View on GitHub

Raven authentication

Overview

You can configure your site, or a subset of pages, to require user authentication with Raven, the university’s authentication system.

With .htaccess

The SRCF has the mod_ucam_webauth module installed, which makes it easy to do basic authentication using Raven. Full documentation is available, though here are a few common cases.

To protect a directory (whether public_html for your entire site, or a subdirectory of it), create or edit a .htaccess file in that directory, and add the following:

AuthType Ucam-WebAuth
Require valid-user

This will permit access to anyone with a ‘current’ Raven account, i.e. active students and staff. To permit access to any Raven account (including graduated students), add a Ptags directive:

AARequiredPtags none

Alternatively, you may want to limit access to Raven-authenticated users or visitors within the cam.ac.uk domain:

Order allow,deny
Allow from .cam.ac.uk
AuthType Ucam-WebAuth
Require valid-user
Satisfy any

To limit page access to group account admins only, add a unix-group Require directive:

Require unix-group <groupname>

You can also list specific users:

Require user <crsid> <crsid>...

To create a ‘logout’ link, add the following to your .htaccess file (which will create /logout relative to the directory containing the .htaccess file):

<FilesMatch "logout">
    SetHandler AALogout
</FilesMatch>

You can access a Raven-authenticated user’s CRSid using the REMOTE_USER (or AAPRINCIPAL) environment variables. For example, adding the following to a PHP page like index.php will display a customised welcome message on login:

<?php
echo "Hello {$_SERVER['REMOTE_USER']}!"
?>

Example configuration:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=permanent]

AuthType Ucam-WebAuth
Require user CRSID

Replace CRSID with your CRSID.

The Rewrite section makes all connections to .../wp-admin/ use SSL which will protect your password, the AuthType section uses Raven to restrict access to the directory, you probably want to use your CRSID on the Require line.

Within an application

If you’re writing or maintaining a webapp that needs to authenticate users for certain pages, you’ll likely need a Raven or UCamWebAuth library. The Raven developer documentation may be useful for finding a suitable integration.


Last modified on Monday Jan 2, 2023 by Richard Allitt