Most importantly, customers' administrators can add authentication
credentials that the Service Proxy will used on their behalf when
accessing subscription resources -- username/password pairs or proxies
-to use for IP-based authentication. Note that IT IS THEN CRUICIAL TO
-SECURE THE LIBRARY FROM USE BY UNAUTHORISED CLIENTS, otherwise the
+to use for IP-based authentication. Note that **it is then crucial to
+secure the library from use by unauthorised clients**, otherwise the
customer's paid subscriptions will be exploited.
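Review bot: the context line `credentials that the Service Proxy will used on their behalf when` still carries the typo "will used" (should be "will use"); since this hunk already rewrites the surrounding paragraph, fold that fix in. The bolded warning would also be more actionable if it said where the securing actually happens, e.g. "see Stage A below for the User Access authentication methods", so the reader knows which of the following steps restricts access to the library.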
Access to libraries is managed by creating one or more "User Access"
Setting up such a library is a process of several stages.
-Stage A: create the User Access account
+### Stage A: create the User Access account
Log in to MKAdmin administrate your library:
- - Go to http://mkc-admin.indexdata.com/console/
- - Enter the adminstrative username/password
- - Go to the User Access tab
- - Create an end-user account
- - Depending on what authentication method it be used, set the
- User Access account's username and password, or IP-address
- range, or referring URL, or hostname.
+
+* Go to http://mkc-admin.indexdata.com/console/
+* Enter the adminstrative username/password
+* Go to the User Access tab
+* Create an end-user account
+* Depending on what authentication method it be used, set the
+ User Access account's username and password, or IP-address range, or
+ referring URL, or hostname.
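Review bot: two wording errors from the old list are carried over verbatim into the new bullets: `+* Enter the adminstrative username/password` ("administrative") and `+* Depending on what authentication method it be used, set the` ("is to be used"); fix them here rather than in a follow-up. Separately, `+* Go to http://mkc-admin.indexdata.com/console/` links the console as plain `http://` while the next bullet has the reader type the administrative password into it; if the console is served over TLS, link to the `https://` form so the documented path is the protected one.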
If your MWKS application runs at a well-known, permanent address --
http://yourname.com/app.html, say -- you can set the User Access
THAT THIS IS NOT SECURE, AS OTHER APPLICATIONS CAN USE THIS VIRTUAL
HOSTNAME TO GAIN ACCESS TO YOUR LIBRARY.
-### Authentication by IP address does not yet work correctly -- see
+TODO Authentication by IP address does not yet work correctly -- see
bug MKWS-234 ("Improve SP configuration/proxying for better
authentication").
uses Referring URL, and another that uses a username/password pair to
be used when running an application from a different URL.
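Review bot: warnings are treated inconsistently within this change: the first hunk replaced the all-caps "IT IS THEN CRUCIAL ..." with markdown bold, but the equally important `THAT THIS IS NOT SECURE, AS OTHER APPLICATIONS CAN USE THIS VIRTUAL` / `HOSTNAME TO GAIN ACCESS TO YOUR LIBRARY.` is left in shouting caps; apply the same `**...**` treatment. Also, rewriting `### Authentication by IP address does not yet work correctly -- see` as a `TODO` line means this developer note now renders as ordinary body text in the user-facing document; if it is meant for readers, say plainly which authentication method they should use until MKWS-234 is fixed, and if not, put it in an HTML comment or a marked "Known issues" section so that all the TODOs in this file follow one convention.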
-Stage B: tell the application to use the library
+### Stage B: tell the application to use the library
In the HTML of the application, tell MKWS to authenticate on to the
Service Proxy. When IP-based, referer-based or hostname-based
"//sp-mkws.indexdata.com/service-proxy/?command=auth&action=perconfig" };
</script>
-### This should be the default setting
+TODO This should be the default setting
And ensure that access to the MWKS application is from the correct
Referrer URL or IP-range.
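Review bot: `+TODO This should be the default setting` sits directly after the `<script>` sample and reads as part of the instructions; state explicitly whether `service_proxy_auth` currently defaults to the perconfig URL shown, so the reader knows whether the snippet is required or optional. The closing sentence `And ensure that access to the MWKS application is from the correct` / `Referrer URL or IP-range.` should also point back to Stage A, since that is where the referer or IP restriction is actually configured on the User Access account.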
-Stage C1 (optional): access by a different virtual hostname
+### Stage C1 (optional): access by a different virtual hostname
When hostname-based authentication is in use, it's necessary to access
the Service Proxy as the correctly named virtual host. This can be
URL containing that hostname, such as
//yourname.sp-mkws.indexdata.com/service-proxy/?command=auth&action=perconfig
-### It should be possible to change just the hostname without needing
+TODO It should be possible to change just the hostname without needing
to repeat the rest of the URL (protocol, path, query)
-### When changing the SP authentication URL, the Pazpar2 URL should in
+TODO When changing the SP authentication URL, the Pazpar2 URL should in
general change along with it.
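Review bot: Stage C1 documents hostname-based access via `//yourname.sp-mkws.indexdata.com/service-proxy/?command=auth&action=perconfig` without repeating the earlier warning that other applications can use the virtual hostname to gain access to the library; add a one-line cross-reference so the caveat is visible where the method is configured. The two `TODO` items that follow (changing just the hostname, and keeping the Pazpar2 URL in step with the SP authentication URL) are feature requests rather than reader instructions; consider filing them as issues like MKWS-234 and referencing the issue id here instead of leaving inline notes in the published text.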
-Stage C2 (optional): embed credentials for access to the library
+### Stage C2 (optional): embed credentials for access to the library
When credential-based authentication is in use (username and
password), it's necessary to pass these credentials into the Service
by setting the service_proxy_auth configuration item to a URL such as
//sp-mkws.indexdata.com/service-proxy/?command=auth&action=perconfig&username=mike&password=swordfish
-### It should be possible to add the username and password to the
+TODO It should be possible to add the username and password to the
configuration without needing to repeat the rest of the URL.
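Review bot: the example `//sp-mkws.indexdata.com/service-proxy/?command=auth&action=perconfig&username=mike&password=swordfish` embeds realistic-looking credentials in a URL that, as Stage D immediately notes, is exposed in the page source; use unmistakable placeholders (e.g. `username=USERNAME&password=PASSWORD`) and end Stage C2 with a forward reference to Stage D so readers do not stop at the credentialed URL thinking it is the finished configuration. `+TODO It should be possible to add the username and password to the` has the same rendering issue as the other TODOs in this change.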
-Stage D (optional): conceal credentials from HTML source
+### Stage D (optional): conceal credentials from HTML source
Using a credential-based Service-Proxy authentication URL such as the
one above reveals the the credentials to public view -- to anyone who
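Review bot: the context line `one above reveals the the credentials to public view -- to anyone who` has a doubled "the"; since this hunk touches the heading directly above it, fix the typo here. The new heading `+### Stage D (optional): conceal credentials from HTML source` is the right place for the mitigation, so make sure the section that follows states that this is the step that addresses the exposure created by the embedded-credential URL in Stage C2.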