1 / 21

Web-Based Access Control for ITS Web Services, Present and Future

Jeffrey C. D’Angelo, Programmer/Analyst, Enabling Technologies Group James A. Vuccolo, Manager, Software Solutions Group Applied Information Technologies (AIT) in Academic Services and Emerging Technologies (ASET), a unit of Information Technology Services (ITS).

piper
Télécharger la présentation

Web-Based Access Control for ITS Web Services, Present and Future

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Jeffrey C. D’Angelo, Programmer/Analyst, Enabling Technologies Group James A. Vuccolo, Manager, Software Solutions Group Applied Information Technologies (AIT) in Academic Services and Emerging Technologies (ASET), a unit of Information Technology Services (ITS) Web-Based Access Control for ITS Web Services, Present and Future

  2. Topics • Access Control Concepts, Methods and Technology • Restricting Access on ITS Web Services • Role Based Tools • New and changing services

  3. Access Control Concepts • Identification and Authentication (AuthN) • Authorization (AuthZ) • Roles and Groups

  4. Access Control Methods • File Permissions • all or nothing? • Special cases: Portal, share.pass, WebMail • Database restrictions (SQL GRANT) • Web server control / .htaccess • Roles and Groups

  5. Access Control Technology - AuthN • HTTP Basic auth • .htpasswd • mod_auth_kerb / mod_auth_dce / mod_auth_external • CGI form / Cookies • Penn State WebAccess / CoSign • Custom database enabled application • Less used • Client certificates • Kerberos browser support

  6. Access Control Technology - AuthZ • File Permission Control • ACL Explorer (on http://www.work.psu.edu/) • PASS Shares (“File Sharing” button of the PASS Explorer) • Web Permission Control: .htaccess • Restrict Access to COLA (on http://www.work.psu.edu/) • Dynamic Web application based (CGI, PHP, etc) • Groups: User Managed Groups (DCE, LDAP) • Course groups • Implicit UMGs

  7. ACLs and UMGs • Explicit UMGs must be told what to do • To restrict file access by explicit UMG, the UMG must be added to the ACLs. • File users can be specified in ACLs or UMGs • Which is better for you? • Web users can be specified in .htaccess or UMGs • However, UMGs need mm_mod_auth_ldap (with patch) • Alternatives: mod_auth_ldap, mod_authz_ldap Demonstration

  8. Manage Web Editors (Implicit UMGs) • Departmental Web Space (http://www.psu.edu/dept/) • umg/services.www.dept.departmentname • https://umg.its.psu.edu/ • Course Online Accounts (http://www.courses.psu.edu/) • umg/services.www.courses.coursename • https://umg.its.psu.edu/ • Student Orgs Web Space (http://www.clubs.psu.edu/) • umg/clubs.campusname.clubname • https://admin.clubs.psu.edu/

  9. ACL Problems to Avoid • mask_obj problems • Secure FTP setting / SMB share setting • Removing in ACL explorer • Removing desired permissions by recursion • User home & www, share • Departmental space and group folders • Removing user_obj the wrong way

  10. Roles • What is a role? • Example • Case Studies • WebRAT

  11. What is a role? Roles are groups of people with attributes

  12. Example Group dn: cn=wfg.046.notify,dc=psu,dc=edu member: psdiridn=375704,dc=psu,dc=edu dn: psdiridn=375705,dc=psu,dc=edu psmnemonics=wfg.046.notify:0:TLT psaccountnumbers=wfg.046.notify:0:ALL psfundtype=wfg.046.notify:0:ALL psdollarthreshold=wfg.046.notify:0:NoLimit Entry

  13. Case Studies • Penn State WorkFlow • Departmental Identity

  14. Penn State WorkFlow • Problem • Needed a solution to control authorization to various financial applications within the Penn State WorkFlow system • Solution • Use roles to group financial people together and specify access restrictions via attributes

  15. Departmental Identity • Problem • How do you represent information about a person who has multiple affiliations? • i.e. A staff member at UP who teaches at Penn State Altoona • Solution • Use a role to represent the additional affiliations

  16. WebRAT • Web-based Role Authorization Tool (A.K.A “The RAT”) • Allows authorized personnel to assign roles • Uses role as template to determine what attributes to assign Demonstration

  17. protected.personal.psu.edu • Problem • The web server, http://www.personal.psu.edu/ is open to the world. It does not have a mechanism by which an average user can control access to his/her content. • Technically inclined users can set .htaccess file based password protection. However, they cannot authenticate Access/FPS accounts on http://www.personal.psu.edu/. • Solution • https://protected.personal.psu.edu/ is a future service that will solve this problem • Access can be controlled using any combination of Access and FPS Accounts, groups and roles

  18. Access Control Manager • A prototype of a Web-based tool that will be used to control access to content that is hosted on https://protected.personal.psu.edu/. Demonstration

  19. Directory Authorization Control • mm_mod_auth_ldap example • PHP example • http://php.scripts.psu.edu/jcd/useful/webcon/2005/ldap.php Demonstration

  20. ITS Web Service Changes 2007+ • http://www.work.psu.edu/ facelift • Install mm_mod_auth_ldap on more servers • E.g. http://www.courses.psu.edu/ • PASS Migration • ACL Explorer redo • https://protected.personal.psu.edu/ • http://blogs.psu.edu/ may have a protected version Demonstration

  21. Resources • Apply for Web space • Individual: http://www.work.psu.edu/webspace/ • Course: http://aset.its.psu.edu/accounts/cola.html • Departmental: http://aset.its.psu.edu/accounts/dept.html • Student Org: http://www.clubs.psu.edu/info/start.html • Apply for User Managed Group (explicit) • http://aset.its.psu.edu/accounts/accountsforms/ • Regular: Apply for Services > “Create a User Managed Group for Personal or Departmental space” • Course group: Manage Services > “Create a User Managed Group for a Course” • Authentication / Authorization control basics • Set UMG in ACLs: https://umg.its.psu.edu/instructions.shtml • Basic password protect: http://css.its.psu.edu/publish/htpasswd/ • WebAccess for Web dev: http://aset.its.psu.edu/docs/webaccess/

More Related