The PAPI System
Point of Access to Providers of Information

http://www.rediris.es/app/papi/

PAPI - [email protected] / [email protected]

Outline

- Introduction
- Requirements
- Approximations to a solution
- Configurations
- Architecture of the PAPI system
- Implementation
- Future lines


The origin

- Meeting between library consortia and content providers
- Original problem to solve: access control by IP address
- RedIRIS committed to provide a solution
- Organizations:
  - Spanish library consortia: CICA, CSIC, UAM, UOC, UPM, CBUC
  - Content providers: SILVERPLATTER, GREENDATA, EBSCO, SWETS, ARANZADI


Requirements

- Access control independent from the IP address of origin
- Upon successful local authentication, access must be granted for a configurable period of time to the services the user is authorized to use
- User mobility
- Transparency to the user
- Compatibility with other commonly employed access control systems
- Compatibility with Netscape/MSIE/Lynx browsers
- Privacy at the user level, while easing the collection of statistics by providers


Approximation: Temporary Certificates

[Diagram: the web browser sends its authentication data to the Authentication Server and receives temporary certificates (Certificate S1, S2, S3); each HTTP request then carries the matching certificate to Web Server S1 or S2, which returns the web page.]

Advantages:
- Temporary access to authorized services
- Allows user mobility
- Authentication is local to the user's organization
- Technology already implemented in the main web servers

Problems:
- NOT TRANSPARENT
- Password stored in the browser certificate DB
- The user must choose the right certificate
- Information providers not adapted to this technology
- Does not detect certificate duplication


Approximation: Partial Solutions

No transparency -> encrypted cookies
Web servers not adapted -> Points of Access

[Diagram: the web browser sends its authentication data to the Authentication Server and receives temporary encrypted cookies (Encry-cookie S1, S2, S3); each HTTP request carries the matching encrypted cookie to a Point of Access, which forwards the request to Web Server S1 and relays the web page back to the browser.]

Advantages:
- Temporary access to authorized services
- Allows user mobility
- Authentication is local to the user's organization
- Access control is adapted to the current web servers of the content providers
- Transparent to the user

Problems:
- Domain-name problems when loading cookies
- Does not detect cookie copying


Approximation: Partial Solutions

Domain-name problems when loading cookies -> cookies served by the PoAs

[Diagram: the web browser sends its authentication data to the Authentication Server and receives temporary signed URLs, one per Point of Access; following each signed URL to its Point of Access makes that PoA set the encrypted cookie (Encry-cookie S1, S2, S3) in its own domain.]


Approximation: Partial Solutions

Cookie copying -> database of cookies + short expiration time

[Diagram: Web Browser 1 sends an HTTP request with Encry-cookie S1 to the Point of Access, which checks the cookie against its DB of encrypted cookies, forwards the request to Web Server S1, and returns the web page together with a new Enc-cook S1, updating the DB. Web Browser 2, holding a copy of the old Encry-cookie S1, sends an HTTP request with it; the cookie no longer matches the DB and the Point of Access reports a collision.]


Architecture of the PAPI system

[Diagram: the web browser sends its authentication data to the Authentication Server and receives temporary signed URLs; following a signed URL to the Point of Access yields the encrypted cookies Hcook + Lcook. Each HTTP request to the Point of Access carries Hcook + Lcook; the PoA checks Hcook against its Hcook DB, forwards the request to Web Server S1, and returns the web page together with a new Hcook + Lcook.]

Tokens:
- URL: K_priv_AS (user code + server + path + expiration time + signing time)
- Hcook: K1_PA (user code + server + path + expiration time + random block)
- Lcook: K2_PA (user code + server + path + creation time)
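The token scheme above, and the cookie-copying scenario of the previous slide, as an added worked example that is not PAPI's own code. It simulates the Authentication Server and one Point of Access in Python with the standard library only: HMAC-SHA256 tags stand in for the OpenSSL signature under K_priv_AS and for the K1_PA/K2_PA cookie encryption (so the example authenticates the tokens but does not hide their contents), the random block of each issued Hcook is kept in the PoA's Hcook DB, and a second browser replaying a copied cookie after the first browser has rotated it ends in a collision. The key values, server name, path, skew window and what happens after a collision are assumptions.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets

# Constructed keys for the example (assumed). PAPI uses OpenSSL; here K_priv_AS is
# replaced by a shared HMAC key and the cookie ciphers by HMAC-authenticated tokens.
K_AS = b"example-authentication-server-key"
K1_PA = b"example-poa-hcook-key"
K2_PA = b"example-poa-lcook-key"

SERVER = "s1.provider.example"  # assumed server name
PATH = "/db/"                   # assumed protected path


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def seal(key: bytes, fields: dict) -> str:
    """Encode the fields and append an HMAC-SHA256 tag (stand-in for PAPI's signed/encrypted blocks)."""
    body = json.dumps(fields, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(tag)


def unseal(key: bytes, token: str):
    """Return the fields if the tag verifies under key, otherwise None."""
    try:
        body_b64, tag_b64 = token.split(".")
        body, tag = _unb64(body_b64), _unb64(tag_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return json.loads(body)


def as_sign_url(user: str, server: str, path: str, now: int, ttl: int) -> str:
    """Authentication Server: URL token = K_AS(user code + server + path + exp time + sign time)."""
    return seal(K_AS, {"user": user, "server": server, "path": path,
                       "exp": now + ttl, "signed": now})


class PointOfAccess:
    MAX_SKEW = 60  # assumed: a signed URL older than this many seconds is not honoured

    def __init__(self, server: str, path: str):
        self.server, self.path = server, path
        self.hcook_db = {}  # user code -> random block of the Hcook currently issued

    def _issue(self, user: str, exp: int, created: int) -> tuple:
        """Mint a fresh Hcook (new random block, recorded in the DB) and the matching Lcook."""
        rnd = secrets.token_hex(16)
        self.hcook_db[user] = rnd
        hcook = seal(K1_PA, {"user": user, "server": self.server, "path": self.path,
                             "exp": exp, "rnd": rnd})
        lcook = seal(K2_PA, {"user": user, "server": self.server, "path": self.path,
                             "created": created})
        return hcook, lcook

    def accept_signed_url(self, token: str, now: int):
        """Entry point: verify the AS-signed URL for this server/path and set the first cookie pair."""
        f = unseal(K_AS, token)
        if f is None or f["server"] != self.server or f["path"] != self.path:
            return None
        if not (f["signed"] <= now <= f["exp"]) or now - f["signed"] > self.MAX_SKEW:
            return None
        return self._issue(f["user"], f["exp"], now)

    def handle_request(self, hcook: str, lcook: str, now: int) -> dict:
        """Per-request check; on success the Hcook is rotated and both cookies are re-sent."""
        h, l = unseal(K1_PA, hcook), unseal(K2_PA, lcook)
        if h is None or l is None:
            return {"status": "invalid"}
        if (h["user"], h["server"], h["path"]) != (l["user"], l["server"], l["path"]) \
                or h["server"] != self.server or h["path"] != self.path:
            return {"status": "invalid"}
        if now > h["exp"]:
            return {"status": "expired"}
        # Hcook DB: only the most recently issued random block is valid, so a copied
        # cookie replayed after the legitimate browser has rotated it collides here.
        # What to do next (e.g. invalidate the user's session) is policy the slides
        # leave open; this example just refuses the request.
        if self.hcook_db.get(h["user"]) != h["rnd"]:
            return {"status": "collision"}
        new_h, new_l = self._issue(h["user"], h["exp"], l["created"])
        return {"status": "ok", "user": h["user"], "hcook": new_h, "lcook": new_l}


def demo() -> list:
    """Cookie-copying scenario: browser 1 rotates its cookie, browser 2 replays the copy."""
    poa = PointOfAccess(SERVER, PATH)
    t0 = 1_000_000
    url = as_sign_url("u123", SERVER, PATH, now=t0, ttl=3600)
    h1, l1 = poa.accept_signed_url(url, now=t0 + 5)
    copied_h, copied_l = h1, l1                                   # browser 2 copies the cookies
    r1 = poa.handle_request(h1, l1, now=t0 + 10)                  # browser 1: ok, cookies rotated
    r2 = poa.handle_request(copied_h, copied_l, now=t0 + 20)      # browser 2: stale Hcook -> collision
    r3 = poa.handle_request(r1["hcook"], r1["lcook"], now=t0 + 30)  # browser 1 keeps working
    return [r1["status"], r2["status"], r3["status"]]


if __name__ == "__main__":
    print(demo())
```

Binding the user code, server and path into both cookies and checking them against the PoA's own identity is what stops a token meant for one provider from being replayed at another; the expiration time carried over from the signed URL bounds the session, and the per-request rotation is what gives the Hcook DB something to detect.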


Configurations

[Diagram: several deployment configurations of the components (web browser, Authentication Server, Point(s) of Access, Web Server), each split between the user's organization and the information provider: Authentication Servers and Points of Access may be placed on either side, and several Authentication Servers or Points of Access may be combined in one deployment.]


Implementation

- Status: version 1.0.0, available at http://www.rediris.es/app/papi/dist.en.html
- Cryptographic functions: OpenSSL
- Authentication modules: local auth, LDAP, POP3
- Points of Access: mod_perl on Apache virtual servers


Future Lines

- Enhancement of statistics collection at the PoAs
- More general implementation: servlet(s)
- Management tools (both for AS and PoA)
- Interaction with information access software
- Alignment with similar initiatives: authentication objects and alternative protocols for exchanging them (SPARTA, Shibboleth)


Pilot of the system

[Diagram: pilot deployment pairing each participating organization's Authentication Server with a Point of Access at an information provider.]

- AS: LDAP; PoA: LISA DB (ERL)
- AS: POP; PoA: local DBs
- AS: POP; PoA: local DBs
- AS: Local; PoA: MEDLINE (ERL)