Change of Authentication in Metamod 2.X

Type Access Authentication Password-store
Administration of Metamod http://server/adm BasicAuth-apache .htaccess-file
Administration of Tomcat http://server:XXXX/manager BasicAuth-tomcat tomcat-users-file
Access to upload-environment http://server/upl metamod metamod-file
Access to upload-environment ftp://server passwd PAM-configured
Administration of Metamod-server ssh:server passwd PAM-configured

The current implementation has some drawback, which are addressed by the following wishlist:

  1. one password store should be enough
  2. authentication methods security-level should be industry standard compliant
  3. single sign on

Using a directory server for authentication. The directory server needs to support user, passwords and groups. This can be i.e. any LDAP server.

  • BasicAuth is industry standard, with moderate to low security (depending on https).
  • ftp is industry standard, with low security.
  • ssh is industry standard, with moderate security.
  • metamod security is not tested. Metamod-application authentication will require lots of testing to become comparable to industry-standard. Simplest to switch to BasicAuth-apache.

No solution! Evaluated:

  • Using Kerberos, requires kerberos-support from client-side, i.e. . Since client-side support usually does not exist, supporting it on the server is useless.
  • Using SAML, that is SSO on application-level. This will be hard to impossible to implement since we don't have control of Thredds, ssh and ftp.
  • Using tomcat within apache (mod_jk, mod_proxy), having same security realm. This would be a good solution for SSO on the http-side (simply having one application), but might require extra care when setting up protection for one data-catalog, which can be seen from apache as up to 3 (eventually more) http-pathes (opendap, http, WCS).
  • .htaccess protection for all /upl/* pages
  • Registration and password changes outside /upl
  • Only username known to metamod $_SERVER{REMOTE_USER} after login, not institution/working directory. This information should be stored in another place.
  • each user should have a user-directory, where he can upload files via ftp
This website uses cookies. By using the website, you agree with storing cookies on your computer. Also you acknowledge that you have read and understand our Privacy Policy. If you do not agree leave the website.More information about cookies
You could leave a comment if you were logged in.
  • metamod/security_plans.txt
  • Last modified: 2022-05-31 09:29:32
  • (external edit)