Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/stormpath/stormpath-mod-authnz-external
Using Stormpath to secure the Apache web server
Last synced: 24 days ago
- Host: GitHub
- URL: https://github.com/stormpath/stormpath-mod-authnz-external
- Owner: stormpath
- License: apache-2.0
- Created: 2015-01-12T04:57:24.000Z (almost 10 years ago)
- Default Branch: master
- Last Pushed: 2017-03-06T23:57:23.000Z (almost 8 years ago)
- Last Synced: 2024-04-13T23:01:30.319Z (8 months ago)
- Language: Shell
- Size: 13.7 KB
- Stars: 5
- Watchers: 6
- Forks: 3
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# Stormpath is Joining Okta
We are incredibly excited to announce that [Stormpath is joining forces with Okta](https://stormpath.com/blog/stormpaths-new-path?utm_source=github&utm_medium=readme&utm-campaign=okta-announcement). Please visit [the Migration FAQs](https://stormpath.com/oktaplusstormpath?utm_source=github&utm_medium=readme&utm-campaign=okta-announcement) for a detailed look at what this means for Stormpath users. We're available to answer all questions at [[email protected]](mailto:[email protected]).
# stormpath-mod-authnz-external
Use Stormpath to secure the Apache web server!
The instructions below are specific to Ubuntu/Debian, but the steps are mostly the same for \*nix installations (albeit with different commands - `yum` instead of `apt-get`, etc.).
1. Ensure Apache 2.4 or later is installed:
```bash
sudo apt-get install apache2
```
2. Ensure the Apache `mod_authnz_external` and `pwauth` modules are installed:
```bash
sudo apt-get install libapache2-mod-authnz-external pwauth
```
3. Ensure these modules are enabled:
```bash
sudo a2enmod authnz_external
sudo a2enmod pwauth
```
4. Download the `stormpath.sh` shell script that will be executed by `mod_authnz_external` during a login attempt:
```bash
curl -O https://raw.githubusercontent.com/stormpath/stormpath-mod-authnz-external/master/stormpath.sh
```
5. Ensure the downloaded file is executable by the apache2 system user (e.g. `www-data` on Ubuntu). You will likely also want to assign group ownership to the apache system user. For example:
```bash
sudo chgrp www-data stormpath.sh
chmod ug+x stormpath.sh
```
6. Update your host (or virtual host) configuration to reference the `stormpath.sh` authentication script. For example, assuming a host `foo.com`:
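```apache
ServerName foo.com
ServerAdmin [email protected]
ErrorLog ${APACHE_LOG_DIR}/foo.com.error.log
CustomLog ${APACHE_LOG_DIR}/foo.com.access.log combined
DocumentRoot /var/www/vhosts/foo.com
# Register stormpath.sh as an external authenticator named "stormpath" (pipe method)
DefineExternalAuth stormpath pipe "/PATH/TO/stormpath.sh /PATH/TO/YOUR/stormpath/apiKey.properties YOUR_STORMPATH_APPLICATION_HREF"
# Auth directives are only valid in a directory context; this protects the downloads directory
<Directory /var/www/vhosts/foo.com/downloads>
    AuthType Basic
    AuthName "Authenticated Users Only"
    AuthBasicProvider external
    AuthExternal stormpath
    require valid-user
</Directory>
```
where: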
* `/PATH/TO/stormpath.sh` is the path on your local filesystem to the `stormpath.sh` file you downloaded
* `/PATH/TO/YOUR/stormpath/apiKey.properties` is the path on your local filesystem to your personal Stormpath `apiKey.properties` file. This *must* begin with `/`, i.e. it must be a fully qualified path to a file on your operating system. It must also be readable by the apache system user (e.g. `www-data`)
* `YOUR_STORMPATH_APPLICATION_HREF` is the fully qualified `href` of your application record in Stormpath for which users must authenticate.

In the above example, the `require valid-user` line ensures that only authenticated users of the referenced Stormpath application may access anything in the `/var/www/vhosts/foo.com/downloads` directory.
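
A pre-flight check for the two files that `DefineExternalAuth` references, added here as an example and not part of the project's own scripts. It enforces the absolute-path rule stated above and the `chmod ug+x` from step 5; the rule that neither file grants access to other users is an assumption of this example, as are the function names.

```bash
#!/bin/sh
# Added example (not from the project): checks the files that
# DefineExternalAuth points at. The "no access for other users" rules are
# this example's assumption; the README only asks for apache-user access.

# Print a file's octal permission bits (GNU stat first, then BSD stat).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_stormpath_files SCRIPT KEYFILE
# Prints one line per problem; returns 0 if none were found, 1 otherwise.
check_stormpath_files() {
    script=$1 keyfile=$2 problems=0
    case $keyfile in
        /*) ;;
        *) echo "key file path is not absolute: $keyfile"; problems=1 ;;
    esac
    if [ ! -f "$keyfile" ]; then
        echo "key file not found: $keyfile"; problems=1
    else
        mode=$(file_mode "$keyfile")
        case $mode in
            *0) ;;   # last octal digit 0: no access for other users
            *) echo "key file open to other users (mode $mode)"; problems=1 ;;
        esac
    fi
    if [ ! -f "$script" ]; then
        echo "script not found: $script"; problems=1
    else
        mode=$(file_mode "$script")
        # Second-to-last digit holds the group bits; odd means executable.
        group_bits=$(printf '%s' "$mode" | sed 's/.*\(.\).$/\1/')
        case $group_bits in
            1|3|5|7) ;;
            *) echo "script not group-executable (mode $mode)"; problems=1 ;;
        esac
        case $mode in
            *[2367]) echo "script writable by other users (mode $mode)"; problems=1 ;;
        esac
    fi
    return "$problems"
}

# Usage: check_stormpath_files /PATH/TO/stormpath.sh /PATH/TO/YOUR/stormpath/apiKey.properties
```

With group ownership set as in step 5, modes such as `640` for the key file and `750` for the script pass this check.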
## Authorization via groups
In addition to authenticating the users, you can also require them to be in
a specific group or groups. To configure the group membership check:
1. Install the `jq` command line tool (needed to parse JSON responses):
```bash
sudo apt-get install jq
```
2. Download the `stormpath-group.sh` shell script that will be executed by `mod_authnz_external` to check group membership (also make sure it's owned by
and executable by the apache2 system user as in step 5 above):
```bash
curl -O https://raw.githubusercontent.com/stormpath/stormpath-mod-authnz-external/master/stormpath-group.sh
```
3. Update your apache2 host configuration to reference the `stormpath-group.sh`
script for group membership checks. Assuming a configuration like the above,
extend it to something like:
```apache
ServerName foo.com
ServerAdmin [email protected]
ErrorLog ${APACHE_LOG_DIR}/foo.com.error.log
CustomLog ${APACHE_LOG_DIR}/foo.com.access.log combined
DocumentRoot /var/www/vhosts/foo.com
# External authenticator and external group checker, both named "stormpath"
DefineExternalAuth stormpath pipe "/PATH/TO/stormpath.sh /PATH/TO/YOUR/stormpath/apiKey.properties YOUR_STORMPATH_APPLICATION_HREF"
DefineExternalGroup stormpath pipe "/PATH/TO/stormpath-group.sh /PATH/TO/YOUR/stormpath/apiKey.properties USERNAME_OR_EMAIL ANY_OR_ALL"
<Directory /var/www/vhosts/foo.com/downloads>
    AuthType Basic
    AuthName "Authorized Users Only"
    AuthBasicProvider external
    AuthExternal stormpath
    GroupExternal stormpath
    # Apache 2.4 ORs sibling Require lines (implicit RequireAny), so wrap them
    # in RequireAll or valid-user alone would grant access.
    <RequireAll>
        require valid-user
        require external-group YOUR_STORMPATH_GROUP_HREF
    </RequireAll>
</Directory>
```
where:
* `USERNAME_OR_EMAIL` is either `username` if your users are logging in using their username, or `email` if your users are logging in using their email
* `YOUR_STORMPATH_GROUP_HREF` is the fully qualified href of your Stormpath group record in which the user must be to be authorized, or a list of space-separated group hrefs; note that this href (or list) must not be in double quotes.
* `ANY_OR_ALL` is an optional keyword and must be either `all` (the default if not specified), meaning the user must be a member of all listed groups, or `any`, meaning the user must be a member of at least one listed group.
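
The `all`/`any` behaviour described above, as an added example rather than the project's `stormpath-group.sh`: a stand-in group checker driven over a pipe. The two-line stdin layout, the function names and the `example.invalid` hrefs are assumptions of this example.

```bash
#!/bin/sh
# Added example (not the project's stormpath-group.sh): a stand-in pipe-method
# group checker showing the all/any semantics. Memberships and hrefs are
# constructed sample data.
MEMBERSHIPS='alice https://example.invalid/groups/admins
alice https://example.invalid/groups/staff
bob https://example.invalid/groups/staff'

# is_member USER GROUP_HREF: succeeds if that exact pair is listed above.
is_member() {
    printf '%s\n' "$MEMBERSHIPS" | grep -Fqx -e "$1 $2"
}

# group_check [all|any]
# Assumed stdin layout: line 1 = login, line 2 = space-separated group hrefs.
# Exit status 0 authorizes; anything unexpected denies.
group_check() {
    mode=${1:-all}                        # "all" is the documented default
    IFS= read -r user || return 2
    IFS= read -r wanted || return 2
    set -f                                # hrefs may contain glob characters
    set -- $wanted
    set +f
    [ "$#" -gt 0 ] || return 2            # empty list: fail closed
    matched=0
    for href in "$@"; do
        if is_member "$user" "$href"; then matched=$((matched + 1)); fi
    done
    case $mode in
        all) [ "$matched" -eq "$#" ] ;;
        any) [ "$matched" -ge 1 ] ;;
        *)   return 2 ;;                  # unknown keyword: deny
    esac
}

# run_check MODE USER [GROUP_HREF...]: feed group_check as the pipe would.
run_check() {
    m=$1 u=$2
    shift 2
    printf '%s\n%s\n' "$u" "$*" | group_check "$m"
}
```

The same `printf ... | script` pattern can be pointed at a real checker to confirm it denies on an empty group list or an unknown keyword before it is wired into Apache.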