EF Portal + auth header

Overview

If you want to use a third-party authentication system instead of using the EnginFrame Portal to authenticate users, you can configure a trusted proxy that, after a successful login, forwards the user to the EnginFrame portal.

Requirements

  • A third-party service that can authenticate your users.
  • An Apache module that can ask the third-party service to approve the user.
  • An Apache VirtualHost that forwards the approved username and the traffic to EF Portal over an AJP connector.

Architecture

  1. The user accesses a specific page served by Apache.
  2. The user logs in through any authentication module supported by Apache (for example, mod_auth_mellon) that connects to an IdP server (such as Keycloak, Entra ID, etc.).
  3. Then, if approved, the user's traffic is forwarded to EF Portal through Apache with the X-Authenticated-User header containing the username.

Note: Apache can be replaced by any other proxy software (nginx, HAProxy, etc.) that is capable of setting the X-Authenticated-User header and can forward HTTP/HTTPS traffic.

Configuring

As an example we will use Apache as the authentication authority, but remember that you can use any external tool that integrates with Apache.

Install the Apache service and then set up this VirtualHost:

<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName efportal.mydomain.com

    # Enable the proxy engine to handle SSL backends
    SSLProxyEngine On
    # Ignore SSL certificate verification for the backend
    SSLProxyVerify none
    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerName off

    # Preserve the original host header
    ProxyPreserveHost On

    <Location "/enginframe">
        AuthType Basic
        AuthName "Restricted Area"
        AuthUserFile /etc/httpd/.htpasswd
        Require valid-user
        ProxyPass ajp://localhost:8009/enginframe flushpackets=on
        ProxyPassReverse ajp://localhost:8009/enginframe
    </Location>

    # SSL Certificate configuration
    SSLCertificateFile /etc/letsencrypt/live/efportal.mydomain.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/efportal.mydomain.com/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>

Note: Adapt efportal.mydomain.com and SSL parameters to your configuration.

Create a user and a password to test the login:

htpasswd -c /etc/httpd/.htpasswd efadmin

Then edit the file /opt/nisp/enginframe/conf/tomcat/conf/server.xml and add this connector:

    <Connector protocol="AJP/1.3"
               address="127.0.0.1"
               port="8009"
               redirectPort="8443"
               tomcatAuthentication="false"
               secretRequired="false"
               />

Find the connector that is enabled by default (usually listening on port 8443) and add address="127.0.0.1" to it:

    <Connector address="127.0.0.1"
               port="8443"
               maxThreads="150"
               SSLEnabled="true"
               scheme="https"
               secure="true"
               clientAuth="false"
               sslProtocol="TLS"
               keystoreFile="conf/certs/ef.tomcat.keystore"
               keystorePass="533f7be99cd35eb4e41a6d1161799d3aba916f43"
               server="Apache"
               URIEncoding="utf-8"
               />

This is important because EF Portal accepts the username sent by Apache without verifying it further, so you must make sure that no one can connect directly to the EF Portal Tomcat server: both connectors have to listen on the loopback address only.
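The following script is an added example (not part of this page or of EnginFrame) that audits a Tomcat server.xml for the hardening described in the two previous steps: every connector bound to 127.0.0.1 so Tomcat cannot be reached while bypassing Apache, and exactly one AJP connector with tomcatAuthentication="false" so the username authenticated by Apache is honoured. The sample server.xml embedded below is constructed and deliberately leaves the 8443 connector without an address attribute; audit_connectors and audit_file are hypothetical helper names.

```python
"""Audit a Tomcat server.xml for loopback-only connectors (added example).

Not EnginFrame's own tooling. SAMPLE_SERVER_XML is a constructed sample
modelled on the page's snippets; audit_connectors/audit_file are
hypothetical names.
"""
import xml.etree.ElementTree as ET

LOOPBACK = "127.0.0.1"

# Constructed sample: a correct AJP connector plus an HTTPS connector that
# was left listening on all interfaces (no address attribute).
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector protocol="AJP/1.3"
               address="127.0.0.1"
               port="8009"
               redirectPort="8443"
               tomcatAuthentication="false"
               secretRequired="false" />
    <Connector port="8443" maxThreads="150" SSLEnabled="true"
               scheme="https" secure="true" clientAuth="false"
               sslProtocol="TLS" server="Apache" URIEncoding="utf-8" />
  </Service>
</Server>
"""


def audit_connectors(server_xml: str) -> list[str]:
    """Return a list of findings; an empty list means the file passes.

    Checks:
      * every <Connector> carries address="127.0.0.1"; otherwise a client
        could bypass Apache and present its own username to EF Portal;
      * exactly one AJP connector exists and has tomcatAuthentication="false",
        so that the user authenticated by Apache is accepted.
    """
    root = ET.fromstring(server_xml)
    findings = []
    ajp_count = 0

    for conn in root.iter("Connector"):
        port = conn.get("port", "?")
        address = conn.get("address")
        if address != LOOPBACK:
            findings.append(
                f"connector on port {port} is bound to "
                f"{address or 'all interfaces'}; expected {LOOPBACK}"
            )
        if conn.get("protocol", "").upper().startswith("AJP"):
            ajp_count += 1
            # Tomcat defaults tomcatAuthentication to true when absent.
            if conn.get("tomcatAuthentication", "true").lower() != "false":
                findings.append(
                    f"AJP connector on port {port} has tomcatAuthentication "
                    "enabled; the username sent by Apache would be ignored"
                )

    if ajp_count != 1:
        findings.append(f"expected exactly one AJP connector, found {ajp_count}")
    return findings


def audit_file(path: str) -> list[str]:
    """Run the audit against a real server.xml on disk."""
    with open(path, encoding="utf-8") as fh:
        return audit_connectors(fh.read())


if __name__ == "__main__":
    # Against the constructed sample this reports the exposed 8443 connector.
    for finding in audit_connectors(SAMPLE_SERVER_XML):
        print("FINDING:", finding)
```

Run it against the real file with audit_file("/opt/nisp/enginframe/conf/tomcat/conf/server.xml") after editing; an empty result means both connectors are restricted to the loopback interface as the page requires.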

Now edit the file /opt/nisp/enginframe/conf/tomcat/conf/context.xml and after the following line

<Context>

add:

<CookieProcessor className="org.apache.tomcat.util.http.LegacyCookieProcessor" />

Finally, edit the file /opt/nisp/enginframe/2024.1-r1874/enginframe/conf/server.conf and set:

EF_HTTP_AUTHENTICATION=true

Restart Apache and the Tomcat server to apply the configuration:

systemctl restart httpd enginframe