
User Authentication (optional)

Table of Contents

User Authentication (optional)
IP List Authentication
LDAP Authentication
External Authentication

The dynaXML servlet can be configured to take advantage of user authentication to limit access to retrieved documents. The types of authentication available are IP List, LDAP, and External. A brief overview of each of these methods is provided in the following sections.

IP List Authentication

With this kind of authentication, the user's IP address is compared to a list of known IP addresses, and access permitted only if the user's IP address appears in the list. Installation of this kind of authentication simply consists of creating a text file whose contents are as follows:
; Authorize a single address.
168.192.12.8
 
; Authorize an address range.
123.89.122.5 - 123.89.122.73
 
; Authorize an address range using wildcards.
63.79.*.*
 
; Exclude an address from the previously authorized range.
exclude 63.79.123.42
 
; Exclude an address sub-range from the previously authorized range.
exclude 63.79.124.*
In this example, the first line authorizes a single IP address to access the document library through the dynaXML servlet. The second and third lines each authorize a range of IP addresses to access the document library, the third using the * wildcard character. The final two lines illustrate how to exclude a single address or an address range from a previously authorized IP range (in this case, from the range specified by the 63.79.*.* line). In all cases, lines that don't begin with an address or the word exclude are treated as comments, and blank lines are ignored.
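As an added illustration (not XTF's own code), here is a small parser for an "Authorized IP List" file in the format shown above, applied to the example file; the rule that the last matching line in file order decides, and that an address matching no line is denied, is an assumption of this demo.

```python
import ipaddress

# The example file from above, reproduced here as a constructed sample.
SAMPLE_IP_LIST = """\
; single address
168.192.12.8
; address range
123.89.122.5 - 123.89.122.73
; wildcard range, then two exclusions carved out of it
63.79.*.*
exclude 63.79.123.42
exclude 63.79.124.*
"""

def _matcher(text):
    """Predicate for one pattern: 'a - b' range (32-bit compare) or a dotted address with '*' octets."""
    text = text.strip()
    if "-" in text:
        lo, hi = (int(ipaddress.IPv4Address(p.strip())) for p in text.split("-", 1))
        return lambda n, octs: lo <= n <= hi
    octets = text.split(".")
    if len(octets) != 4 or not all(o == "*" or (o.isdigit() and int(o) < 256) for o in octets):
        raise ValueError(f"bad address pattern: {text!r}")
    pat = [o if o == "*" else str(int(o)) for o in octets]   # normalise "010" -> "10"
    return lambda n, octs: all(p in ("*", o) for p, o in zip(pat, octs))

def parse_ip_list(text):
    """Return [(allowed, matcher), ...] in file order. Lines not starting with an
    address or the word 'exclude' are comments; blank lines are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower().startswith("exclude"):
            rules.append((False, _matcher(line[len("exclude"):])))
        elif line[:1].isdigit():
            rules.append((True, _matcher(line)))
    return rules

def is_authorized(addr, rules):
    """The last rule in file order that matches addr decides; no match means denied."""
    ip = ipaddress.IPv4Address(addr)
    n, octs = int(ip), str(ip).split(".")
    decision = False
    for allowed, match in rules:
        if match(n, octs):
            decision = allowed
    return decision
```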

Once an "Authorized IP List" file has been created, the XSLT-based dynaXML Document Request Parser instructs the dynaXML servlet to authenticate users via IP List Authentication by inserting <auth> tags in its document retrieval requests. For more about modifying the Document Request Parser to generate IP List <auth> tags, see the XTF Programming Guide.

(Note: IP-address authentication is a relatively insecure method, as IP addresses can be spoofed. Yet it's often sufficient, and is certainly simple to implement.)


LDAP Authentication

The dynaXML servlet can also consult an LDAP database to authenticate users. Using this method requires that a working LDAP database exists on your server; a description of how to create, configure and install one is well beyond the scope of this document. For further assistance, please refer to your LDAP server documentation, or ask your system administrator.

As with IP List Authentication above, the dynaXML Document Request Parser instructs the dynaXML servlet to authenticate users with LDAP by inserting <auth> tags in its document retrieval requests. For more about modifying the Document Request Parser to generate LDAP <auth> tags, see the XTF Programming Guide.

(Note: dynaXML will use the HTTP "basic" protocol to obtain a user name and password. This method is insecure in that the password is transmitted "in the clear" and thus can easily be snooped. If security is of paramount concern, use the External Authentication mechanism described in the next section.)

External Authentication

The "external" authentication mechanism uses an external web page to check the user's permission, and uses a special protocol to ensure security during the transaction. External authentication provides great flexibility, allowing form-based login, Apache-style .htpasswd checking, Shibboleth, and any other method that uses a web page.

To use External Authentication you must have an HTTP server capable of receiving a URL request for user verification. The URL sent to the server will have the form:
where
returnpage is the dynaXML output page to return to once authentication is accepted.
somestring is a nonsense string that dynaXML generates as a unique ID specifically for this login attempt.

The web page specified by your-authentication-page is responsible for identifying and authenticating the user via a login script or some other method. Once your web page has authenticated the user, it should redirect the user's web browser to the URL specified by the returnto parameter. The redirect URL should have the form:

where
returnpage is the returnpage received in the original external authentication URL, and
hashvalue is a hex-encoded MD5 hash of the string somestring:key, with key being a secret key string known by both the external login page and the dynaXML servlet.

Use of the somestring value (also known as a "nonce") makes each login attempt unique and defends against replay attacks. Hashing the nonce together with the secret key ensures that the secret key cannot practically be guessed by an outsider, even though the nonce and hash value travel in URLs.
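Both sides of the exchange described above, as an added example rather than XTF's own code: compute_hashvalue is what the external login page must place in hashvalue (hex MD5 of somestring:key), and NonceRegistry models the servlet-side checks that make each nonce single-use and time-limited. SHARED_KEY, the registry class and its 300-second expiry are assumptions of this demo.

```python
import hashlib
import hmac
import secrets
import time

# Secret known only to the dynaXML servlet and the external login page.
# Constructed placeholder for the demo; a deployment uses its own value.
SHARED_KEY = "example-shared-secret"

def compute_hashvalue(nonce, key=SHARED_KEY):
    """External-page side: hex-encoded MD5 of 'somestring:key' as the guide specifies.
    The secrecy of the construction rests on the key and the fresh nonce, not on MD5 alone."""
    return hashlib.md5(f"{nonce}:{key}".encode("utf-8")).hexdigest()

class NonceRegistry:
    """Servlet side (modelled here): issue one random nonce per login attempt
    and accept each one at most once, and only while it is still fresh."""

    def __init__(self, ttl_seconds=300, now=time.time):
        self.ttl = ttl_seconds
        self.now = now            # injectable clock, so expiry can be tested
        self.pending = {}         # nonce -> time it was issued

    def issue(self):
        nonce = secrets.token_hex(16)   # 128 random bits: not guessable, not reusable
        self.pending[nonce] = self.now()
        return nonce

    def verify(self, nonce, hashvalue, key=SHARED_KEY):
        """Accept the redirect only if the nonce is outstanding, unexpired, and the
        hash matches. The nonce is consumed on any attempt, so a captured redirect
        URL cannot be replayed; the comparison is constant-time."""
        issued = self.pending.pop(nonce, None)
        if issued is None or self.now() - issued > self.ttl:
            return False
        expected = compute_hashvalue(nonce, key)
        return hmac.compare_digest(expected, hashvalue.lower())
```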

Like the previous two authentication methods, the dynaXML Document Request Parser instructs the dynaXML servlet to authenticate users via External Authentication by inserting <auth> tags in its document retrieval requests. For more about modifying the Document Request Parser to generate External <auth> tags, see the XTF Programming Guide.