This page last changed on Nov 30, 2010 by ahempel.
Crowd provides a number of modules that allow you to configure Crowd to authenticate HTTP Basic Authentication requests made to an Apache web server.
The following features are supported:
- Authentication: Use Crowd to password-protect resources on your website.
- Authorisation: Configure website locations to restrict access to specific Crowd groups or users.
Note: These instructions assume some UNIX system and Apache configuration knowledge.
Prerequisites
Download and configure Crowd. Refer to the Crowd installation guide for detailed information on how to do this.
Step 1. Disabling any Previous Version of the Crowd Apache Connector
If you are upgrading from a previous version of the Connector, you must disable it by following these instructions before proceeding.
Step 2. Configuring Crowd to Talk to Apache
Note: If you are upgrading from an earlier version of the Apache Connector, you will have already completed this step and you can skip it.
Crowd needs to be aware that Apache will be making authentication requests to Crowd. In brief, you will need to do the following:
- Define Apache as a Crowd-connected application to Crowd.
- Add and configure the directories visible to Apache.
- Add and map the groups which are allowed to authenticate with Apache.
Step 3. Installing the Crowd Apache Connector Packages
The installation procedures for Apache and the Crowd Apache connector vary depending on the operating system you are using. Use the links below to find installation instructions for your chosen operating system. If you have not chosen an operating system yet, you will probably find one of the Linux variants easiest to set up.
Step 4. Configuring Authentication
In this section, you will tell Apache to use Crowd to authenticate requests for a particular location. Edit the Apache config file and add the following commands to a <Location> or <Directory> section.
This is the minimum configuration required to password-protect a location with Crowd.
| Command | Explanation |
| --- | --- |
|  | See the Apache documentation for the format of the <Directory> and <Location> directives. We have used the directory path of /var/mysite/ as the simplest example. You may substitute your own directory path here. |
| AuthName "Atlassian Crowd" | Defines the realm of the authentication. This information is typically provided to the user in the dialogue box popped up by their browser. This must be a unique name for each Crowd application. |
| AuthType Basic | Tells Apache to use HTTP Basic authentication. HTTP Digest authentication is not currently supported. |
| AuthBasicProvider crowd | Tells Apache to delegate authentication to the Apache Crowd connector. |
| CrowdAppName myappname | Set 'myappname' to the application Apache should authenticate as. |
| CrowdAppPassword mypassword | Set 'mypassword' to the password for the application. |
|  | The URL of the Crowd server. |
| Require valid-user | Tells Apache that clients must provide a valid username/password to access the location. |
The following configuration commands are optional, and can be used to customise your configuration further:
| Command | Explanation | Default |
| --- | --- | --- |
| CrowdAcceptSSO Off | When set to 'On', the Apache Crowd connector will attempt to validate single sign-on (SSO) tokens provided in requests, avoiding the need for the user to log in if they have already logged in to another application. | On |
| CrowdCreateSSO Off | When set to 'On', the Apache Crowd connector will create a single sign-on (SSO) token whenever a user successfully authenticates, avoiding the need for the user to log in to other applications. | On |
| CrowdBasicAuthEncoding ISO-8859-1 UTF-8 | Sets the list of character encoding schemes that the Apache Crowd connector will use to decode usernames and passwords. Each is tried in turn, until authentication succeeds. This setting may need to be changed if you have users with non-ASCII characters in their usernames or passwords, as browsers differ in the encoding schemes they use. Note that when an authentication attempt fails with one or more encodings before succeeding with another, the failures may still be counted and logged as failures by the directory. | ISO-8859-1 |
| CrowdTimeout 5 | The maximum number of seconds that the Apache Crowd connector should wait for a response from Crowd. If set to 0, the connector will wait indefinitely. | 0 |
| CrowdCacheMaxAge 120 | The maximum number of seconds that a response from Crowd will be cached by the Apache Crowd connector. | 60 |
| CrowdCacheMaxEntries 1000 | The maximum number of entries cached at any time by the Apache Crowd connector. If set to 0, caching is disabled. | 500 |
For more detail about Apache configuration, please refer to the Apache documentation.
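The CrowdBasicAuthEncoding behaviour described above (each encoding tried in turn, with earlier misses still counted as failures by the directory) can be modelled as follows. This is an added example, not code from the connector: MockDirectory, the account rene/café and the function names are constructed, and skipping bytes that are invalid in an encoding is an assumption about how such input is handled.

```python
import base64

class MockDirectory:
    """Constructed stand-in for the directory behind Crowd; counts failed logins."""
    def __init__(self, users):
        self.users, self.failed = users, 0

    def check(self, user, password):
        ok = self.users.get(user) == password
        self.failed += 0 if ok else 1
        return ok

def header_for(user, password, browser_encoding):
    """Build the Authorization header as a browser using that encoding would."""
    creds = f"{user}:{password}".encode(browser_encoding)
    return "Basic " + base64.b64encode(creds).decode("ascii")

def try_encodings(authorization, encodings, directory):
    """Decode the Basic credentials with each encoding in turn until one succeeds."""
    scheme, _, b64 = authorization.partition(" ")
    if scheme.lower() != "basic":
        return False
    raw = base64.b64decode(b64)
    for enc in encodings:
        try:
            user, sep, password = raw.decode(enc).partition(":")
        except UnicodeDecodeError:
            continue  # assumption: bytes invalid in this encoding are not submitted
        if sep and directory.check(user, password):
            return True
    return False

def failures(browser_encoding, encodings):
    """Return (authenticated, failed attempts recorded) for one constructed login."""
    directory = MockDirectory({"rene": "café"})  # constructed account
    header = header_for("rene", "café", browser_encoding)
    return try_encodings(header, encodings, directory), directory.failed

if __name__ == "__main__":
    for browser in ("UTF-8", "ISO-8859-1"):
        for order in (["ISO-8859-1", "UTF-8"], ["UTF-8", "ISO-8859-1"], ["ISO-8859-1"]):
            print(browser, order, failures(browser, order))
```

A correct password sent as UTF-8 is logged as one failure before it succeeds when ISO-8859-1 is listed first, and is rejected outright under the default single-encoding list.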
Step 5. Configuring Authorisation
If you want to restrict access to a certain Apache <Directory> or <Location>, so that only a subset of Crowd users and/or groups have permissions, add the following lines to your configuration:
Note that you must also remove any Require valid-user command from this <Directory> or <Location> for the new restrictions to take effect.
| Command | Explanation |
| --- | --- |
| Require user johnh kevinr | Allow the users johnh or kevinr to access the location. |
| Require group developers crowd-administrators | Allow members of the developers or crowd-administrators groups to access the location. |
If you have configured authorisation providers in addition to the Crowd Apache connector, you may need to add the following optional setting:
| Command | Explanation | Default |
| --- | --- | --- |
| AuthzCrowdAuthoritative Off | When set to 'On', authorisation decisions made by Crowd are final. When set to 'Off', they may be overruled by other Apache authorisation providers. | On |
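A configuration check for Steps 4 and 5, as an added example that is not part of the Crowd connector: it parses each <Directory> or <Location> block and reports missing minimum directives, a Require valid-user line left next to a user or group restriction, and a CrowdTimeout left at 0. The function names and the sample configuration are constructed, and the Crowd URL directive is left out because its name does not appear on this page.

```python
import re

# Minimum directives from the Step 4 table; the Crowd URL directive is left out.
REQUIRED = ["AuthName", "AuthBasicProvider", "CrowdAppName", "CrowdAppPassword", "Require"]
SECTION = re.compile(r"<(Directory|Location)\s+([^>]*)>(.*?)</\1>", re.S | re.I)

def parse_sections(conf):
    """Yield (header, [(directive, args), ...]) per <Directory>/<Location> block."""
    for kind, path, body in SECTION.findall(conf):
        directives = []
        for line in map(str.strip, body.splitlines()):
            if line and not line.startswith("#"):
                name, _, args = line.partition(" ")
                directives.append((name.lower(), args.strip()))
        yield f"{kind} {path.strip()}", directives

def lint(conf):
    """Return (section, finding) pairs for the checks derived from this page."""
    findings = []
    for section, directives in parse_sections(conf):
        seen = dict(directives)
        requires = [args.lower() for name, args in directives if name == "require"]
        for req in REQUIRED:
            if req.lower() not in seen:
                findings.append((section, f"missing {req}"))
        if seen.get("authtype", "").lower() != "basic":
            findings.append((section, "AuthType must be Basic (Digest is not supported)"))
        restricted = any(r.startswith(("user ", "group ")) for r in requires)
        if restricted and "valid-user" in requires:
            findings.append((section, "Require valid-user present: restrictions do not take effect"))
        if seen.get("crowdtimeout", "0") == "0":
            findings.append((section, "CrowdTimeout 0: connector waits indefinitely for Crowd"))
    return findings

# Constructed sample: a Step 5 restriction added without removing Require valid-user.
SAMPLE = """
<Directory "/var/mysite/">
    AuthName "Atlassian Crowd"
    AuthType Basic
    AuthBasicProvider crowd
    CrowdAppName myappname
    CrowdAppPassword mypassword
    Require valid-user
    Require group developers crowd-administrators
</Directory>
"""

if __name__ == "__main__":
    print(*(f"{s}: {f}" for s, f in lint(SAMPLE)), sep="\n")
```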
Step 6. Configuring Subversion (Optional)
If you are using Subversion under Apache, Crowd's Subversion connector allows you to password-protect a Subversion repository and provide fine-grained access control by group or user.
Follow the instructions on integrating Crowd with Subversion.