Chapter 45. Apache Access Handler Perl Module
The OpenILS::WWW::AccessHandler Perl module is intended for limiting patron
access to configured locations in Apache. These locations could be folder
trees, static files, non-Evergreen dynamic content, or other Apache
features/modules. It is intended as a more patron-oriented and transparent
version of the OpenILS::WWW::Proxy and OpenILS::WWW:Proxy::Authen modules.
Instead of using Basic Authentication the AccessHandler module instead redirects
to the OPAC for login. Once logged in additional checks can be performed, based
on configured variables:
-
Permission Checks (at Home OU or specified location)
-
Home OU Checks (Org Unit or Descendant)
-
"Good standing" Checks (Not Inactive or Barred)
Use of the module is a simple addition to a Location block in Apache:
<Location /path/to/be/protected>
PerlAccessHandler OpenILS::WWW::AccessHandler
# For each option you wish to set:
PerlSetVar OPTION "VALUE"
</Location>
The available options are:
-
OILSAccessHandlerLoginURL
-
Default: /eg/opac/login
-
The page to redirect to when Login is needed
-
OILSAccessHandlerLoginURLRedirectVar
-
Default: redirect_to
-
The variable the login page wants the "destination" URL stored in
-
OILSAccessHandlerFailURL
-
Default: <unset>
-
URL to go to if Permission, Good Standing, or Home OU checks fail. If not set
a 403 error is generated instead. To customize the 403 you could use an
ErrorDocument statement.
-
OILSAccessHandlerCheckOU
-
Default: <User Home OU>
-
Org Unit to check Permissions at and/or to load Referrer from. Can be a
shortname or an ID.
-
OILSAccessHandlerPermission
-
Default: <unset>
-
Permission, or comma- or space-delimited set of permissions, the user must have to
access the protected area.
-
OILSAccessHandlerGoodStanding
-
Default: 0
-
If set to a true value the user must be both Active and not Barred.
-
OILSAccessHandlerHomeOU
-
Default: <unset>
-
An Org Unit, or comma- or space-delimited set of Org Units, that the user’s Home OU must
be equal to or a descendant of to access this resource. Can be set to
shortnames or IDs.
-
OILSAccessHandlerReferrerSetting
-
Default: <unset>
-
Library Setting to pull a forced referrer string out of, if set.
As the AccessHandler module does not actually serve the content it is
protecting, but instead merely hands control back to Apache when it is done
authenticating, you can protect almost anything else you can serve with Apache.
The general use of this module is "protect access to something else" - what that
something else is will vary. Some possibilities:
Apache features
-
Automatic Directory Indexes
Proxies (see below)
-
Electronic Databases
-
Software on other servers/ports
Non-Evergreen software
-
Timekeeping software for staff
-
Specialized patron request packages
Static files and folders
-
Semi-public Patron resources
-
Staff-only downloads