University of Washington   ITI-CP Security Middleware

module mod_auth_location

Description: Provides location-based authentication to allow otherwise unauthorized browser users to access restricted pages from previously identified browser locations.
Module Identifier:auth_location_module

Summary

Directives

Topics

top

AuthLocationDefineLocation Directive

Description:Identifies browsers by location
Syntax:AuthLocationDefineLocation location ip_list
Context:server config, virtual host, directory, .htaccess
Override:none

AuthLocationDefineLocation Associates "location_name" with browsers whose ip addresses are in the list. The directive may be repeated to define several locations.

Examples

AuthLocationDefineLocation suzzalo 128.99.135.1-99
AuthLocationDefineLocation atmos 128.99.121.* 128.99.141.55

top

AuthLocationDefineApplication Directive

Description:Identifies applications
Syntax:AuthLocationDefineApplication app_name string URL|QS
Context:server config, virtual host, directory, .htaccess
Override:none

AuthLocationDefineApplication Associates "app_name" with any request that contains a string match with the specified string. The either the URL host and path (URL or the query string (QS) will be searched for the string.

You must specify the string exactly as it will appear in the URL or query string. A colon, for example, usually appears as "%3A". Check your server's access log if you're not sure.

Examples

AuthLocationDefineApplication bookstore UniversityBookstore URL

top

AuthLocationPermitAnonymous Directive

Description:Allows anonymous authentication for a particular application and location
Syntax:AuthLocationPermitAnonymous application location anonymous_id chooser_page
Context:server config, virtual host, directory, .htaccess
Override:none

AuthLocationDefineLocation Permits anonymous access to the specified application if the browser is from the specified location. The chooser page will be shown to the browser user. It must contain one link with the special text "{GUEST_YES}" which will authenticate the user as "anonymous_id". It must contain one link with the special text "{GUEST_NO}" which will authenticate the user in the normal way - however authentication is otherwise configured.

A simple chooser, used if you omit the chooser_page parameter, is: 

      <html>
      <a href="{GUEST_YES}">Be a guest</a>
      <p>
      <a href="{GUEST_NO}">Be yourself</a>
      </html>

Examples

AuthLocationPermitAnonymous bookstore suzzalo store_guest bks_anon.html

top

AuthLocationRequireAnonymous Directive

Description:Requires anonymous authentication for an application and location
Syntax:AuthLocationRequireAnonymousapplication location anonymous_id
Context:server config, virtual host, directory, .htaccess
Override:none

AuthLocationRequireAnonymous Requires anonymous access to the specified application if the browser is from the specified location. The remote user is always identified as anonymous id.

Examples

AuthLocationRequireAnonymous bookstore suzzalo_kiosk store_guest

top

Shibboleth example

EncyclopaediaGalactica.com contracts with the University Library to provide online service to University members and any other people physically in the library.

  1. EncyclopaediaGalactica provides a shib'd web target for these services.

    • url = http://EncyclopaediaGalactica.com/
    • shib provider_id = urn:mace:galactica

  2. The Library identifies its kiosk systems by ip range:

    • kiosk ip: 128.95.100.1 - 128.95.100.55

  3. The University's shib origin's HS includes the following apache directives:

    • AuthLocationDefineLocation suzzalo 128.95.100.1-55
    • AuthLocationDefineApplication eg provider_id=urn:mace:galactica QS
    • AuthLocationRequireAnonymous eg suzzalo eg_anon

  4. The University's ldap service used by the shib AA includes the entry

    • dn: cn=eg_anon,ou=UWNetID,dc=u,dc=washington,dc=edu
    • edupersonaffiliation: LibraryPatron

With these settings, a request from one of the kiosk browsers to the EncyclopaediaGalactica website would be automatically logged in as "eg_anon" and authorized as a patron.

The browser user:

  1. Types "http://EncyclopaediaGalactica.com/"

  2. Sees "Welcome to Encyclopaedia Galactica", or watever.

Because of the "AuthLocationRequireAnonymous" the browser user was never asked for an id or password.