IP Authentication (college and university access) IP Authentication (college and university access)
 

News:

cpg1.5.48 Security release - upgrade mandatory!
The Coppermine development team is releasing a security update for Coppermine in order to counter a recently discovered vulnerability. It is important that all users who run version cpg1.5.46 or older update to this latest version as soon as possible.
[more]

Main Menu

IP Authentication (college and university access)

Started by newguess, March 20, 2011, 05:53:14 AM

Previous topic - Next topic

0 Members and 2 Guests are viewing this topic.

newguess

This is meant for general discussion board, but I cannot post there.

I am looking at using Coppermine Gallery for a subscription website for colleges and universities. The issue I am facing now is that colleges use IP authentication. It is the standard method of granting colleges/universities access to content. The reason that IP authentication is used is because it would be impossible and daunting to create an individual user account for each student and faculty at the college given that some schools have 5,000 plus students. IP authentication is used as a way of providing access to online content to a large groups of people.

The way IP authentication works is that an account is created for the college administrator on the website. The IP address or range of the college is then mapped to the administrator's user account. By map, I mean that the website webmaster can choose two ways to authenticate access for the college. They can authenticate access via domain OR by IP address (or IP range). This IP authentication feature is already built in Open Journal System, which is used for peer-reviewed journals.

Students at that college do not need to create an individual account or login to the website as long as they are logged into their college network. For example, students at library can access the materials after they have logged into any of their college computers in the library or the lab. Now, if the student is off-campus and want to access the contents of the website, they need to login to their college network before they can get access to read the contents of the website.

Is there a possibility for this functionality in Coppermine?

I would be happy to get feedback from the Coppermine community about IP authentication.

Αndré

What's your goal? Should all students be able to upload own content or do you only want to provide content (read-only)?

newguess

Thanks for responding.

I am not with a university or college. I am exploring the possiblity of building an art collection with Coppermine. The collection will be available to university/college libraries as subscription content. The collection will be used for academic and research purposes. For example, a student in an art class or art history class should be able access the art collection through its university library. The student or the faculty does not upload content to the website.

Generally, IP access is a way education institutions are given access to subscription content. When you use IP to authenticate access, students at the college do not have to create or enter user name or password to access the collection.  I am trying to see if there is some type of functionality like this in Coppermine, or if something can be created. Is there a way that Coppermine can be used to build collection for universities and colleges?

It is like Artstor, but their program is not for open source.

phill104

Better to give IP access on a server level rather than application level. It is quite simple to do in apache but is really not something we can discuss on here.
It is a mistake to think you can solve any major problems just with potatoes.

newguess

Can you provide some directions on how to do this on a server level? Is server level better than application?

Generally, only subscribers should see the content of the gallery. My question is this: if I enabled the feature that requires one to have an account before they can view the gallery content, how does that work with server level IP address you mentioned?

I have searched this before. Is there a way to hide the path of where the pages are located? Can the images be uploaded outside root?

Thanks for the suggestion.

Αndré

I think what Phill suggested is the following:
1. create a public gallery (which can be viewed without entering any account data)
2. restrict the access to the Coppermine directory (or the whole server) to just a few IP addresses

newguess

The whole gallery is only available by subscription. I do not get your suggestion about having a public gallery. What would be the point?

If you or Phil can clarify what he meant in his previous about server versus application, that will be great in understanding the rationale.

Αndré

I don't know what you mean with
Quote from: newguess on April 06, 2011, 05:01:50 AM
The whole gallery is only available by subscription

Usually Coppermine is accessible with an url like http://coppermine-gallery.net/demo/cpg15x/. Do you already have a Coppermine gallery? If so, please post a link.

phill104

It is a mistake to think you can solve any major problems just with potatoes.

newguess

Quote from: Αndré on April 06, 2011, 10:16:40 AM
I don't know what you mean with
Usually Coppermine is accessible with an url like http://coppermine-gallery.net/demo/cpg15x/. Do you already have a Coppermine gallery? If so, please post a link.

