[opencms-dev] Restrict Access To OpenCMS

Brett Sheeran brett.sheeran at gmail.com
Tue Aug 25 09:31:25 CEST 2009 

Hi,

I want to allow HTTP requests to OpenCMS only under the following two
conditions:
1. From a specific IP Address (a proxy) where requests *never* require
a login, and
2. From any other IP address, but *only* after logging in with
username and password.

I have explored two options (Apache or OpenCMS authentication.
However, I am struggling to implement either. Can anyone suggest
solution to my problems please? Details as follows.

I am running OpenCMS 7.5 on Tomcat. The two options I considered are
described below.

1. APACHE AUTHENTICATION (Perferred option)
This method involved setting up Tomcat to only allow requests from two
IP Addresses. One of these would be the existing (no login) proxy that
does not require authentication. The other would be a new Apache proxy
with authentication configured in httpd.conf like this:

<VirtualHost *:443>
  ServerName localhost

  <Proxy *>
    AddDefaultCharset Off
    Order deny,allow
    Allow from all
    AuthName Internet
    AuthType Basic
    AuthUserFile "C:\Program Files\Apache Software
Foundation\Apache2.2\conf\passwords"
    require valid-user
  </Proxy>

  ProxyPass	/ http://123.456.89.90:80/
  ProxyPassReverse	/ http://123.456.89.90:80/

</VirtualHost>

Unfortunately, the Apache authentication somehow interferes with
OpenCMS authentication. I am finding that requests from guest users
return HTML, but *not* associated CSS and images. Whereas, if the user
*is* logged in, OpenCMS will serve images and CSS. Furthermore, if I
remove authorization parameters from httpd.conf (Auth* and request)
then OpenCMS *will* serve images and CSS. Apache authentication is my
preferred option, mainly because it allows me to use https with login
access.


2. OPENCMS AUTHENTICATION
I would set OpenCMS security so that guest users did not have rights
to any pages. I would then create an account called "proxy" that had
rights to view all pages. Then I would create a servlet filter that
would examine the IP address and automatically login as the "proxy"
user *if* the IP Address matched the proxy server. If not, then a
login page is displayed. My problem here is (maybe I'm an idiot) but I
cannot find "login" and "isLoggedIn" methods suitable for use in a
servlet filter. I have used CmsJspLoginBean within my login.jsp page
however, CmsJspLoginBean requires a PageContext parameter isn't
availible in a Servlet Filter.

Any suggestions?

Thank you.

Regards Brett S

More information about the opencms-dev mailing list