Hi all,
Just have a quick question in regards to allowing apache authentication rather than using default logins…
If I select to use it, I expect that MySource would check for a valid PHP_AUTH_USER & PHP_AUTH_PW in the http headers and then still check against the internal user list before allowing the user access to the system?
If yes, second part of the question would be is this setting a global setting for the whole site, including password protected areas, or can it be limited to particular areas of the site.
The reason I am asking is we are currently using some Novell Identity management products with a reverse proxy that authenticates external users to allow access to internal applications.
Trying to get my head around for evaluation purposes whether this product will support access to what we deem secure content which is visible by external customers, using a single username and login for all extranet applications……
Anyone have any thoughts???
- From Matrix v3.6, we check for either PHP_AUTH_USER or REMOTE_USER from Apache's headers. These are then compared to valid user IDs configured within Matrix or accessible via the LDAP bridge. If a match is found, Matrix logs the user in using the found user account details.
- Permissions work exactly the same as if the user manually logs on. All the integrated mechanism does is allow Matrix to automatically authenticate a user. Once they're authenticated, they are still restricted by the permissions set on each asset.
However, you don't need to use integrated login. Matrix's own LDAP Bridge will connect to Novell Directories (e.g. eDirectory). You could provide a login dialog box within the Matrix system that will use the same username/password as your other extranet applications.
Excellent that sounds like the answer I wanted to hear 
Now the only thing I need to work out is the use of absolute URLs by MySource, and how we can work around that…
Basically the Novell products run on a single URL…
https://xxx.xxx.sa.gov.au/appIdentity/requested_URI
So as the above URL shows the system is configured to read the ‘appIdentity’ which it then works out which server to send the request to and the port, and also works out what security access is required.
Then it sends the HTTP Headers with the username and password and the Requested URI without the appIdentity to the server to serve out the page and then returns the results through to the user in an encrypted SSL session.
What would be the best way to set up a site in MySource to still allow the requests to be made?
Interesting. Does the reverse authenticating proxy rewrite URLs to add the appIdentity to links within a page? This is the trickiest issue: Matrix writes URLs on the fly, based on the current URL of the page. If Matrix doesn't see the appIdentity bit, it won't add it to any of the URLs it generates.
I'm pretty sure we could get this to work, but it may require an Implementation Specialist to come out to your environment to track requests to Apache and see how Matrix resolves the URLs and such. I'm not sure we'll come up with a solution here in the forum without seeing how it works in practice.
Yes the reverse proxy when the content is served back out adds the appIdentity to the URL, hence why the administrator of that system prefers everything to be relative, not absolute…
The only way that I could think of is that, we include the extranet URL for the site:
https://xxx.xxx.sa.gov.au/ so when Matrix rewrites the URLs it produces
https://xxx.xxx.sa.gov.au/
and we maybe try and configure a rewrite rule on the authentication/gateway layer to append after https://xxx.xxx.sa.gov.au/ but before /path/to/URI the appIdentity
Something we need to think about I guess as the best way of handling it.
Yeah, that would be my recommendation.
Also remember that Apache may need to be configured to accept requests for xxx.xxx.sa.gov.au for the VirtualHost in which Matrix is configured and your reverse proxy may need to be configured to pass the original HOST_HEADER information across, so that Matrix writes the correct URLs back.
Or, if you can get your reverse proxy to rewrite the hostname as well as the URL, you could do that instead.
(Meanwhile, all these xxx's make me think the SA Government is planning some Porn Initiative.)
:blink:
Wouldn't that be some great revenue earner if the SA Govt did implement that? But I highly doubt it… 
Having lived in Adelaide for two years when I first got to Australia, I doubt it too. :lol: