Integrate with external authentication services

Owned by SK
Last updated: May 28, 2015

Institutions typically use different ways (Shibboleth, LDAP, etc.) to authenticate users. It is difficult to achieve a one-size-fits-all deployment to address all the different authentication in OLE. This bottleneck can be cleared by using a reverse proxy.

Reverse Proxy

A reverse proxy server is a specialized web server that inspects incoming requests and forwards them to another internal web server after any local processing is completed. It also inspects and makes sure that any response from the internal web server containing URLs are updated with the proper host address.

In our case, the reverse proxy server hosts an Apache HTTP server with modules to implement a proxy (mod_proxy) which would also host the authentication logic. Following successful authentication, the user is passed in the RequestHeader and the request is forwarded to the Tomcat server hosting OLE. Unsuccessful authentication is handled appropriately.

To get this working successfully a few configurations are needed. The significant ones are listed below for reference.

Configurations on the Apache Tomcat side

Authentication Filter Class

A custom authentication filter is not needed. The behavior of the default HttpServletRequest class is inline with expectations, as it picks up the REMOTE_USER passed in the RequestHeader.

Changes in web.xml

The web.xml file is found at <Application-root>/WEB-INF/

The file contains references to a filter, DummyLoginFilter, which needs to be removed. The filter class configured is DevelopmentLoginFilter which helps in forwarding the user to the login page without any need for password for authentication.

The following lines are to be removed from web.xml

Lines to remove in web.xml
<filter>
	<filter-name>DummyLoginFilter</filter-name>
    <filter-class>org.kuali.ole.sys.web.filter.DevelopmentLoginFilter</filter-class>
    <init-param>
    	<param-name>loginUser</param-name>
        <param-value>ole-quickstart</param-value>
    </init-param>
</filter>
<filter-mapping>
	<filter-name>DummyLoginFilter</filter-name>
    <servlet-name>action</servlet-name>
</filter-mapping>
<filter-mapping>
	<filter-name>DummyLoginFilter</filter-name>
	<servlet-name>dwr-invoker</servlet-name>
</filter-mapping>
<filter-mapping>
	<filter-name>DummyLoginFilter</filter-name>
	<servlet-name>batchFileUpload</servlet-name>
</filter-mapping>

Changes in server.xml

The server.xml file is found at <CATALINA_HOME>/conf/

If SSL is used, there could be problems while accessing certain search pages. This is because the URL is formed by using request.getRequestURL(), which ultimately comes from "scheme" part of the connector configuration in server.xml. So the scheme attribute should be set to 'https' and the port attribute to '443' for OLE to generate the proper URLs.

Connector configuration
<Connector port="8443" protocol="HTTP/1.1"
               connectionTimeout="20000"
               URIEncoding="UTF-8"
               scheme="https"
               proxyPort="443"/>

It is also imperative to check that all URL related information in common-config.xml and other files use relative URLs.

Backdoor Login

To remove the Backdoor Login () from the screen, the value in System Parameter, SHOW_BACK_DOOR_LOGIN_IND, can be set to 'N'.

Logout

The Logout button () invalidates the OLE session. However, the redirect URL needs to be configured. Currently it defaults to the Application URL.

The configuration can be specified as a parameter in the olefs-config-defaults.xml file as below

in olefs-config-defaults.xml
<param name="rice.portal.logout.redirectUrl">[Specify URL here]</param>

Alternatively, a System Parameter can be created with Namespace code KR-NS and Parameter Name, LOGOFF_REDIRECT_URL and the URL specified in Parameter Value and OLE would pick the URL as the redirect link. The value in the System Parameter overrides the configuration in olefs-config-defaults.xml.

It should be noted that though the Logout button invalidates the OLE session, the session established by the application residing on the Proxy Server may continue and may need to be handled externally.

Configurations on the Apache HTTP side

The configurations are done in the httpd.conf file.

Pass the REMOTE_USER in Header

The Apache 'headers' module needs to be enabled for this to work.

In the Location directive for the authenticated olefs app, right after the ProxyPass lines, the RequestHeader is set.

Sample Location directive with LDAP
RequestHeader set Remote-User %{REMOTE_USER}s

 Force HTTPS

The Apache 'rewrite' module needs to be enabled for this to work.

Under the Virtual Host Config, the rewrite conditions are to be mentioned.

rewrite
RewriteCond %{HTTPS} on
RewriteCond %{REQUEST_URI} (.*)olefs(/portal\.do)?$
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

Sample Configuration Files

Source: 

Error rendering macro 'jira' : Unable to locate Jira server for this macro. It may be due to Application Link configuration.

VirtualHost Config for Tomcat on 8080 
<VirtualHost *:80>
        ServerAdmin ccc2@lehigh.edu
        ServerName oletest.lib.lehigh.edu

        ProxyPreserveHost On
        RewriteEngine On

        DocumentRoot "/var/www/olehome"
        <Directory "/var/www/olehome">
                  Options Indexes FollowSymLinks Includes ExecCGI

                  #
                  # AllowOverride controls what directives may be placed in .htaccess files.
                  # It can be "All", "None", or any combination of the keywords:
                  #   AllowOverride FileInfo AuthConfig Limit
                  #
                  AllowOverride All
        </Directory>

        # For staff
        <Location /olefs>
                Redirect permanent / https://oletest.lib.lehigh.edu/
        </Location>

        # Allow from Library and Computing Center subnets.
        # Should be a shorter list, since anyone
        # who can go here can also go to oledocstore/bib/dataimport
        # We'll narrow this down later
        <Location /oledocstore>
                  Order Allow,Deny
                  Allow from 128.180.0 128.180.1 128.180.2 128.180.3 128.180.12 128.180.13 128.180.82 128.180.83
                  ProxyPass http://oletest.lib.lehigh.edu:8080/oledocstore
                  ProxyPassReverse /oledocstore
        </Location>

        # Allow from Linderman subnet
	# Also should be narrowed down more
        <Location /dataimport>
                  Order Allow,Deny
                  Allow from 128.180.82 128.180.83
                  ProxyPass http://oletest.lib.lehigh.edu:8080/oledocstore/bib/dataimport
                  ProxyPassReverse /dataimport
        </Location>

        # Accessible to outside
	# /ncip -> oleapp:8080/olefs/OLENCIPResponder
        # special Relais IP range and a few testing machines on campus
	<Location /ncip>
                  Order Allow,Deny
	          Allow from 66.201.221.194/29
                  Allow from 128.180.82.95
                  Allow from 128.180.82.4
                  ProxyPass http://oletest.lib.lehigh.edu:8080/olefs/OLENCIPResponder
                  ProxyPassReverse /ncip
        </Location>

	#/sru -> oleapp:8080/oledocstore/sru
        # open to world
        <Location /sru>
                  Order Allow,Deny
                  Allow from all
                  ProxyPass http://oletest.lib.lehigh.edu:8080/oledocstore/sru
                  ProxyPassReverse /sru
        </Location>

        #/documentrest/* -> oleapp:8080/oledocstore/documentrest/*
        # Probably only necessary from VuFind servers, but just limited to
        # library subnets for now
        <Location /documentrest>
                  Order Allow,Deny
                  Allow from 128.180.0 128.180.1 128.180.2 128.180.3 128.180.82 128.180.83 128.180.12 128.180.13
                  ProxyPass http://oletest.lib.lehigh.edu:8080/oledocstore/documentrest
                  ProxyPassReverse /documentrest
        </Location>
VirtualHost Config for Tomcat on 8443 
<VirtualHost _default_:443>
        ServerAdmin ccc2@lehigh.edu
	ServerName oletest.lib.lehigh.edu

        ProxyPreserveHost On
	ProxyRequests Off
        RewriteEngine On

        #Works to force SSL before auth, but then OLE redirects to
	#regular http, which asks for auth again ...
        #If I change OLE to have https in common-config.xml, then
	#search boxes don't work
        #RewriteCond %{HTTPS} off
        #RewriteCond %{REQUEST_URI} (.*)olefs(/portal\.do)?$
        #RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

        DocumentRoot "/var/www/olehome"
        <Directory "/var/www/olehome">
                  Options Indexes FollowSymLinks Includes ExecCGI

                  #
                  # AllowOverride controls what directives may be placed in .htaccess files.
                  # It can be "All", "None", or any combination of the keywords:
                  #   AllowOverride FileInfo AuthConfig Limit
                  #
                 #
                  AllowOverride All
	</Directory>