To clarify my earlier point, the gallery should be available by subscription. By this, I mean that only paid subscribers should be able to view the gallery. Those that have not paid cannot view the gallery. Do you follow? I do not have a Coppermine link. I am not sure if I will be using Coppermine for the project.

newguess

Quote from: Phill Luckhurst on April 06, 2011, 10:29:50 AM
Maybe one of these articles will help you - http://tinyurl.com/3pa538c

Thanks for the link.

If you are going to suggest an alternative way of using the server instead of application to do IP access, please explain.
I do not know why suggested that, and others who are following this thread may also want an answer as well. I did not realize that you cannot discuss ways to use Apache to control access for Coppermine on a Coppermine forum. Are there rules of what can or cannot be discussed?

Could you post an example of how to do the restrict of IP on a server level?

After reading some of the concerns on the forum, how do you hide the location (directory) and path to your images? If someone knows you are using Coppermine, you can find the path. Is there any way to minimize this?

phill104

Coppermine is a gallery app, that is all. Out of the box there is no part of the application that will restrict access by ip address and I know of no other gallery that does that. Most including Coppermine use passwords to restrict access. With Coppermine you can password protect albums. Plugins xould be written and modifications may even exist for previous versions but I have not looked.

Adding support for that would be "Application level restriction".

Server level restriction is a different thing and all depends on the server you are using, how it is setup and many other things. There are also different ways of achieving it using Apache. You can send out access keys, limit ip ranges or individual addresses or just use a simple .htaccess all of which would prevent any unauthorised user access to any chosen directory structure. There may even be applications available to automate that task but that really is something we cannot support you on.

We simply support and develop the application, not the systems you choose to install it on.
It is a mistake to think you can solve any major problems just with potatoes.

newguess

Thanks for the explanation. Is there a reason that Coppermine does not have a plugin or in-built support for IP recognition? Isn't there room for expansion?

Perhaps, most users that use Coppermine may use it to host their gallery, which is great, but what about educational users. I hardly think I am unique in making a request. I know I am not. I have seen quite a number of requests on this on from different places. Who got our back?  :'(

This is comparing apples and oranges, but Drupal has several pluguins that limit access to website based on IP address. A user account is required. Once an account is created by the admin, then the IP address of the user is entered in a private box that nobody sees only the dmin. If the user uses the IP address, the Drupal plugin logs them in automatically to the website. The user does not login. Can a similar function be created in Coppermine?

QuoteYou can send out access keys, limit ip ranges or individual addresses or just use a simple .htaccess all of which would prevent any unauthorised user access to any chosen directory structure.

How do you limit IP ranges? Please, give an actual example.

For the "simple .htaccess" you referred to, how do you create it? Please keep in mind that a school have 15 IP addresses. So if you have 20 schools, you are looking at 300 IP addresses.

Can the IP recognition also protect content? It seems like a protection is needed to ensure that right IP have access to the website, as well as its content.

QuoteThere may even be applications available to automate that task but that really is something we cannot support you on.

Any suggestions?

Feedback welcome.

phill104

A plugin could be created but you would have to do that yourself or pay someone to do it for you. As for the other suggestions I have made this is really not the place to discuss those. We can only support Coppermine and not the servers you run it on. There are plenty of places where those are discussed in detail if you google them. It is also dependant on how your server is setup that would dictate the best way to achieve this. How your server is setup is something we do not know nor want to get involved with.
It is a mistake to think you can solve any major problems just with potatoes.

newguess

I received a notification that there was a response to the post. I do not see the post. What happened to it?

phill104

It was a spam post that has been removed. The only posts we ever remove are spam. On very rare occacions we will remove abusive posts but usually we leave them so others can make up their minds about the poster.
It is a mistake to think you can solve any major problems just with potatoes.