https://github.com/stormpath/stormpath-mod-authnz-external

Using Stormpath to secure the Apache web server
README

# Stormpath is Joining Okta
We are incredibly excited to announce that [Stormpath is joining forces with Okta](https://stormpath.com/blog/stormpaths-new-path?utm_source=github&utm_medium=readme&utm-campaign=okta-announcement). Please visit [the Migration FAQs](https://stormpath.com/oktaplusstormpath?utm_source=github&utm_medium=readme&utm-campaign=okta-announcement) for a detailed look at what this means for Stormpath users.

We're available to answer all questions at [[email protected]](mailto:[email protected]).

# stormpath-mod-authnz-external

Use Stormpath to secure the Apache web server!

The instructions below are specific to Ubuntu/Debian, but the steps are mostly the same for \*nix installations (albeit with different commands - `yum` instead of `apt-get`, etc.).

1. Ensure Apache 2.4 or later is installed:

```bash
sudo apt-get install apache2
```
2. Ensure the Apache `mod_authnz_external` and `pwauth` modules are installed:

```bash
sudo apt-get install libapache2-mod-authnz-external pwauth
```

3. Ensure these modules are enabled:

```bash
sudo a2enmod authnz_external
sudo a2enmod pwauth
```

4. Download the `stormpath.sh` shell script that will be executed by `mod_authnz_external` during a login attempt:

```bash
curl -O https://raw.githubusercontent.com/stormpath/stormpath-mod-authnz-external/master/stormpath.sh
```

5. Ensure the downloaded file is executable by the apache2 system user (e.g. `www-data` on Ubuntu). You will likely also want to give that user's group ownership of the file. For example:

```bash
sudo chgrp www-data stormpath.sh
chmod ug+x stormpath.sh
```

6. Update your host (or virtual host) configuration to reference the `stormpath.sh` authentication script. For example, assuming a host `foo.com`:

```apache
<VirtualHost *:80>
    ServerName foo.com
    ServerAdmin [email protected]

    ErrorLog ${APACHE_LOG_DIR}/foo.com.error.log
    CustomLog ${APACHE_LOG_DIR}/foo.com.access.log combined

    DocumentRoot /var/www/vhosts/foo.com

    DefineExternalAuth stormpath pipe "/PATH/TO/stormpath.sh /PATH/TO/YOUR/stormpath/apiKey.properties YOUR_STORMPATH_APPLICATION_HREF"

    # Only the downloads directory requires authentication
    <Directory /var/www/vhosts/foo.com/downloads>
        AuthType Basic
        AuthName "Authenticated Users Only"
        AuthBasicProvider external
        AuthExternal stormpath
        require valid-user
    </Directory>
</VirtualHost>
```

where:

* `/PATH/TO/stormpath.sh` is the path on your local filesystem to the `stormpath.sh` file you downloaded
* `/PATH/TO/YOUR/stormpath/apiKey.properties` is the path on your local filesystem to your personal stormpath `apiKey.properties` file. This *must* begin with `/`, i.e. it must be a fully qualified path to a file on your operating system. It must also be readable by the apache system user (e.g. `www-data`)
* `YOUR_STORMPATH_APPLICATION_HREF` is the fully qualified `href` of your application record in Stormpath for which users must authenticate.

In the above example, the `require valid-user` line ensures that only authenticated users of the referenced Stormpath application may access anything in the `/var/www/vhosts/foo.com/downloads` directory.

## Authorization via groups

In addition to authenticating users, you can also require them to be members of
a specific group or groups. To configure the group membership check:

1. Install the `jq` command line tool (needed to parse JSON responses):

```bash
sudo apt-get install jq
```

2. Download the `stormpath-group.sh` shell script that will be executed by `mod_authnz_external` to check group membership (also make sure it is owned by
and executable by the apache2 system user, as in step 5 above):
```bash
curl -O https://raw.githubusercontent.com/stormpath/stormpath-mod-authnz-external/master/stormpath-group.sh
```

3. Update your apache2 host configuration to reference the `stormpath-group.sh`
script for group membership checks. Assuming a configuration like the above,
extend it to something like:
```apache
<VirtualHost *:80>
    ServerName foo.com
    ServerAdmin [email protected]

    ErrorLog ${APACHE_LOG_DIR}/foo.com.error.log
    CustomLog ${APACHE_LOG_DIR}/foo.com.access.log combined

    DocumentRoot /var/www/vhosts/foo.com

    DefineExternalAuth stormpath pipe "/PATH/TO/stormpath.sh /PATH/TO/YOUR/stormpath/apiKey.properties YOUR_STORMPATH_APPLICATION_HREF"
    DefineExternalGroup stormpath pipe "/PATH/TO/stormpath-group.sh /PATH/TO/YOUR/stormpath/apiKey.properties USERNAME_OR_EMAIL ANY_OR_ALL"

    <Directory /var/www/vhosts/foo.com/downloads>
        AuthType Basic
        AuthName "Authorized Users Only"
        AuthBasicProvider external
        AuthExternal stormpath
        GroupExternal stormpath

        # Both conditions must hold. Without RequireAll, Apache 2.4 ORs sibling
        # Require lines, and valid-user alone would admit any authenticated user.
        <RequireAll>
            require valid-user
            require external-group YOUR_STORMPATH_GROUP_HREF
        </RequireAll>
    </Directory>
</VirtualHost>
```

where:

* `USERNAME_OR_EMAIL` is either `username` if your users are logging in using their username, or `email` if your users are logging in using their email
* `YOUR_STORMPATH_GROUP_HREF` is the fully qualified `href` of the Stormpath group record of which the user must be a member to be authorized, or a space-separated list of group hrefs; note that this href (or list) must not be wrapped in double quotes.
* `ANY_OR_ALL` is an optional keyword and must be either `all` (the default if not specified), meaning the user must be a member of all listed groups, or `any`, meaning the user must be a member of at least one listed group.
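The pipe interface that `stormpath.sh` (step 4 above) and `stormpath-group.sh` (step 2 of this section) implement for `mod_authnz_external`, as an added example that is not the project's code: stand-in scripts that honour the same two-line stdin contract, with a constructed in-memory user directory and hypothetical group hrefs in place of the Stormpath REST API, and the `ANY_OR_ALL` rule from this section applied to the group list. The names `auth_check`, `group_check`, `run_auth` and `run_group` are mine.

```shell
#!/bin/sh
# Added example, not the project's stormpath.sh or stormpath-group.sh: minimal
# stand-ins that honour the mod_authnz_external "pipe" contract, plus harnesses
# that drive them the way Apache does, so the protocol and the any/all group
# semantics can be exercised offline. Pipe contract: stdin line 1 is the user
# name; line 2 is the password (DefineExternalAuth) or the space-separated
# group list (DefineExternalGroup); exit 0 allows, any non-zero exit denies.
# Credentials travel on stdin only, so they never appear in argv or `ps` output.

# Constructed directory (hypothetical hrefs) standing in for the Stormpath
# REST calls the real scripts make: user -> password, user -> group hrefs.
password_of() {
  case "$1" in alice) echo "wonderland" ;; bob) echo "builder" ;; *) echo "" ;; esac
}
groups_of() {
  case "$1" in
    alice) echo "https://api.example/groups/admins https://api.example/groups/staff" ;;
    bob)   echo "https://api.example/groups/staff" ;;
    *)     echo "" ;;
  esac
}

# Authenticator: reads "user\npassword\n"; exits 0 only on an exact match.
auth_check() {
  IFS= read -r user
  IFS= read -r pass
  expected=$(password_of "$user")
  [ -n "$expected" ] && [ "$pass" = "$expected" ]
}

# Group checker; $1 is the README's ANY_OR_ALL keyword (default all).
# Reads "user\nhref1 href2 ...\n" and exits 0 when the membership rule holds.
group_check() {
  mode="${1:-all}"
  IFS= read -r user
  IFS= read -r wanted
  have=" $(groups_of "$user") "
  matched=0; total=0
  for g in $wanted; do
    total=$((total + 1))
    case "$have" in *" $g "*) matched=$((matched + 1)) ;; esac
  done
  [ "$total" -gt 0 ] || return 1            # an empty group list never authorizes
  if [ "$mode" = any ]; then [ "$matched" -gt 0 ]; else [ "$matched" -eq "$total" ]; fi
}

# Harnesses: feed the two stdin lines exactly as mod_authnz_external would.
run_auth()  { printf '%s\n%s\n' "$1" "$2" | auth_check; }         # user password
run_group() { printf '%s\n%s\n' "$1" "$2" | group_check "$3"; }   # user "hrefs" any|all
```

Run `run_group bob "https://api.example/groups/admins https://api.example/groups/staff" all; echo $?` to see the `all` rule deny a user who is in only one of the listed groups, and swap `all` for `any` to see it pass.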