Page 1: Web-Based Access Control for ITS Web Services, Present and Future

The Pennsylvania State University © 2007

Web-Based Access Control for ITS Web Services, Present and Future

Jeffrey C. D’Angelo, Programmer/Analyst, Enabling Technologies Group

James A. Vuccolo, Manager, Software Solutions Group

Applied Information Technologies (AIT) in Academic Services and Emerging Technologies (ASET), a unit of Information Technology Services (ITS)

Page 2: Topics

• Access Control Concepts, Methods and Technology

• Restricting Access on ITS Web Services

• Role Based Tools

• New and changing services

Page 3: Access Control Concepts

• Identification and Authentication (AuthN)

• Authorization (AuthZ)

• Roles and Groups

Page 4: Access Control Methods

• File Permissions
  – all or nothing?
  – Special cases: Portal, share.pass, WebMail

• Database restrictions (SQL GRANT)

• Web server control / .htaccess

• Roles and Groups

Page 5: Access Control Technology - AuthN

• HTTP Basic auth
  – .htpasswd
  – mod_auth_kerb / mod_auth_dce / mod_auth_external

• CGI form / Cookies
  – Penn State WebAccess / CoSign
  – Custom database enabled application

• Less used
  – Client certificates
  – Kerberos browser support

Page 6: Access Control Technology - AuthZ

• File Permission Control
  – ACL Explorer (on http://www.work.psu.edu/)
  – PASS Shares (“File Sharing” button of the PASS Explorer)

• Web Permission Control: .htaccess
  – Restrict Access to COLA (on http://www.work.psu.edu/)
  – Dynamic Web application based (CGI, PHP, etc.)

• Groups: User Managed Groups (DCE, LDAP)
  – Course groups
  – Implicit UMGs

Page 7: ACLs and UMGs

• Explicit UMGs must be told what to do
  – To restrict file access by explicit UMG, the UMG must be added to the ACLs.

• File users can be specified in ACLs or UMGs
  – Which is better for you?

• Web users can be specified in .htaccess or UMGs
  – However, UMGs need mm_mod_auth_ldap (with patch)
  – Alternatives: mod_auth_ldap, mod_authz_ldap

Demonstration

Page 8: Manage Web Editors (Implicit UMGs)

• Departmental Web Space (http://www.psu.edu/dept/)
  – umg/services.www.dept.departmentname
  – https://umg.its.psu.edu/

• Course Online Accounts (http://www.courses.psu.edu/)
  – umg/services.www.courses.coursename
  – https://umg.its.psu.edu/

• Student Orgs Web Space (http://www.clubs.psu.edu/)
  – umg/clubs.campusname.clubname
  – https://admin.clubs.psu.edu/

Page 9: ACL Problems to Avoid

• mask_obj problems
  – Secure FTP setting / SMB share setting
  – Removing in ACL Explorer

• Removing desired permissions by recursion
  – User home & www, share
  – Departmental space and group folders

• Removing user_obj the wrong way

Page 10: Roles

• What is a role?

• Example

• Case Studies

• WebRAT

Page 11: What is a role?

Roles are groups of people with attributes

Page 12: Example

Group:

dn: cn=wfg.046.notify,dc=psu,dc=edu
member: psdiridn=375704,dc=psu,dc=edu

Entry:

dn: psdiridn=375705,dc=psu,dc=edu
psmnemonics=wfg.046.notify:0:TLT
psaccountnumbers=wfg.046.notify:0:ALL
psfundtype=wfg.046.notify:0:ALL
psdollarthreshold=wfg.046.notify:0:NoLimit

Page 13: Case Studies

• Penn State WorkFlow

• Departmental Identity

Page 14: Penn State WorkFlow

• Problem
  – Needed a solution to control authorization to various financial applications within the Penn State WorkFlow system

• Solution
  – Use roles to group financial people together and specify access restrictions via attributes
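The following is an added example, not code from the presentation or from Penn State: it parses a role group and person entries in the shape shown on the "Example" slide and makes the kind of decision the WorkFlow case study describes, granting access only when the person is a member of the role group and the role-scoped attributes permit the request. The sample entries are constructed, and the "role:index:value" reading of the attribute values and the meaning of "NoLimit" are assumptions, not something the slides state.

```python
# Added example (not from the presentation): parse role group and person
# entries shaped like the "Example" slide and make the kind of authorization
# decision the WorkFlow case study describes. Assumed, not stated on the
# slides: values are "<role>:<index>:<value>" and "NoLimit" means no cap.
# Constructed sample data, not the slide's own entries.
GROUP_LDIF = """\
dn: cn=wfg.046.notify,dc=psu,dc=edu
member: psdiridn=375704,dc=psu,dc=edu
"""
PEOPLE_LDIF = """\
dn: psdiridn=375704,dc=psu,dc=edu
psmnemonics: wfg.046.notify:0:TLT
psaccountnumbers: wfg.046.notify:0:ALL
psfundtype: wfg.046.notify:0:ALL
psdollarthreshold: wfg.046.notify:0:25000

dn: psdiridn=375705,dc=psu,dc=edu
psdollarthreshold: wfg.046.notify:0:NoLimit
"""

def parse_ldif(text):
    """Return {dn: {attribute: [values]}} for blank-line separated entries."""
    entries = {}
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            name, _, value = line.partition(": ")
            attrs.setdefault(name, []).append(value)
        entries[attrs["dn"][0]] = attrs
    return entries

def role_attrs(person, role):
    """Pick out the attribute values that belong to one role (index dropped)."""
    found = {}
    for name, values in person.items():
        for v in values:
            r, _, rest = v.partition(":")
            if r == role and ":" in rest:
                found[name] = rest.split(":", 1)[1]
    return found

def authorize(groups, people, user_dn, role, amount, fund, account):
    """Allow only if the user is in the role group AND its attributes permit the request."""
    group = groups.get(f"cn={role},dc=psu,dc=edu")
    if group is None or user_dn not in group.get("member", []):
        return False  # attributes alone never grant access
    a = role_attrs(people.get(user_dn, {}), role)
    if a.get("psfundtype") not in ("ALL", fund) or a.get("psaccountnumbers") not in ("ALL", account):
        return False  # a missing attribute is None and so is denied
    limit = a.get("psdollarthreshold")
    return limit is not None and (limit == "NoLimit" or amount <= float(limit))
```

The second person entry carries a role attribute but is not a group member, so every request for it is denied; that is the point of requiring both the group and the attributes.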

Page 15: Departmental Identity

• Problem
  – How do you represent information about a person who has multiple affiliations?
    • e.g., a staff member at UP who teaches at Penn State Altoona

• Solution
  – Use a role to represent the additional affiliations

Page 16: WebRAT

• Web-based Role Authorization Tool (A.K.A. “The RAT”)

• Allows authorized personnel to assign roles

• Uses the role as a template to determine what attributes to assign

Demonstration

Page 17: protected.personal.psu.edu

• Problem
  – The web server, http://www.personal.psu.edu/, is open to the world. It does not have a mechanism by which an average user can control access to his/her content.
  – Technically inclined users can set .htaccess file based password protection. However, they cannot authenticate Access/FPS accounts on http://www.personal.psu.edu/.

• Solution
  – https://protected.personal.psu.edu/ is a future service that will solve this problem
  – Access can be controlled using any combination of Access and FPS Accounts, groups and roles

Page 18: Access Control Manager

• A prototype of a Web-based tool that will be used to control access to content that is hosted on https://protected.personal.psu.edu/.

Demonstration

Page 19: Directory Authorization Control

• mm_mod_auth_ldap example

• PHP example
  – http://php.scripts.psu.edu/jcd/useful/webcon/2005/ldap.php

Demonstration

Page 20: ITS Web Service Changes 2007+

• http://www.work.psu.edu/ facelift

• Install mm_mod_auth_ldap on more servers
  – E.g. http://www.courses.psu.edu/

• PASS Migration
  – ACL Explorer redo

• https://protected.personal.psu.edu/
  – http://blogs.psu.edu/ may have a protected version

Demonstration

Page 21: Resources

• Apply for Web space
  – Individual: http://www.work.psu.edu/webspace/
  – Course: http://aset.its.psu.edu/accounts/cola.html
  – Departmental: http://aset.its.psu.edu/accounts/dept.html
  – Student Org: http://www.clubs.psu.edu/info/start.html

• Apply for User Managed Group (explicit)
  – http://aset.its.psu.edu/accounts/accountsforms/
    • Regular: Apply for Services > “Create a User Managed Group for Personal or Departmental space”
    • Course group: Manage Services > “Create a User Managed Group for a Course”

• Authentication / Authorization control basics
  – Set UMG in ACLs: https://umg.its.psu.edu/instructions.shtml
  – Basic password protect: http://css.its.psu.edu/publish/htpasswd/
  – WebAccess for Web dev: http://aset.its.psu.edu/docs/webaccess/