LDN - CodeStorm 2009

Protected directory for internal documents?

Is there a directory available on the system where we can put documents (word, pdfs, etc.) and have them only available to a user that is logged into luminis?  If not, how can I set one up?  We need to figure out someplace to put them.  We've tried groups but users who aren't familiar with groups have a hard time accessing the documents.  Currently we have the documents on a public server and are linking to them from luminis, however some documents shouldn't be available to the public.  Any ideas on how to do this?  I know how to use CAS to protect html pages, but can the same be done to protect a directory?

Did you check

Did you check this posting? I would start there.

http://www.lumdev.net/node/917

We perform what you are requesting via a custom JSP script that checks authentication via the iPerson object, and grabs role membership information as well to limit access even further.

protected directory

Not exactly, that would work with html pages, but I want to be able to protect anything inside a directory.  That way we could put word and pdf documents in the directory, and allow anyone in the portal access to them, but deny them access if they are not logged it.

It works for us for all types

It works for us for all types of documents, albeit via custom scripting. Basically, the script reads in the file and sends it back to the browser (assuming the user has the permissions to view it and it's confirmed to be a "safe" file to read).

tomcat directory sec.

The hacky way would be to use an existing directory that has protection as the parent.  Like cp_root/jsp.

If you had some directory like /mnt/san/myfilestorage you could "ln -s /mnt/san/myfilestorage cp_root/jsp/myfilestorage"  and then https://yourwebserver/jsp/myfilestorage would be protected by the permissions that the jsp directory already has.

To change permissions on a new directory would be more involved.  I think you'd need to use tomcat's security manager.  http://tomcat.apache.org/tomcat-5.5-doc/security-manager-howto.html

I've never toyed with it, so I wouldn't be able to offer advice.  

tomcat directory sec.

Adding a directory does do the job, however I would rather have a separate directory rather than adding it to the jsp one.

Looking at live headers it looks like the server tests to see if the cookie is set; if it is then it opens the file, if it isn't it forwards the user to /jsp/misc/timedout.jsp.

Never used the security manager either, so I don't know how hard it is to set it up to do this.

tomcat directory sec.

You might try taking advantage of the security that Luminis uses.  I think it is defined in 

cp_root/webapps/luminis/WEB-INF/config/websecure.xml

I can see sections like:

<NODE name="myqa">
    <LABEL name="secure"> opt </LABEL>
    <LABEL name="sessionRequired"> no </LABEL>
    <NODE name="myqa_edit.jsp">
        <LABEL name="secure"> true </LABEL>
        <LABEL name="sessionRequired"> yes </LABEL>
    </NODE>

and

<NODE name="jsp">
    <NODE name="admin">
        <LABEL name="secure"> true </LABEL>
        <NODE name="Admin.jsp">
        </NODE>
        <NODE name="AdminTopnav.jsp">
        </NODE>
        <NODE name="menu.jsp">

Which appear to correspond with directory and file permissions. I assume (never tried it) you could make a directory and add a "node" to the websecure file and control it using the secure and sessionRequired labels.

tomcat directory sec.

Here's what I tried, but I couldn't get it to work; I'm still able to open the file without being authenticated.  I put the directory above the jsp lines so it would be contained in the same node as the jsp node.

<NODE name="Docs">
    <LABEL name="auth-method"> FORM </LABEL>
    <LABEL name="secure"> true </LABEL>
    <LABEL name="sessionRequired"> yes </LABEL>
    <NODE name="sample_file.docx">
    </NODE>
</NODE>

tomcat directory sec.

I wonder if you are going to define things at the file level, if you then have to label the files.  I'd try two things:

1.  Don't put a file in, instead just define the node and see if it protects everything like:
<NODE name="Docs">
    <LABEL name="secure"> true </LABEL>
    <LABEL name="sessionRequired"> yes </LABEL>
</NODE>

or try

2.  Additionally label the file:
<NODE name="Docs">
    <LABEL name="auth-method"> FORM </LABEL>
    <LABEL name="secure"> true </LABEL>
    <LABEL name="sessionRequired"> yes </LABEL>
    <NODE name="sample_file.docx">
        <LABEL name="secure"> true </LABEL>
        <LABEL name="sessionRequired"> yes </LABEL>
    </NODE>
</NODE>

tomcat directory sec.

Still didn't work.  I just wonder if there is more to the security than that file.

tomcat directory sec.

I looked around and didn't find anything else.  catalina.policy in the tomcat dir doesn't have listed directory permissions, and server.policy in the cp_webinf/conf directory has java permissions set for cp_root, but no sub-directories.

The permissions might be built into the application, hidden in class files or something.  Maybe someone else knows, good luck.

secure directory - defect

It looks like we were on the right track with the websecure.xml, however it's a noted defect.

Defect #: 1-6DWS4S

Proxy

We've solved a similar problem a while back by using a proxy server.

Way back when, our Intranet was protected by Apache to inside-the-college IP numbers.  Our solution to providing the Intranet in the portal was to put it through a proxy server (that had an inside IP). The proxy server checks for a cookie created at portal login time, and now outside is inside.

I'm not giving all the details here, but it's an approach to take. In order to make it work you would need a usable cookie from the login (we create our own at login time) and a proxy server that checks for cookies (we modified an open source one).

Bob.

Tomcat Filter

I'm about to deploy a variation on this:

www.lumdev.net/node/2554

Essentially you create a Tomcat filter that will force authentication for any static files served from one or more directories that you specify in WEB-INF/web.xml. I modified the code a bit to redirect users to the portal's login page, and then back to the requested file after they successfully authenticate.
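A filter of the kind this post describes, written here as an added example; it is not the node/2554 code or anything posted in this thread. The init-param names, the session attribute the portal is assumed to set at login, the login page path and the returnTo parameter are all assumptions, and the portal login would have to honour returnTo to send the user back to the file.

```java
import java.io.IOException;
import java.net.URI;
import java.net.URLEncoder;
import javax.servlet.*;
import javax.servlet.http.*;

/*
 * Hypothetical filter, mapped to /* in WEB-INF/web.xml. Init-params (names assumed):
 *   protectedPrefixes = "/Docs/,/internal/"  loginPage = "/path/to/login.jsp" (placeholder)
 *   sessionAttribute  = "portalUser"         (attribute the portal login stores in the session)
 */
public class StaticDocAuthFilter implements Filter {
    private String[] prefixes;
    private String loginPage;
    private String sessionAttribute;

    public void init(FilterConfig cfg) {
        prefixes = cfg.getInitParameter("protectedPrefixes").split(",");
        loginPage = cfg.getInitParameter("loginPage");
        sessionAttribute = cfg.getInitParameter("sessionAttribute");
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // Path below the context root with dot segments collapsed, so "/Docs/../Docs/x" is judged as "/Docs/x"
        String path = URI.create(request.getRequestURI()).normalize().getPath()
                .substring(request.getContextPath().length());
        if (isProtected(path) && !isLoggedIn(request)) {
            // Send the user to the portal login page, carrying the original URL so it can return them afterwards
            String original = request.getRequestURI()
                    + (request.getQueryString() == null ? "" : "?" + request.getQueryString());
            response.sendRedirect(request.getContextPath() + loginPage
                    + "?returnTo=" + URLEncoder.encode(original, "UTF-8"));
            return;
        }
        chain.doFilter(req, res);   // logged in, or not a protected path: let Tomcat serve the file
    }

    private boolean isProtected(String path) {
        for (String p : prefixes) if (path.startsWith(p.trim())) return true;
        return false;
    }

    // An existing session is not proof of login; the portal must have stored the marker attribute at login time
    private boolean isLoggedIn(HttpServletRequest request) {
        HttpSession s = request.getSession(false);
        return s != null && s.getAttribute(sessionAttribute) != null;
    }

    public void destroy() { }
}
```

Because the filter is mapped to /*, it also sees requests for the login page itself, so the login page must not live under one of the protected prefixes or unauthenticated users would loop.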