[opencms-dev] Restrict Access To OpenCMS

[Stephan Hartmann]

Hi Brett,

for your preferred solution you posted too few information i think. E.g. 
How did you setup OpenCms with Tomcat? Standalone or with another Apache 
in front with stripping off /opencms/opencms/? How does your other vhost 
configuration look like?

For option two, it would be possible to add Basic-Authentication headers 
with the login credentials of your OpenCms proxy user to the requests. 
This could be done with a ServletFilter as well as directly in your 
vhost configuration in Apache. OpenCms will login a user automatically 
if the request provides Basic-Authentication headers (this was at least 
true for OpenCms 6.2.3). I tested it in a setup where a WebSEAL in front 
of OpenCms performed authentication and authorization concerns.

Best regards,
Stephan


Brett Sheeran schrieb:
> Hi,
>
> I want to allow HTTP requests to OpenCMS only under the following two
> conditions:
> 1. From a specific IP Address (a proxy) where requests *never* require
> a login, and
> 2. From any other IP address, but *only* after logging in with
> username and password.
>
> I have explored two options (Apache or OpenCMS authentication.
> However, I am struggling to implement either. Can anyone suggest
> solution to my problems please? Details as follows.
>
> I am running OpenCMS 7.5 on Tomcat. The two options I considered are
> described below.
>
> 1. APACHE AUTHENTICATION (Perferred option)
> This method involved setting up Tomcat to only allow requests from two
> IP Addresses. One of these would be the existing (no login) proxy that
> does not require authentication. The other would be a new Apache proxy
> with authentication configured in httpd.conf like this:
>
> <VirtualHost *:443>
>   ServerName localhost
>
>   <Proxy *>
>     AddDefaultCharset Off
>     Order deny,allow
>     Allow from all
>     AuthName Internet
>     AuthType Basic
>     AuthUserFile "C:\Program Files\Apache Software
> Foundation\Apache2.2\conf\passwords"
>     require valid-user
>   </Proxy>
>
>   ProxyPass	/ http://123.456.89.90:80/
>   ProxyPassReverse	/ http://123.456.89.90:80/
>
> </VirtualHost>
>
> Unfortunately, the Apache authentication somehow interferes with
> OpenCMS authentication. I am finding that requests from guest users
> return HTML, but *not* associated CSS and images. Whereas, if the user
> *is* logged in, OpenCMS will serve images and CSS. Furthermore, if I
> remove authorization parameters from httpd.conf (Auth* and request)
> then OpenCMS *will* serve images and CSS. Apache authentication is my
> preferred option, mainly because it allows me to use https with login
> access.
>
>
> 2. OPENCMS AUTHENTICATION
> I would set OpenCMS security so that guest users did not have rights
> to any pages. I would then create an account called "proxy" that had
> rights to view all pages. Then I would create a servlet filter that
> would examine the IP address and automatically login as the "proxy"
> user *if* the IP Address matched the proxy server. If not, then a
> login page is displayed. My problem here is (maybe I'm an idiot) but I
> cannot find "login" and "isLoggedIn" methods suitable for use in a
> servlet filter. I have used CmsJspLoginBean within my login.jsp page
> however, CmsJspLoginBean requires a PageContext parameter isn't
> availible in a Servlet Filter.
>
> Any suggestions?
>
> Thank you.
>
> Regards Brett S
>
> _______________________________________________
> This mail is sent to you from the opencms-dev mailing list
> To change your list options, or to unsubscribe from the list, please visit
> http://lists.opencms.org/mailman/listinfo/opencms-dev
>
>