Task Doms Auth system

Title
Doms Auth system

State
Not started

Time used

Time estimated

Description

The doms auth system is responsible for ensuring that no user can access files without sufficient credentials. Furthermore, no doms record should be viewable without the nessesary credentials. These are two different requirements.

  1. Auth check on bitstorage access
  2. Auth check on long post viewing

Bitstorage auth design

The design is as follows:

  1. Each file in bitstorage is assigned a permanent URL
  2. An Apache server is set up to handle these URLs
  3. This apache server has the nessesary rewrite filters set up to forward the request to a php application.

  4. Php application (Written by IT service)

    1. Extract Wayf credentials from the user. There might be no credentials, which is not yet an error.
    2. Extract the user IP (or domain), and set this as a user property

    3. Call the DomsAuth service with the permanent URL and the credentials if any (and the IP property), (Written by IT Digitale Ressourcer)

      1. Doms Auth lookup the corresponding file object in fedora, and attempts to read this with the supplied credentials. If succesful, true is returned. Else false.

    4. If the DomsAuth service gave false and the user had no WAYF credentials, redirect the user to a wayf login page.

    5. If the DomsAuth service gave false, but the user had WAYF credentials, report error.

    6. If the DomsAuth service gave true, stream the file through the php app to the user

      1. Stream app. This app streams the given file from whereever into the php script so the user can read it. (Written by IT Maintenance)

It can be seen that the php app will become a bottleneck. There are several designs that could work around this. Having several identical apache servers, and using a round robin dns would split the load.

Sub tasks

Title State Time used Time estimated

Documentation

Progress history

Iteration Time used Status Notes Tasks adressed