Login-Only Repository

From EPrints Documentation
Revision as of 10:56, 25 April 2025 by Drn@ecs.soton.ac.uk (talk | contribs) (EPrints 3.4 and above)

* * * MODIFIED APRIL 2025 TO ADD INSTRUCTIONS ON USING EPRINTS CONFIGURATION AND UPDATE EXISTING INSTRUCTIONS FOR USE WITH APACHE 2.4.x * * *

These instructions tell you how to configure your repository so that even search and view pages, and potentially even static pages, require a valid username/password.

The /images and /style directories are deliberately left unsecured, so that the files in them can always be viewed (you need the CSS + images to render the login page!)

This even secures things like the OAI interface and registration, so you'll probably want to disable web-based registration in favour of importing users or creating them with an admin account.

EPrints 3.4 and above

Set the following configuration settings in a configuration file under your archive's cfg/cfg.d/ directory (e.g. zz_login_required.pl).

$c->{login_required_for_cgi}->{enable} = 1;
$c->{login_required_for_eprints}->{enable} = 1;
$c->{login_required_for_views}->{enable} = 1; 
$c->{login_required_for_cgi}->{exceptions} = [ "users/login", "handle_404" ];
$c->{login_required_url} = "/cgi/users/login";

This configuration will block all access to publication abstract/summary pages and their documents, browse view pages and any CGI script pages, such as search, export, etc. It will still allow users to access a login page, so if they do have an account they can log in. The configuration above assumes that users will be authenticated locally. If institutional single sign-on (e.g. Shibboleth) is being used, then "users/login" can be removed from the exceptions and login_required_url should be updated appropriately. The "handle_404" exception is not essential, but it saves a user having to log in to find that a page does not actually exist. This may be preferable, or it may be a security concern if they can see that a page does not exist without logging in. You may want to add additional CGI scripts to the exceptions, such as "reset_password" and "confirm" to support password resets, or "register" to allow visitors to register for user accounts.

The above configuration does not prevent access to static pages like the home, about, policies, etc. If these need authentication as well, then configuration similar to that described below for EPrints 3.3 and older will need to be added to the HTTPS, and possibly also the HTTP, Apache virtualhost configuration.

From EPrints 3.4.7+ there will be additional configuration options for static pages. The following two lines of configuration will allow all but the homepage (and its resources, based on a vanilla installation) to be restricted behind a login:

$c->{login_required_for_static}->{enable} = 1;
$c->{login_required_for_static}->{exceptions} = [ "/", "/favicon.ico", "/images/.*", "/style/images/.*" ];

EPrints 3.3 and older

HTTP-only Repository Archive

1. In archives/ARCHIVEID/cfg/lang/en/static/ rename index.xpage to home.xpage.

2. Generate static pages to create the file home.html amongst others.

EPRINTS_PATH/bin/generate_static ARCHIVEID

3. Add the following to archives/ARCHIVEID/cfg/apachevhost.conf. (Be sure to substitute EPRINTS_PATH, ARCHIVEID and HOSTNAME as appropriate):

 <Location "">
   AuthName "Documents Area"
   AuthType "Basic"
   PerlAuthenHandler EPrints::Apache::Auth::authen
   PerlAuthzHandler EPrints::Apache::Auth::authz
   require valid-user
 </Location>

 <Directory "EPRINTS_PATH/archives/ARCHIVEID/html/en/images">
   require all granted
 </Directory>

 <Directory "EPRINTS_PATH/archives/ARCHIVEID/html/en/style">
   require all granted
 </Directory>

 <Location "/cgi/reset_password">
   require all granted
 </Location>

 <Location "/cgi/confirm">
   require all granted
 </Location>

 <LocationMatch "^/$">
   Redirect / http://HOSTNAME/cgi/users/login?target=/home.html
 </LocationMatch>

4. If you did not already have an archives/ARCHIVEID/cfg/apachevhost.conf then run the following to make sure it is included in your Apache configuration:

EPRINTS_PATH/bin/generate_apacheconf --system --replace

5. Restart Apache.

HTTPS-only or HTTP and HTTPS Repository Archive

TO BE WRITTEN

Allowing a few things without a password...

If you need to make any other directories available without a password, say the javascript directory, copy the directory directive for the images directory and tweak it:

 <Directory "EPRINTS_PATH/archives/ARCHIVEID/html/en/javascript">
   require all granted
 </Directory>

If you need to make a single file public, for example the RSS/Atom feeds for latest publications, use the following:

 <Files "latest_tool">
   require all granted
 </Files>
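
To confirm that the settings above protect what you expect and leave only the intended exceptions open, request a handful of URLs without credentials and compare the results with a list of expectations. The following Python is an added example, not part of EPrints: the hostname and sample paths are constructed placeholders, and it assumes a protected URL answers an anonymous request with 401/403 or a redirect to the login URL.

```python
import http.client
from urllib.parse import urlsplit

PROTECTED, PUBLIC, OTHER = "protected", "public", "other"

def classify(status, location, login_url="/cgi/users/login"):
    """Classify one response to an unauthenticated request."""
    if status in (401, 403):
        return PROTECTED
    if status in (301, 302, 303, 307, 308):
        # Only a redirect to the login page itself counts as protection.
        path = urlsplit(location or "").path
        return PROTECTED if path == login_url else OTHER
    return PUBLIC if status == 200 else OTHER

def http_fetch(host, use_tls=True):
    """Return fetch(path) -> (status, Location header); redirects are not followed."""
    def fetch(path):
        cls = http.client.HTTPSConnection if use_tls else http.client.HTTPConnection
        conn = cls(host, timeout=10)
        try:
            conn.request("GET", path)  # no cookies, no credentials
            resp = conn.getresponse()
            return resp.status, resp.getheader("Location")
        finally:
            conn.close()
    return fetch

def audit(expected, fetch, login_url="/cgi/users/login"):
    """Return [(path, expected, observed)] for every path that differs."""
    mismatches = []
    for path, want in expected.items():
        status, location = fetch(path)
        got = classify(status, location, login_url)
        if got != want:
            mismatches.append((path, want, got))
    return mismatches

# Constructed sample expectations; replace with paths from your own archive.
EXPECTED = {
    "/cgi/users/login": PUBLIC, "/style/auto.css": PUBLIC,
    "/cgi/search": PROTECTED, "/cgi/oai2": PROTECTED,
    "/view/": PROTECTED, "/1/": PROTECTED,
}

if __name__ == "__main__":
    # repository.example.org is a placeholder hostname.
    for row in audit(EXPECTED, http_fetch("repository.example.org")):
        print("MISMATCH path=%s expected=%s observed=%s" % row)
```

No output means every sampled path behaved as expected; re-run it after changing any exceptions list or the Apache virtualhost configuration.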