coll,ptolemaios-geo&quot; /&gt;
+  &lt;address ip=&quot;130.92.151&quot; role=&quot;wtwg&quot; /&gt;
+  &lt;address ip=&quot;0:0:0:0:0:0:0:1&quot; role=&quot;local&quot; /&gt;
+&lt;/digilib-addresses&gt;
+</pre></div></div>
+
+<p>A computer with an ip address that matches <code>ip</code> is automatically granted all roles under <code>role</code>. The ip address is matched from the left (in full quads). Roles under &#x201c;role&#x201d; must be separated by comma only (no spaces).</p>
+<p>Caution: If you run your Servlet Container (Tomcat) behind Apache or another reverse proxy then Tomcat only sees the IP address of the proxy server for all connections. You need to configure Tomcat to honor the <code>X-Forwarded-For</code> and <code>X-Forwarded-Proto</code> headers.</p></section><section>
+<h3><a name="Authentication:_IpServletAuthnOps"></a>Authentication: IpServletAuthnOps</h3>
+<p><code>digilib.auth.IpServletAuthnOps</code> assigns roles based on the IP address of the user requesting the image (see <code>IpAuthnOps</code> above) and uses the <code>ServletRequest.isUserInRole()</code> function of the Servlet Container if the roles provided by the IP address are not sufficient.</p>
+<p>Using authentication information from the Servlet Container requires that the Servlet Container is configured for authentication. For information about this please refer to the documentation of your Servlet Container.</p>
+<p>For Tomcat 8 there is documentation at (<a class="externalLink" href="https://tomcat.apache.org/tomcat-8.0-doc/realm-howto.html">https://tomcat.apache.org/tomcat-8.0-doc/realm-howto.html</a>)[https://tomcat.apache.org/tomcat-8.0-doc/realm-howto.html] Note that you need to configure a <code>&lt;security-constraint&gt;</code> in <code>web.xml</code> to force the server to ask for a password (there is an old example in <code>web-additional.xml</code>).</p></section><section>
+<h3><a name="Authentication:_OpenIdAuthnOps"></a>Authentication: OpenIdAuthnOps</h3>
+<p><code>digilib.auth.OpenIdAuthnOps</code> assigns roles based on an <a class="externalLink" href="http://openid.net/">OpenId-Connect</a> token passed with the request. The token can be passed either in the URL parameter <code>id_token</code> or as a cookie with the name <code>id_token</code> (the name of the cookie can be configured with the <code>digilib-config</code> parameter <code>authn-token-cookie</code>).</p>
+<p>The class reads the tag <code>digilib-oauth</code> from <code>digilib-auth.xml</code>:</p>
+
+<div class="source">
+<div class="source"><pre class="prettyprint">&lt;digilib-oauth&gt;
+  &lt;openid issuer=&quot;https://id.some.where&quot; clientid=&quot;myclient&quot; roles=&quot;openid-users&quot; keytype=&quot;jwk&quot;&gt;
+    {&quot;kty&quot;:&quot;RSA&quot;,&quot;e&quot;:&quot;AQAB&quot;,&quot;kid&quot;:&quot;rsa1&quot;,&quot;alg&quot;:&quot;RS256&quot;,&quot;n&quot;:&quot;qt6yOiI_wCoCVlGO0MySsez...Lf9by7TGw&quot;}   
+  &lt;/openid&gt;
+&lt;/digilib-oauth&gt;
+</pre></div></div>
+
+<p>The <code>openid</code> tag defines roles (in <code>role</code>, separated by comma only, no spaces) that will be granted to the user that provides a valid token from the given server. The server is identified by the url in <code>issuer</code>, the client id in <code>clientid</code> and the public key of the server in JWK format as content of the tag. There can be multiple <code>openid</code> tags.</p>
+<p>To set up a connection with an OpenId-Connect identity server you usually have to enter the URL of your digilib instance as a redirect URL and the client id that you chose and make sure that the server answers requests with <code>response_type=id_token</code>. The public key of the server in JWK format can often be requested from the server by adding <code>/jwk</code> to the URL.</p>
