The Pennsylvania State University © 2007
Web-Based Access Control for ITS Web Services, Present and Future
Jeffrey C. D’Angelo, Programmer/Analyst, Enabling Technologies Group
James A. Vuccolo, Manager, Software Solutions Group
Applied Information Technologies (AIT) in Academic Services and Emerging Technologies (ASET), a unit of Information Technology Services (ITS)
Topics
• Access Control Concepts, Methods and Technology
• Restricting Access on ITS Web Services
• Role Based Tools
• New and changing services
Access Control Concepts
• Identification and Authentication (AuthN)
• Authorization (AuthZ)
• Roles and Groups
Access Control Methods
• File Permissions
  – all or nothing?
  – Special cases: Portal, share.pass, WebMail
• Database restrictions (SQL GRANT)
• Web server control / .htaccess
• Roles and Groups
Access Control Technology - AuthN
• HTTP Basic auth
  – .htpasswd
  – mod_auth_kerb / mod_auth_dce / mod_auth_external
• CGI form / Cookies
  – Penn State WebAccess / CoSign
  – Custom database enabled application
• Less used
  – Client certificates
  – Kerberos browser support
Access Control Technology - AuthZ
• File Permission Control
  – ACL Explorer (on http://www.work.psu.edu/)
  – PASS Shares (“File Sharing” button of the PASS Explorer)
• Web Permission Control: .htaccess
  – Restrict Access to COLA (on http://www.work.psu.edu/)
  – Dynamic Web application based (CGI, PHP, etc.)
• Groups: User Managed Groups (DCE, LDAP)
  – Course groups
  – Implicit UMGs
ACLs and UMGs
• Explicit UMGs must be told what to do
  – To restrict file access by explicit UMG, the UMG must be added to the ACLs.
• File users can be specified in ACLs or UMGs
  – Which is better for you?
• Web users can be specified in .htaccess or UMGs
  – However, UMGs need mm_mod_auth_ldap (with patch)
  – Alternatives: mod_auth_ldap, mod_authz_ldap
Demonstration
Manage Web Editors (Implicit UMGs)
• Departmental Web Space (http://www.psu.edu/dept/)
  – umg/services.www.dept.departmentname
  – https://umg.its.psu.edu/
• Course Online Accounts (http://www.courses.psu.edu/)
  – umg/services.www.courses.coursename
  – https://umg.its.psu.edu/
• Student Orgs Web Space (http://www.clubs.psu.edu/)
  – umg/clubs.campusname.clubname
  – https://admin.clubs.psu.edu/
ACL Problems to Avoid
• mask_obj problems
  – Secure FTP setting / SMB share setting
  – Removing in ACL Explorer
• Removing desired permissions by recursion
  – User home & www, share
  – Departmental space and group folders
• Removing user_obj the wrong way
Roles
• What is a role?
• Example
• Case Studies
• WebRAT
What is a role?
Roles are groups of people with attributes
Example
Group:
  dn: cn=wfg.046.notify,dc=psu,dc=edu
  member: psdiridn=375704,dc=psu,dc=edu

Entry:
  dn: psdiridn=375705,dc=psu,dc=edu
  psmnemonics=wfg.046.notify:0:TLT
  psaccountnumbers=wfg.046.notify:0:ALL
  psfundtype=wfg.046.notify:0:ALL
  psdollarthreshold=wfg.046.notify:0:NoLimit
Case Studies
• Penn State WorkFlow
• Departmental Identity
Penn State WorkFlow
• Problem
  – Needed a solution to control authorization to various financial applications within the Penn State WorkFlow system
• Solution
  – Use roles to group financial people together and specify access restrictions via attributes
Departmental Identity
• Problem
  – How do you represent information about a person who has multiple affiliations?
    • e.g. a staff member at UP who teaches at Penn State Altoona
• Solution
  – Use a role to represent the additional affiliations
WebRAT
• Web-based Role Authorization Tool (A.K.A “The RAT”)
• Allows authorized personnel to assign roles
• Uses role as template to determine what attributes to assign
Demonstration
protected.personal.psu.edu
• Problem
  – The web server, http://www.personal.psu.edu/, is open to the world. It does not have a mechanism by which an average user can control access to his/her content.
  – Technically inclined users can set .htaccess file based password protection. However, they cannot authenticate Access/FPS accounts on http://www.personal.psu.edu/.
• Solution
  – https://protected.personal.psu.edu/ is a future service that will solve this problem
  – Access can be controlled using any combination of Access and FPS Accounts, groups and roles
Access Control Manager
• A prototype of a Web-based tool that will be used to control access to content that is hosted on https://protected.personal.psu.edu/.
Demonstration
Directory Authorization Control
• mm_mod_auth_ldap example
• PHP example
  – http://php.scripts.psu.edu/jcd/useful/webcon/2005/ldap.php
Demonstration
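The role example earlier in the deck and the directory authorization check this slide demonstrates, as an added illustration that is not from the slides or from the linked PHP script: a small Python reader for LDIF in the shape of the page's group and person entries that decides group membership and reads the role's attributes before granting access. It assumes LDIF colon syntax, a "role:sequence:value" layout for the attribute values, and that psdollarthreshold is either a number or NoLimit; the ids in the sample are constructed.

```python
# Added example (not from the slides): parse LDIF shaped like the page's role
# example and decide membership plus role attributes before granting access.

# Constructed sample in the shape of the slide's group and person entries.
SAMPLE_LDIF = """dn: cn=wfg.046.notify,dc=psu,dc=edu
member: psdiridn=375704,dc=psu,dc=edu
member: psdiridn=375705,dc=psu,dc=edu

dn: psdiridn=375705,dc=psu,dc=edu
psmnemonics: wfg.046.notify:0:TLT
psaccountnumbers: wfg.046.notify:0:ALL
psfundtype: wfg.046.notify:0:ALL
psdollarthreshold: wfg.046.notify:0:NoLimit
"""

def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated entries of 'attr: value' lines."""
    entries, current = {}, {}
    for raw in text.splitlines() + [""]:
        line = raw.strip()
        if not line:
            if current:
                entries[current["dn"][0].lower()] = current  # DNs match case-insensitively
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries

def is_member(directory, group_dn, user_dn):
    """True when the user's DN is listed as a member of the group (UMG) entry."""
    group = directory.get(group_dn.lower(), {})
    return user_dn.lower() in (m.lower() for m in group.get("member", []))

def role_attributes(directory, user_dn, role):
    """Collect the values of attributes that belong to one role on the person entry
    (assumed 'role:sequence:value' layout, read off the slide's example)."""
    found = {}
    for attr, values in directory.get(user_dn.lower(), {}).items():
        for v in values:
            parts = v.split(":", 2)
            if len(parts) == 3 and parts[0] == role:
                found[attr] = parts[2]
    return found

def may_approve(directory, user_dn, role, amount):
    """Decision: member of the role's group AND the dollar threshold covers amount."""
    limit = role_attributes(directory, user_dn, role).get("psdollarthreshold")
    if limit is None or not is_member(directory, f"cn={role},dc=psu,dc=edu", user_dn):
        return False
    return limit == "NoLimit" or amount <= float(limit)
```

A user who is in the group but has no role attributes (375704 in the sample) is denied, which is the point of pairing the group check with the attribute check.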
ITS Web Service Changes 2007+
• http://www.work.psu.edu/ facelift
• Install mm_mod_auth_ldap on more servers
  – e.g. http://www.courses.psu.edu/
• PASS Migration
  – ACL Explorer redo
• https://protected.personal.psu.edu/
  – http://blogs.psu.edu/ may have a protected version
Demonstration
Resources
• Apply for Web space
  – Individual: http://www.work.psu.edu/webspace/
  – Course: http://aset.its.psu.edu/accounts/cola.html
  – Departmental: http://aset.its.psu.edu/accounts/dept.html
  – Student Org: http://www.clubs.psu.edu/info/start.html
• Apply for User Managed Group (explicit)
  – http://aset.its.psu.edu/accounts/accountsforms/
    • Regular: Apply for Services > “Create a User Managed Group for Personal or Departmental space”
    • Course group: Manage Services > “Create a User Managed Group for a Course”
• Authentication / Authorization control basics
  – Set UMG in ACLs: https://umg.its.psu.edu/instructions.shtml
  – Basic password protect: http://css.its.psu.edu/publish/htpasswd/
  – WebAccess for Web dev: http://aset.its.psu.edu/docs/webaccess/