[Dspace-tech] Restricting Bitstream Access Based on IP-Range
I can't find anything on this in the DSpace site or wiki, and I think this may not be possible, but is anyone aware of a way, without using a proxy server, to block access to the bitstream of an object based on an IP range, rather than group membership?

We have some objects that we want to make accessible to anyone on-campus, using our campus IP scheme, but not off-campus. I'm aware that this is not an air-tight way of preventing the public from accessing the bitstream, and we're OK with that. It is fine with us if the object's metadata is available from any IP address; the only thing we would like to prevent is off-campus access to the bitstream.

Thanks in advance for any help on this one...

--
Stacy Pennington
Rhodes College
penning...@rhodes.edu
(901) 843-3968

Re: [Dspace-tech] Restricting Bitstream Access Based on IP-Range
Hello Stacy,

this is not directly configurable, but you can achieve it by a combination of IP-based authentication and the standard DSpace resource policies. Create an IP-based group for the members of your university and a resource policy that restricts the bitstream access to members of that group.

During ingest the item and its bitstream(s) derive their resource policies from the DEFAULT_ITEM_READ and DEFAULT_BITSTREAM_READ. So setting DEFAULT_BITSTREAM_READ to the group which includes your university members will restrict the access of the newly ingested bitstreams to this group. For bitstreams in already ingested items you have to use the advanced policy tool to change the resource policies.

Hope that helps

Claudia Jürgen

--
Claudia Jürgen
Eldorado - Repositorium der TU Dortmund
Universitätsbibliothek Dortmund
Vogeplothsweg 76
D-44227 Dortmund
Tel.: 0049-231-755-4043

Re: [Dspace-tech] Restricting Bitstream Access Based on IP-Range
Thanks! That is exactly what I needed to know. I had never noticed the IP authentication options before in the dspace.cfg or admin guide.

So, I'm assuming that, if I have a DSpace group in my repository called RHODES and I wanted to assign any 10.x.x.x IP addresses to that group, I would enable IP auth in the stackable authentication and then use this line in dspace.cfg to let DSpace know to put anyone from the 10.x.x.x range into that group, unless they otherwise authenticate as an LDAP user (LDAP comes first in our stackable auth list):

authentication.ip.RHODES = 10

Correct?

--
Stacy Pennington
Rhodes College
penning...@rhodes.edu
(901) 843-3968

-----Original Message-----
From: Claudia Juergen [mailto:claudia.juer...@ub.tu-dortmund.de]
Sent: Monday, January 25, 2010 1:08 PM
To: Pennington_Stacy
Cc: dspace-tech@lists.sourceforge.net
Subject: Re: [Dspace-tech] Restricting Bitstream Access Based on IP-Range

Hello Stacy,

this is not directly configurable, but you can achieve it by a combination of IP-based authentication and the standard DSpace resource policies. Create an IP-based group for the members of your university and a resource policy that restricts the bitstream access to members of that group.

During ingest the item and its bitstream(s) derive their resource policies from the DEFAULT_ITEM_READ and DEFAULT_BITSTREAM_READ. So setting DEFAULT_BITSTREAM_READ to the group which includes your university members will restrict the access of the newly ingested bitstreams to this group. For bitstreams in already ingested items you have to use the advanced policy tool to change the resource policies.

Hope that helps

Claudia Jürgen
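
An added example, not part of the thread and not DSpace code: a small Python check of which client addresses a mapping line such as `authentication.ip.RHODES = 10` would place in the group. It assumes a partial address is matched on whole leading octets (so `10` means 10.0.0.0/8); the CIDR and netmask handling goes beyond the single `10` case discussed above, and all function names and client addresses are constructed for illustration.

```python
import ipaddress

# Constructed sample: the mapping line from the thread (group RHODES, range "10").
SAMPLE_CFG = "authentication.ip.RHODES = 10\n"

def parse_ip_groups(cfg_text):
    """Return {group: [range, ...]} from authentication.ip.<GROUP> lines."""
    groups = {}
    for line in cfg_text.splitlines():
        line = line.strip()
        if line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.startswith("authentication.ip."):
            group = key[len("authentication.ip."):]
            groups[group] = [r.strip() for r in value.split(",") if r.strip()]
    return groups

def to_network(spec):
    """Turn a partial address ("10", "10.1") or a CIDR/netmask form into a network.

    Assumption: a partial address covers whole leading octets, so "10" means
    10.0.0.0/8 and never 100.x.x.x or 101.x.x.x (no string-prefix matching).
    """
    if "/" in spec:
        return ipaddress.ip_network(spec, strict=False)
    octets = spec.rstrip(".").split(".")
    padded = octets + ["0"] * (4 - len(octets))
    return ipaddress.ip_network(f"{'.'.join(padded)}/{8 * len(octets)}")

def groups_for(client_ip, groups):
    """Groups an unauthenticated client at client_ip would be placed in."""
    addr = ipaddress.ip_address(client_ip)
    return sorted(g for g, specs in groups.items()
                  if any(addr in to_network(s) for s in specs))

if __name__ == "__main__":
    cfg = parse_ip_groups(SAMPLE_CFG)
    # Constructed client addresses: on-campus, look-alike prefix, off-campus.
    for ip in ("10.4.20.7", "100.64.0.9", "192.0.2.15"):
        print(f"{ip:<12} -> {groups_for(ip, cfg) or 'no IP group'}")
```

The check is only meaningful for the address the application actually sees; behind a reverse proxy that may be the proxy's address rather than the client's.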