
Use case

There is a small website of an index page, which has links to subpages.  Certain sections should only be seen by certain populations of the institution; either the part of the index page, or the underlying deep linked webpage.

Here is a blurred version of the index page, and a description of who has access to what:



Note: the site is written in PHP

Grouper setup

There are three levels of access.  Using Grouper permissions might be a better fit, but since the site is PHP, Penn only provisions groups and memberships to LDAP (not permissions), and we already have example PHP->LDAP code, we will simply use group memberships to represent that access.

  • Create a new folder for the application:     site:apps:secureWebApp
  • Create the ad hoc group: site:apps:secureWebApp:adHocGroup   (allow the client to edit the memberships (READ and UPDATE privileges), and give them the deep link URL to the lite membership UI)
  • Create the three groups for the access levels, and add the existing Grouper groups that can be reused as their members.  Note, we add three new groups here to loosely couple the application from the institutional groups and keep things more flexible later on down the line:
    • site:apps:secureWebApp:facultyStaffStudents    (add as member)    site:community:facultyStaffStudents
    • site:apps:secureWebApp:facultyStaff     (add as member)     site:community:facultyStaff
    • site:apps:secureWebApp:orgAndAdHoc     (add as members)     site:community:employees:orgs:dept:whatever:org123       AND     site:apps:secureWebApp:adHocGroup
  • Our institution does WS authentication with kerberos principals and HTTP basic auth
    • Create the kerberos principal: secureWebApp_grouper/sever.site.edu
    • Add that kerberos principal to the kerberos subject table so it can be referenced as a subject from Grouper
    • Grant that kerberos principal access to LDAP (by adding to group: site:etc:ldapUsers), and grant READ to the three security groups: site:apps:secureWebApp:facultyStaffStudents, site:apps:secureWebApp:facultyStaff, site:apps:secureWebApp:orgAndAdHoc.  At our institution, our LDAP is secure, so that allows that Kerberos principal to READ the memberships in LDAP

PHP code

We need to check which of the groups the user is in.  We do not want to do this on every request, so we store the result in the PHP session: if it is already there, use it; if not, look it up and store it.  Have an include for each secure page:

grouperSession.php

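As an added example (not the page's own include), here is one way grouperSession.php could implement the session-cached membership check described above. It assumes, beyond what the page states, that the web server has already authenticated the user into $_SERVER['REMOTE_USER'], that each Grouper group is provisioned to LDAP as an entry cn=<group name> under a constructed base DN with a multi-valued 'hasMember' attribute of member ids, and that the bind account is the secureWebApp_grouper principal's LDAP identity.

```php
<?php
// grouperSession.php: added example, not the page's own include. Assumes (not
// stated on the page) that the web server already authenticated the user into
// $_SERVER['REMOTE_USER'], that each Grouper group is an LDAP entry
// cn=<group name> under GROUP_BASE with a multi-valued 'hasMember' attribute of
// member ids, and that the bind account is the secureWebApp_grouper principal.
session_start();
const GROUP_BASE = 'ou=grouper,dc=site,dc=edu';   // constructed value
const CACHE_TTL  = 900;  // seconds before memberships are re-read from LDAP
const ACCESS_GROUPS = [
    'facultyStaffStudents' => 'site:apps:secureWebApp:facultyStaffStudents',
    'facultyStaff'         => 'site:apps:secureWebApp:facultyStaff',
    'orgAndAdHoc'          => 'site:apps:secureWebApp:orgAndAdHoc',
];
// Ask LDAP, once per access group, whether $userId is a member. Both values
// are escaped so a crafted user id cannot rewrite the search filter.
function lookupMemberships(string $userId): array {
    $ldap = ldap_connect('ldaps://ldap.site.edu');            // constructed host
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    $bindDn = 'uid=secureWebApp_grouper,ou=apps,dc=site,dc=edu'; // constructed DN
    if (!ldap_bind($ldap, $bindDn, getenv('LDAP_BIND_PW'))) {
        throw new RuntimeException('LDAP bind failed: ' . ldap_error($ldap));
    }
    $memberOf = [];
    foreach (ACCESS_GROUPS as $level => $group) {
        $filter = sprintf('(&(cn=%s)(hasMember=%s))',
            ldap_escape($group, '', LDAP_ESCAPE_FILTER),
            ldap_escape($userId, '', LDAP_ESCAPE_FILTER));
        $res = ldap_search($ldap, GROUP_BASE, $filter, ['cn']);
        $memberOf[$level] = $res !== false && ldap_count_entries($ldap, $res) > 0;
    }
    ldap_unbind($ldap);
    return $memberOf;
}
// Cached membership map; re-read when the session has none, when it was
// built for a different user, or when it is older than CACHE_TTL.
function grouperMemberships(): array {
    $userId = $_SERVER['REMOTE_USER'] ?? '';
    if ($userId === '') { http_response_code(401); exit('Not authenticated'); }
    $c = $_SESSION['grouper'] ?? null;
    if ($c === null || $c['user'] !== $userId || time() - $c['at'] > CACHE_TTL) {
        $c = ['user' => $userId, 'at' => time(), 'groups' => lookupMemberships($userId)];
        $_SESSION['grouper'] = $c;
    }
    return $c['groups'];
}
// Call at the top of each secured page, e.g. requireAccess('facultyStaff').
function requireAccess(string $level): void {
    if (empty(grouperMemberships()[$level])) { http_response_code(403); exit('Access denied'); }
}
```

The index page can call grouperMemberships() once and hide the sections whose access level is false, while each deep-linked page calls requireAccess() so the URL itself is protected, not just the link.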

