[opencms-dev] Basic or forms-based authentication for folders - how?

RReppel at burntsand.com RReppel at burntsand.com
Tue Sep 23 19:06:01 CEST 2003


Claus,

... I have found one way of doing basic authentication for folders:

1. Edit tomcat-users.xml to contain a copy of the users and roles defined in
OpenCMS. (I'm no Tomcat expert, but it seems likely that Tomcat can be made
to authenticate against the same authentication source which OpenCMS uses,
in which case this step shouldn't be necessary anymore.)

2. Put the appropriate <security-constraint> into
$CATALINA_HOME/webapps/opencms/WEB-INF/web.xml. 

Example:

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>HealthProfessionals</web-resource-name>
            <description>
                Security constraint for resources in the intra directory
            </description>
            <url-pattern>/*</url-pattern>
            <http-method>POST</http-method>
            <http-method>GET</http-method>
        </web-resource-collection>
        <!-- Users must hold one of these roles (see tomcat-users.xml) -->
        <auth-constraint>
            <description>Constraint for Health Professionals</description>
            <role-name>Administrators</role-name>
            <role-name>manager</role-name>
        </auth-constraint>
        <user-data-constraint>
            <description>SSL not required</description>
            <transport-guarantee>NONE</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

    <!-- Prompt for credentials using HTTP Basic authentication -->
    <login-config>
        <auth-method>BASIC</auth-method>
    </login-config>

    <security-role>
        <description>Health Professionals Role</description>
        <role-name>Administrators</role-name>
    </security-role>

Haven't tested it fully yet, but this seems to work so far ...

Regards,

Robert

-----Original Message-----
From: Claus Priisholm [mailto:cpr at codedroids.com] 
Sent: Tuesday, September 23, 2003 6:42 AM
To: opencms-dev at opencms.org
Subject: Re: [opencms-dev] Basic or forms-based authentication for folders -
how?


Me too :-)

I have the same idea of using the permissions as a generic access 
control for the site as well. Haven't had any luck so far though. I can
understand why I would get an error upon publishing and thus 
exporting a 'static' resource, since once exported it is really not in 
the hands of OpenCms any longer so it cannot really enforce any logic. 
But 'dynamic' pages could be enforced by OpenCms.
I guess that combining Apache (possibly Tomcat) realms with the user 
database of OpenCms could achieve some of the wanted effect, but there 
would still be a problem with the navigation method as it returns all 
the resources independently of permissions (at least it seemed to be 
what happened when I tried).

So I would appreciate any pointers as well, to whether the access 
control of OpenCms workplace extends (or can be extended) to include 
the non-static-exported parts of a site as well.

On Friday, Sep 19, 2003, at 18:57 Europe/Copenhagen, 
RReppel at burntsand.com wrote:

> Hi,
>
> I'm trying to protect a subfolder via Basic Authentication, i.e. there is a
> part of my site which is available to the public and another one for which
> login is required. Can this be done with the built-in security mechanisms of
> OpenCMS?
>
> One approach I have tried is to go into the OpenCMS Workplace and remove the
> "r" and "v" permissions for "Others" on the folder to be protected. However,
> upon publishing this leads to the following error message:
>
> Exception com.opencms.core.CmsException: 31 Access denied to resource. 
> Detailed error: [com.opencms.file.mySql.CmsResourceBroker]
> /default/vfs/intra/index.html.
>
> .... Where "intra" is the name of the folder I'm trying to protect.
>
>
> Is there another way of doing this?
>
> If so, is forms-based authentication supported?
>
> Thanks for your help.
>
> Regards,
>
> Robert
> _______________________________________________
> This mail is sent to you from the opencms-dev mailing list
> To change your list options, or to unsubscribe from the list, please visit
> http://mail.opencms.org/mailman/listinfo/opencms-dev
>
>
--
Claus Priisholm
+45 48 22 46 46, fax: +45 48 22 46 43
cpr at codedroids.com
http://www.codedroids.com
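
A check for the web.xml approach in the reply above, added here as an example and not part of the original thread: it parses a namespace-free (Servlet 2.3 style) web.xml and reports constraints that list only some HTTP methods, BASIC/FORM logins without a transport guarantee, and roles used without a <security-role> declaration. The function name audit_web_xml and the embedded sample document are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the constraint from the message above, wrapped in <web-app>.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HealthProfessionals</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>POST</http-method>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>Administrators</role-name>
      <role-name>manager</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method></login-config>
  <security-role><role-name>Administrators</role-name></security-role>
</web-app>"""

def texts(node, path):
    """Stripped text of every element matching path below node."""
    return [(e.text or "").strip() for e in node.findall(path)]

def audit_web_xml(xml_text):
    """Return a list of findings for a namespace-free web.xml (hypothetical helper)."""
    root = ET.fromstring(xml_text)
    findings = []
    declared = set(texts(root, "security-role/role-name"))
    auth = (root.findtext("login-config/auth-method") or "").strip().upper()
    for sc in root.findall("security-constraint"):
        name = (sc.findtext("web-resource-collection/web-resource-name") or "?").strip()
        methods = texts(sc, "web-resource-collection/http-method")
        if methods:  # a listed method restricts the constraint to those methods only
            findings.append(f"{name}: only {sorted(methods)} constrained; other methods not covered")
        guarantee = (sc.findtext("user-data-constraint/transport-guarantee") or "NONE").strip()
        if auth in ("BASIC", "FORM") and guarantee == "NONE":
            findings.append(f"{name}: {auth} credentials may travel without TLS")
        for role in texts(sc, "auth-constraint/role-name"):
            if role != "*" and role not in declared:
                findings.append(f"{name}: role '{role}' has no <security-role> declaration")
    return findings

if __name__ == "__main__":
    for finding in audit_web_xml(WEB_XML):
        print(finding)
```
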
