Putting HTML/SCORM, Media Files and User Profile Images Under RBAC Control

ILIAS 5.1 and higher

ILIAS 5.1 activates the newly implemented WebAccessChecker by default, as long as Apache supports RewriteRules (mod_rewrite activated). Please remove all "old" configurations listed below. ILIAS 5.1 already implements the RewriteRule in the .htaccess file delivered with ILIAS.
The new implementation of the WebAccessChecker allows several delivery methods, such as PHP and xSendFile. Some of them need further configuration:

Using PHP

This is the default setting. Nothing to configure.

Using xSendFile

xSendFile allows faster delivery of file-content which is important when delivering large files (such as Video, Audio, ...).

The Apache-Module can be installed (on Debian/Ubuntu) with:

sudo apt-get install libapache2-mod-xsendfile
sudo a2enmod xsendfile

In your Apache config or VHOST, the "iliasdata" and "data" directories must be unlocked with XSendFilePath, e.g.:

XSendFilePath /var/www
XSendFilePath /var/iliasdata

Using nginx

The new implementation allows nginx-based webservers to use the WebAccessChecker-Feature as well. Use a configuration like this:

server {
    [...]
    root /var/www/trunk;
    set $root $document_root;
    rewrite ^/data/(.*)/(.*)/(.*)$ /Services/WebAccessChecker/wac.php last;
    location /secured-data {
        alias $root/data;
        internal;
    }
    [...]
}

Just as Apache has xSendFile, nginx has the module "x-accel-redirect". Since PHP has no way to find out whether the module is installed and active, you need to tell the ilFileDelivery class to use it:

Copy the file
Services/FileDelivery/classes/override.php.template
to
Services/FileDelivery/classes/override.php

and change its content to:

// [Huge comment block...]
$override_delivery_type = ilFileDelivery::DELIVERY_METHOD_XACCEL;

ILIAS 4.1.3 - 5.0.x

Using RewriteRule with parameters

HTML files within ILIAS HTML/SCORM learning modules and media objects are not secured by RBAC by default. Because these files are stored in the web folder of your web server (in the directories data/<client_name>/lm_data and data/<client_name>/mobs under the ILIAS main directory), they can be requested directly without involving PHP (and ILIAS).

To have ILIAS check access rights for these files before they are sent to the client browser, you have to configure your web server to call the ILIAS web access checker script when they are requested. For the Apache web server this is done by adding some lines to the httpd.conf or virtual server configuration.

  • The preferred configuration is via RewriteRule, which allows you to set additional parameters.
  • If you can't use RewriteRule, use AliasMatch with different target scripts for different delivery types.

Instead of using different target scripts you can use a rewrite rule to call the web access checker with parameters. This way you can combine different parameters for different files. This solution requires the Apache module mod_rewrite.
RewriteEngine On

# Deliver download files as attachments
RewriteRule ^/ilias/data/.*/lm_data/.*\.(pdf|doc)$ /ilias/Services/WebAccessChecker/web_access_checker.php?disposition=attachment

# Deliver all other files normally
RewriteRule ^/ilias/data/.*/lm_data/.*$ /ilias/Services/WebAccessChecker/web_access_checker.php?disposition=inline
RewriteRule ^/ilias/data/.*/mobs/.*$ /ilias/Services/WebAccessChecker/web_access_checker.php?disposition=inline

# Generic Rule (ILIAS 5.0+ only!)
RewriteRule ^/ilias/data/.*/sec/.*$ /ilias/Services/WebAccessChecker/web_access_checker.php?disposition=inline

Please note that the target of a RewriteRule is a virtual path relative to the web server's DocumentRoot.
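
An added example (not part of the ILIAS documentation or code base): the Python sketch below parses the RewriteRule lines shown above and reports, for a set of constructed request paths, which disposition the checker is called with, or whether a path matches no rule and would be served by Apache directly. The client name myclient and the file names are assumptions.

```python
import re

# RewriteRule lines copied from the configuration above, in the same order.
APACHE_RULES = r"""
RewriteRule ^/ilias/data/.*/lm_data/.*\.(pdf|doc)$ /ilias/Services/WebAccessChecker/web_access_checker.php?disposition=attachment
RewriteRule ^/ilias/data/.*/lm_data/.*$ /ilias/Services/WebAccessChecker/web_access_checker.php?disposition=inline
RewriteRule ^/ilias/data/.*/mobs/.*$ /ilias/Services/WebAccessChecker/web_access_checker.php?disposition=inline
RewriteRule ^/ilias/data/.*/sec/.*$ /ilias/Services/WebAccessChecker/web_access_checker.php?disposition=inline
"""

# Constructed sample requests; "myclient" and the file names are assumptions.
SAMPLE_PATHS = [
    "/ilias/data/myclient/lm_data/lm_1/handout.pdf",
    "/ilias/data/myclient/lm_data/lm_1/handout.PDF",  # patterns are case-sensitive
    "/ilias/data/myclient/lm_data/lm_1/index.html",
    "/ilias/data/myclient/mobs/mm_7/clip.mp4",
    "/ilias/data/myclient/usr_images/usr_6.jpg",      # no rule in this block
]

def parse_rules(text):
    """Return [(compiled_pattern, target)] for every RewriteRule line."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "RewriteRule":
            rules.append((re.compile(parts[1]), parts[2]))
    return rules

def route(path, rules):
    """Target of the first matching rule, or None if no rule fires.

    The patterns are anchored at ^/ilias/data/, so once a rule has rewritten
    the URL to the checker script no later rule matches: the first hit decides.
    """
    for pattern, target in rules:
        if pattern.search(path):
            return target
    return None

def audit(paths, rules):
    """Map each path to its disposition, or 'UNPROTECTED' if no rule fires."""
    report = {}
    for path in paths:
        target = route(path, rules)
        report[path] = target.split("disposition=")[1] if target else "UNPROTECTED"
    return report

if __name__ == "__main__":
    for path, result in audit(SAMPLE_PATHS, parse_rules(APACHE_RULES)).items():
        print(f"{result:12} {path}")
```
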

Parameter: disposition
Allowed values:
  • inline
  • attachment
  • virtual
Description: The delivery method of the file. This corresponds to the methods described above:
  • inline: simple check and delivery by PHP,
  • attachment: force a download dialogue,
  • virtual: Fast Delivery by Apache. This is the preferred solution, but needs additional Apache modules and configuration (see the "Fast Delivery" section below).
The default setting is inline.

Parameter: send_mimetype
Allowed values:
  • On, true, 1
  • Off, false, 0
  • a specific mime type
Description: Sets whether a Content-Type header should be generated by ILIAS for the file.
  • On sends a type that is detected by ILIAS.
  • Off prevents ILIAS from sending the type. If you use disposition=virtual, the type is then determined by Apache. This will in some cases work better than the ILIAS detection.
  • If a specific type (like application/zip) is specified, this will be sent instead of the detected type.
The default setting is On.

Parameter: check_ip
Allowed values:
  • On, true, 1
  • Off, false, 0
Description: Use the client's IP address to determine the active user if no session cookie is sent with the request (see description below).
The default setting is Off.

Use the following configuration for a direct delivery of a requested file by the Apache web server. This has some significant benefits:
  • large files are delivered faster,
  • the HTTP headers are similar to those of an unprotected file, which causes fewer problems with specific media files or Java applets.
This solution works on Linux/Unix systems only (because a symbolic link is needed). The following Apache modules are needed for this delivery type:
  • mod_headers
  • mod_alias
  • mod_authz_host
First go to your ILIAS directory and create a symbolic link virtual-data to the data directory (replace /srv/www/htdocs with your htdocs path):
cd /srv/www/htdocs/ilias
ln -s data virtual-data

# Allow the symbolic link virtual-data pointing to the data directory
<Directory /srv/www/htdocs/ilias>
Options +FollowSymLinks
</Directory>

# Prevent direct access to the files in virtual-data
# These should only be delivered if they have been checked by ILIAS before
<Directory /srv/www/htdocs/ilias/virtual-data>
Order deny,allow
Deny from all
Allow from env=ILIAS_CHECKED
</Directory>

# Unset the response headers that are automatically added by PHP
# Apache will add its own headers when the file is actually sent
<Directory /srv/www/htdocs/ilias/Services/WebAccessChecker>
Header unset X-Powered-By
Header unset Expires
Header unset Cache-Control
Header unset Pragma
Header unset Keep-Alive
Header unset Connection
</Directory>

# Protect learning modules and media objects
RewriteRule ^/ilias/data/.*/lm_data/.*$ /ilias/Services/WebAccessChecker/web_access_checker.php?disposition=virtual&send_mimetype=false
RewriteRule ^/ilias/data/.*/mobs/.*$ /ilias/Services/WebAccessChecker/web_access_checker.php?disposition=virtual&send_mimetype=false

# Protect user images (ILIAS 4.1.3 and higher)
RewriteRule ^/ilias/data/.*/usr_images/.*$ /ilias/Services/WebAccessChecker/web_access_checker.php?disposition=virtual&send_mimetype=false

# Note: send_mimetype=false suppresses the content-type detection by ILIAS. The type is then determined by Apache when the file is sent with virtual().

In some specific cases no session cookie is sent by the client when a protected file is requested. This may for example be the case when PDF files in an HTML learning module link to each other and the Adobe Reader is opened as an external application. To protect these files in some way, the web access checker can try to identify the active user by their IP address.
Please note that this is not 100% secure. In case of proxy usage or NAT, more than one active user may share the same IP address. ILIAS will then deliver a file if one of these users has read access.
IP based checking is not active by default. Two configurations are needed to activate it:
  1. To activate the storage of a user's IP address, add the following lines to the file data/YourClientName/client.ini.php:
    [session]
    save_ip = "1"
  2. To activate the IP checking for specific files, add a parameter to the web access checker script in your Apache configuration (see above):
    RewriteEngine On
    RewriteRule ^/ilias/data/.*/lm_data/.*\.pdf$ /ilias/Services/WebAccessChecker/web_access_checker.php?check_ip=On
To use the IP based check with ILIAS 4.1 you need a small patch that adds a new database field. Download the patch and copy the enclosed file to the main directory of your ILIAS installation. Then open a browser and call apply_patch_session_ip.php in your ILIAS web path. The patch will extend the session table with a field to store the user's IP address. You can delete the patch file afterwards.
Patch for ILIAS 4.1 (minimum 4.1.3)

Using AliasMatch with different target scripts (all ILIAS 4 versions)

You can choose between three delivery methods for the protected files and use separate methods for different file name patterns. The preferred solution is "Fast Delivery by Apache", which relieves ILIAS from sending the file through PHP. This method needs additional Apache modules and configuration but is faster and more reliable.
Add the following lines to your Apache or virtual host configuration file (replace /srv/www/htdocs with your htdocs path):
# Protect learning modules and media objects
AliasMatch ^/ilias/data/.*/lm_data/.*$ /srv/www/htdocs/ilias/Services/WebAccessChecker/web_access_checker.php
AliasMatch ^/ilias/data/.*/mobs/.*$ /srv/www/htdocs/ilias/Services/WebAccessChecker/web_access_checker.php

# Protect user images (ILIAS 4.1.3 and higher)
AliasMatch ^/ilias/data/.*/usr_images/.*$ /srv/www/htdocs/ilias/Services/WebAccessChecker/web_access_checker.php
To force a download dialogue for some file types, use this configuration (replace /srv/www/htdocs with your htdocs path):
# Deliver download files as attachments
AliasMatch ^/ilias/data/.*/lm_data/.*\.(pdf|doc)$ /srv/www/htdocs/ilias/Services/WebAccessChecker/web_access_attach.php

# Deliver all other files normally
AliasMatch ^/ilias/data/.*/lm_data/.*$ /srv/www/htdocs/ilias/Services/WebAccessChecker/web_access_checker.php
AliasMatch ^/ilias/data/.*/mobs/.*$ /srv/www/htdocs/ilias/Services/WebAccessChecker/web_access_checker.php

# Protect user images (ILIAS 4.1.3 and higher)
AliasMatch ^/ilias/data/.*/usr_images/.*$ /srv/www/htdocs/ilias/Services/WebAccessChecker/web_access_checker.php
You may specify file types other than pdf and doc in the first AliasMatch.

Use the following configuration for a direct delivery of a requested file by the Apache web server. This has some significant benefits:
  • large files are delivered faster,
  • the HTTP headers are similar to those of an unprotected file, which causes fewer problems with specific media files or Java applets.
This solution works on Linux/Unix systems only (because a symbolic link is needed). The following Apache modules are needed for this delivery type:
  • mod_headers
  • mod_alias
  • mod_authz_host
First go to your ILIAS directory and create a symbolic link virtual-data to the data directory (replace /srv/www/htdocs with your htdocs path):
cd /srv/www/htdocs/ilias
ln -s data virtual-data
Then add the following lines to your Apache or virtual host configuration file (replace /srv/www/htdocs with your htdocs path):
# Allow the symbolic link virtual-data pointing to the data directory
<Directory /srv/www/htdocs/ilias>
Options +FollowSymLinks
</Directory>

# Prevent direct access to the files in virtual-data
# These should only be delivered if they have been checked by ILIAS before
<Directory /srv/www/htdocs/ilias/virtual-data>
Order deny,allow
Deny from all
Allow from env=ILIAS_CHECKED
</Directory>

# Unset the response headers that are automatically added by PHP
# Apache will add its own headers when the file is actually sent
<Directory /srv/www/htdocs/ilias/Services/WebAccessChecker>
Header unset X-Powered-By
Header unset Expires
Header unset Cache-Control
Header unset Pragma
Header unset Keep-Alive
Header unset Connection
</Directory>

# Protect learning modules and media objects
AliasMatch ^/ilias/data/.*/lm_data/.*$ /srv/www/htdocs/ilias/Services/WebAccessChecker/web_access_virtual.php
AliasMatch ^/ilias/data/.*/mobs/.*$ /srv/www/htdocs/ilias/Services/WebAccessChecker/web_access_virtual.php

# Protect user images (ILIAS 4.1.3 and higher)
AliasMatch ^/ilias/data/.*/usr_images/.*$ /srv/www/htdocs/ilias/Services/WebAccessChecker/web_access_virtual.php

Former Versions

In ILIAS 3 only one checker script was available, which can be called with an AliasMatch rule. This script always sent the file inline (not for download) via PHP.
Add the following lines to your Apache or virtual host configuration file (replace /srv/www/htdocs/ilias3 with your ILIAS directory):
AliasMatch ^/ilias3/data/.*/lm_data/.*\.(html|htm|swf|pdf)$ /srv/www/htdocs/ilias3/Services/WebAccessChecker/web_access_checker.php
Add the following lines to your Apache or virtual host configuration file (replace /srv/www/htdocs/ilias3 with your ILIAS directory):
AliasMatch ^/ilias3/data/.*/lm_data/.*\.(html|htm|swf|pdf)$ /srv/www/htdocs/ilias3/content/web_access_checker.php