[Archivesspace_Users_Group] HTTPS for login/staff interface

Cory Nimer cory_nimer at byu.edu
Tue Nov 19 11:10:45 EST 2013

As we have been getting LDAP set up for our local ArchivesSpace instance, our IT staff have raised a number of questions about the security of the login process, as well as the use of the staff interface. I have included portions of their comments below:

Forwarded message:

On Friday, November 15, 2013 at 10:25 AM, David Brownell wrote:

Subject: RE: archivesspace and ldap and SSL
archivesspace doesn't proxy nicely so it's nearly impossible to secure. I think it is still possible to proxy if it has its own IP address but DS1 [our web application server] already has 4 and I'm not sure I'm willing to do that for this.  It makes the whole thing less maintainable.

It needs to be at the path's root because it does things like send you to /login. So I can't have it be /archivesspace (because it doesn't send you to /archivesspace/login).  I have not seen any way to change the path of the thing, so that I can have it live on /archivesspace/blah.  Do you know of a way to change that?  I messed with the config.rb frontend_url but it's NOT a URL, it's only looking at the host and port.  Not the path!

That said, I can work on LDAP authentication, but without a means of a secure connection, I don't want to do that and expose people's passwords in plaintext.

What are your thoughts?

P.S. When I say "context" I mean the stuff after the server. For example, if I gave a URL -- http://ds1.lib.byu.edu:9080/blah -- /blah would be the context.


Sent: Monday, November 18, 2013 9:37 AM

I don't know of a way to change it so it can live on /archivesspace/blah. I think the URL structure is pretty well baked in. It sounds like we might need to have a dedicated IP address. It doesn't necessarily need to live on DS1, if that helps.

Date: Monday, November 18, 2013 at 9:53:13 AM
It's really, really important that HTTP-listening applications that accept a password have the ability to do HTTPS.  archivesspace needs to have the ability to listen on HTTPS with the ability to use a signed certificate for the communication.

Are there configuration options for making the login/staff interface available over HTTPS? Is this something that is expected to change in future versions of the software? And how should we advise our IT staff on setting this up on the server?

Thanks for your guidance,

Cory Nimer
Manuscripts Cataloger/Metadata Specialist
Brigham Young University
1108 HBLL
(801) 422-6091
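
The redirect problem described in the forwarded comments (the application sends the browser to /login while the proxy publishes it under /archivesspace), as an added example that is not part of the original message or of ArchivesSpace. It classifies a backend `Location` header as seen by a browser on the HTTPS front end and shows the rewrite a prefix-mounting proxy has to perform. The host and port come from the message's example URL and are assumed here to be the backend; the function names are hypothetical.

```python
from urllib.parse import urlsplit, urlunsplit

# Assumptions for illustration: public side is HTTPS on the same host,
# backend is the plain-HTTP listener from the message's example URL.
PUBLIC_SCHEME = "https"
PUBLIC_HOST = "ds1.lib.byu.edu"
MOUNT_PREFIX = "/archivesspace"
BACKEND = ("http", "ds1.lib.byu.edu:9080")


def under_prefix(path):
    return path == MOUNT_PREFIX or path.startswith(MOUNT_PREFIX + "/")


def classify_redirect(location):
    """Where does this Location header send a browser that came in over HTTPS?"""
    parts = urlsplit(location)
    scheme = parts.scheme or PUBLIC_SCHEME  # a path-only redirect keeps the scheme
    host = parts.netloc or PUBLIC_HOST      # ...and the host of the current page
    if scheme != "https":
        return "cleartext"       # next request, and any password in it, is unencrypted
    if host != PUBLIC_HOST:
        return "off-host"
    if under_prefix(parts.path):
        return "ok"
    return "escapes-prefix"      # e.g. /login instead of /archivesspace/login


def rewrite_location(location):
    """Map a backend redirect onto the public scheme, host and prefix."""
    parts = urlsplit(location)
    if parts.netloc and (parts.scheme, parts.netloc) != BACKEND:
        return location          # redirect to some other site: leave untouched
    if not parts.path.startswith("/"):
        return location          # relative path: resolves against the current URL
    path = parts.path if under_prefix(parts.path) else MOUNT_PREFIX + parts.path
    return urlunsplit((PUBLIC_SCHEME, PUBLIC_HOST, path, parts.query, parts.fragment))


if __name__ == "__main__":
    # Constructed sample headers, not captured from a real instance.
    for loc in ["/login", "http://ds1.lib.byu.edu:9080/login", "/archivesspace/login"]:
        fixed = rewrite_location(loc)
        print(f"{loc!r}: {classify_redirect(loc)} -> {fixed!r}: {classify_redirect(fixed)}")
```

Rewriting the header only covers redirects; absolute paths inside returned HTML are not touched by it, which is why hosting the application at the root of its own name or address avoids the problem altogether.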