+<p>To automatically authenticate with OpenId in the digilib Javascript frontend you can use the digilib plugin <code>jquery.digilib.oauth.js</code> and configure it with the URL of the ID server as <code>authServerUrl</code> and the client id as <code>authClientId</code>. This will give you an extra login button that authenticates the user by redirecting her to the ID server. You can additionally set <code>authOnErrorMode</code> to true to automatically authenticate the user whenever the image from the digilib server doesn&#x2019;t load which is usually caused by missing authentication (there is an example in <code>jquery/digilib-auth.html</code>).</p></section><section>
+<h3><a name="Authentication:_IpOpenIdAuthnOps"></a>Authentication: IpOpenIdAuthnOps</h3>
+<p><code>digilib.auth.IpOpenIdAuthnOps</code> assigns roles based on the IP address of the user requesting the image (see <code>IpAuthnOps</code> above) and uses an OpenId-Connect token passed with the request (see <code>OpenIdAuthnOps</code> above) if the roles provided by the IP address are not sufficient.</p></section><section>
+<h3><a name="Authorization:_PathAuthzOps"></a>Authorization: PathAuthzOps</h3>
+<p><code>digilib.auth.PathAuthzOps</code> requests roles based on the directory path of the requested image. All images in the given directory and all its subdirectories can be accessed only if the user can provide one of the requested roles.</p>
+<p>The class reads the tag <code>digilib-paths</code> from <code>digilib-auth.xml</code>:</p>
+
+<div class="source">
+<div class="source"><pre class="prettyprint">&lt;digilib-paths&gt;
+  &lt;path name=&quot;histast/eastwood-collection&quot; role=&quot;eastwood-coll&quot;/&gt;
+  &lt;path name=&quot;documents/nonpublic&quot; role=&quot;openid-user,eastwood-coll&quot;/&gt;
+&lt;/digilib-paths&gt;
+</pre></div></div>
+
+<p>A user must supply one of the roles in <code>role</code> to access the directory in <code>name</code>. Roles in <code>role</code> must be separated by comma only (no spaces).</p></section><section>
+<h3><a name="Authorization:_MetaAccessAuthzOps"></a>Authorization: MetaAccessAuthzOps</h3>
+<p><code>digilib.auth.MetaAccessAuthzOps</code> requests roles using &#x201c;access&#x201d; information in the file metadata.</p>
+<p>This requires a <code>FileMeta</code> implementation (configured in the <code>filemeta-class</code> parameter of <code>digilib-config</code>) that provides an <code>access</code> key in the metadata returned by <code>DocuDirent.getMeta().getFileMeta()</code> like <code>digilib.meta.IndexMetaFileMeta</code>.</p>
+<p>The class reads the tag <code>digilib-access</code> from <code>digilib-auth.xml</code>:</p>
+
+<div class="source">
+<div class="source"><pre class="prettyprint">&lt;digilib-access&gt;
+  &lt;access type=&quot;group:mpiwg&quot; role=&quot;mpiwg-user&quot;/&gt;
+  &lt;access type=&quot;default&quot; role=&quot;&quot;/&gt;
+&lt;/digilib-access&gt;
+</pre></div></div>
+
+<p>A user must supply one of the roles in <code>role</code> to access any object with a metadata access value matching <code>type</code>. Roles in <code>role</code> must be separated by comma only (no spaces).</p>
+<p>The access type <code>default</code> is special, it applies to all objects without metadata access information.</p>
+<p><code>digilib.meta.IndexMetaFileMeta</code> reads XML files conforming to the <a class="externalLink" href="http://intern.mpiwg-berlin.mpg.de/digitalhumanities/mpiwg-metadata-documentation/formate/indexmeta-standard">&#x201c;index.meta&#x201d; specification</a> and extracts image information from the <code>meta/img</code> tag and access information from the <code>meta/access-conditions</code> tag (see also class <code>digilib.meta.IndexMetaAuthLoader</code>).</p></section></section>
+        </main>
+      </div>
+    </div>
+    <hr/>
+    <footer>
+      <div class="container-fluid">
+        <div class="row-fluid">
+            <p>Copyright &#169;      2001&#x2013;2023<a href="https://robcast.github.io/digilib/">digilib Community</a>.
+.</p>
+        </div>
+      </div>
+    </footer>
+  </body>
+</html>