Tamino security

Hello!

I’ve created a group, a user and an ACL list. In the ACL list I’ve specified that for one of my doctypes access is “no”.

Well, I have no idea how anything is changed, since
someone can use HTTP to access and delete my XMLs.
How can I specify that only a group or a user has “full” access and nobody else does?

How can I use the Client API for Java to use the Tamino DB’s doctypes only if I have the needed userID?

Please help.

Hi,

have you set up your webserver to authenticate access to the /tamino virtual directory? With Apache’s httpd.conf file, your <Location /tamino> section needs a few words added.

When your server authenticates users accessing /tamino, you can set up usergroups with ACLs which explicitly prohibit access to a doctype.

Hope this helps,

Andreas

In the Tamino documentation it mentions the following in the “Tamino Security” chapter:

"Undefined users are automatically members of a default group that has the same name as the database."

This group is not defined by default and so it must be added manually. It is therefore possible to say that this group has no access to the documents but selective groups (and therefore selective users) have.

Further down in the same chapter there is a heading called “Protecting ino:security” which should provide some hints for you.

Thank you for help!

Here is the situation:

1. I have not modified the httpd.conf of the Apache which I’m using with Tamino because I don’t know what to add. For example, can you tell me what I should add in that file if I want a user (userID=rapo) from group friends (groupID=friends) with an ACL (aclID=friendsAcl) to have only “read” access to an existing doctype “rockers”?

2. I’ve created a group named 2nd (my db URL is http://localhost/tamino/2nd) and an ACL for that group where I’ve set “read” access for a doctype, but I can still use the Tamino Interactive Interface to delete XMLs of that doctype!

Hi,

make your <Location /tamino> entry in httpd.conf look something like this, and make yourself familiar with the authorization system of Apache. Look at the tutorials at apache.org!

<Location /tamino>
SetHandler ino
AuthType Basic
AuthName tamino
AuthUserFile <>
require valid-user
</Location>

Please be aware that this restricts access to the path http://yourserver/tamino, meaning that anyone who accesses resources below the /tamino path must authenticate himself. The user / password combination is stored in the AuthUserFile, which you can create using the Apache utilities. The username is then forwarded to Tamino by the webserver. I strongly recommend you go through the Apache tutorials on this topic!

Best regards, Andreas
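
One way to check that a <Location /tamino> block like the one above really demands credentials, as an added example that is not part of the original thread. The local stub server stands in for Apache so the script runs offline; the function names, the password and the stub itself are assumptions, while the user id "rapo" and the path /tamino/2nd come from the thread.

```python
import base64, threading, urllib.error, urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

USERS = {"rapo": "example-password"}  # constructed: user id from the thread, made-up password

class StubHandler(BaseHTTPRequestHandler):
    """Local stand-in for Apache with Basic auth on /tamino (not Tamino itself)."""
    def do_GET(self):
        ok, header = False, self.headers.get("Authorization", "")
        try:
            user, _, pw = base64.b64decode(header[6:]).decode().partition(":")
            ok = header.startswith("Basic ") and USERS.get(user) == pw
        except ValueError:  # malformed base64 or non-UTF-8 credentials
            pass
        if self.path.startswith("/tamino") and not ok:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="tamino"')
        else:
            self.send_response(200)
        self.end_headers()
    def log_message(self, *args): pass  # keep the stub quiet

def start_stub():
    server = HTTPServer(("127.0.0.1", 0), StubHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

def probe(url, user=None, password=None):
    """Return the HTTP status of a GET, optionally sent with Basic credentials."""
    req = urllib.request.Request(url)
    if user is not None:
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        req.add_header("Authorization", "Basic " + token)
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # bypass proxies
    try:
        with opener.open(req, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def check_location(url, user, password):
    """Anonymous and wrong-password requests must get 401; the valid user must not."""
    return {"anonymous": probe(url),
            "wrong_password": probe(url, user, password + "x"),
            "valid_user": probe(url, user, password)}

if __name__ == "__main__":
    srv = start_stub()
    print(check_location(f"http://127.0.0.1:{srv.server_address[1]}/tamino/2nd", "rapo", USERS["rapo"]))
```

This exercises only the web-server layer; the Tamino ACLs discussed in the thread are a separate check.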

Hi,

I want to do something like this (using Security Manager):

<ino:user ino:userid="ivan">Tamino Administrator</ino:user>

<ino:group ino:groupname="admtamino">
<ino:userref>ivan</ino:userref>
<ino:aclref>adminacl</ino:aclref>
</ino:group>
<ino:group ino:groupname="pruebas">
<ino:aclref>pruebasacl</ino:aclref>
</ino:group>

<ino:acl ino:aclname="adminacl">
<ino:ace ino:access="full">personas</ino:ace>
</ino:acl>
<ino:acl ino:aclname="pruebasacl">
<ino:ace ino:access="no">personas</ino:ace>
</ino:acl>

where “personas” is a collection.

When I try to create the second ACE I receive this error message:

"access control element does already exist in access control list"

I’ve seen an example like this in the documentation.

Thanks.

Hi,

this same behaviour bugged me, too. It helps to define an ACE on another access path first, and the one you really want second. Then you can delete the first ACE. I don’t know what the message you get is about. Maybe we shouldn’t worry?!

Best regards, Andreas

Hi!
When you’ve defined your Tamino security using the System Management Hub, how do you check if what you’ve done (restriction to a certain node) is working or not?
Do you use the Tamino Interactive Interface?

chomichomi

Hi Andreas, thank you also for the advice you gave on how to authenticate users using Apache. I’ve already done the setup of web server authentication in the Apache httpd.conf. I’ve looked at the Apache utilities and I don’t understand how to create the passwd file using htpasswd.exe. Would you please explain to me how you’d go about creating the passwd file?

Regards

chomichomi

Hi!
I’ve been doing the Tamino Security and I’ve set up the web server authentication and I just finished creating the username and passwd file (AuthUserFile). Now I have a problem because every time I access restricted sites and enter the username and passwd that I’ve defined in the AuthUserFile I get the Authorisation Required error.
I need your help thank you!

chomichomi

Hi Ivan,

We had this problem too and we solved it by installing Tamino v2.3.1.4. The customer was using v2.3.1.1.

Regards
Ito