	# For staff
        <Location /olefs>
                  Order Allow,Deny
                  Allow from all

                  #mod_auth_form comes with Apache 2.4, which isn't in Wheezy ...
                  #AuthType form
                  #AuthName "ole"
                  #gives you the ability to log in with ldap OR userid and passwords in the AuthUserFile
                  #AuthFormProvider ldap file
                  #AuthLDAPBindAuthoritative off
                  #LDAPReferrals -- off below because of this error
                  #https://www.apachelounge.com/viewtopic.php?t=4851&view=next
                  #  LDAPReferrals Off
                  #AuthLDAPURL ldap://nis3.cc.lehigh.edu/dc=lehigh,dc=edu?uid
                  #AuthUserFile        /var/www/olehome/.htpasswd
                  #AuthFormLoginRequiredLocation http://oletest.lib.lehigh.edu/olehome/ldap.html
                  #AuthFormLoginSuccessLocation http://oletest.lib.lehigh.edu:8080/olefs
                  #require valid-user

                  # So we'll stick with Basic auth for now
                  AuthType Basic
                  AuthName "Lehigh OLE"
                  AuthzLDAPAuthoritative  off
                  AuthLDAPURL             "ldap://nis.cc.lehigh.edu/dc=lehigh,dc=edu?uid"
                  AuthBasicProvider       ldap file
                  AuthUserFile        /var/www/olehome/.htpasswd
                  require valid-user

                  ProxyPass http://oletest.lib.lehigh.edu:8443/olefs
                  ProxyPassReverse http://oletest.lib.lehigh.edu:8443/olefs

                  RequestHeader set Remote-User %{REMOTE_USER}s

        </Location>

        # Allow from Library and Computing Center subnets.
        # Should be a shorter list, since anyone
        # who can go here can also go to oledocstore/bib/dataimport
        # We'll narrow this down later
        <Location /oledocstore>
                  Order Allow,Deny
                  Allow from 128.180.0 128.180.1 128.180.2 128.180.3 128.180.12 128.180.13 128.180.82 128.180.83
                  ProxyPass http://oletest.lib.lehigh.edu:8443/oledocstore
                  ProxyPassReverse /oledocstore
        </Location>

        # Allow from Linderman subnet
        # Also should be narrowed down more
        <Location /dataimport>
                  Order Allow,Deny
                  Allow from 128.180.82 128.180.83
                  ProxyPass http://oletest.lib.lehigh.edu:8443/oledocstore/bib/dataimport
                  ProxyPassReverse /dataimport
        </Location>

       # Accessible to outside
        # /ncip -> oleapp:8443/olefs/OLENCIPResponder
        # special Relais IP range and a few testing machines on campus
        <Location /ncip>
                  Order Allow,Deny
                  Allow from 66.201.221.194/29
                  Allow from 128.180.82.95
                  Allow from 128.180.82.4
                  ProxyPass http://oletest.lib.lehigh.edu:8443/olefs/OLENCIPResponder
	          ProxyPassReverse /ncip
        </Location>

        #/sru -> oleapp:8443/oledocstore/sru
	# open to world
	<Location /sru>
                  Order Allow,Deny
                  Allow from all
                  ProxyPass http://oletest.lib.lehigh.edu:8443/oledocstore/sru
                  ProxyPassReverse /sru
        </Location>

        #/documentrest/* -> oleapp:8443/oledocstore/documentrest/*
        # Probably only necessary from VuFind servers, but just limited to
	# library subnets for now
        <Location /documentrest>
                  Order Allow,Deny
                  Allow from 128.180.0 128.180.1 128.180.2 128.180.3 128.180.82 128.180.83 128.180.12 128.180.13
                  ProxyPass http://oletest.lib.lehigh.edu:8443/oledocstore/documentrest
                  ProxyPassReverse /documentrest
        </Location>

       ... SSL configuration continues from here

Version related issues

Apache versions prior to Apache 2.4.4 (especially Apache 2.2.x shipped with Red Hat Enterprise Linux 6.x) cannot forward PATCH requests via the AJP protocol, which can interfere with some of OLE's APIs.

If you are experiencing HTTP 501 ("Method Not Implemented") errors, this may be the cause.  Check your Apache version and error logs for messages such as "ajp_marshal_into_msgb - No such method PATCH".

Possible Fixes

  1. Use mod_proxy_http instead of mod_proxy_ajp in your proxy setup.
  2. Use at least Apache 2.4.4 with mod_proxy_ajp.
  3. (Unverified) Use mod_jk instead of mod_proxy_ajp.

Operated as a Community Resource by the Open Library Foundation