
Web-Based Access Control for ITS Web Services, Present and Future
Jeffrey C. D’Angelo, Programmer/Analyst, Enabling Technologies Group
James A. Vuccolo, Manager, Software Solutions Group
Applied Information Technologies (AIT) in Academic Services and Emerging Technologies (ASET), a unit of Information Technology Services (ITS)
The Pennsylvania State University © 2007

Topics
• Access Control Concepts, Methods and Technology
• Restricting Access on ITS Web Services
• Role Based Tools
• New and changing services

Access Control Concepts
• Identification and Authentication (AuthN)
• Authorization (AuthZ)
• Roles and Groups

Access Control Methods
• File Permissions – all or nothing?
  – Special cases: Portal, share.pass, WebMail
• Database restrictions (SQL GRANT)
• Web server control / .htaccess
• Roles and Groups

Access Control Technology - AuthN
• HTTP Basic auth
  – .htpasswd
  – mod_auth_kerb / mod_auth_dce / mod_auth_external
• CGI form / Cookies
  – Penn State WebAccess / CoSign
  – Custom database enabled application
• Less used
  – Client certificates
  – Kerberos browser support

Access Control Technology - AuthZ
• File Permission Control
  – ACL Explorer (on http://www.work.psu.edu/)
  – PASS Shares (“File Sharing” button of the PASS Explorer)
• Web Permission Control: .htaccess
  – Restrict Access to COLA (on http://www.work.psu.edu/)
  – Dynamic Web application based (CGI, PHP, etc.)
• Groups: User Managed Groups (DCE, LDAP)
  – Course groups
  – Implicit UMGs

ACLs and UMGs
• Explicit UMGs must be told what to do
  – To restrict file access by explicit UMG, the UMG must be added to the ACLs.
• File users can be specified in ACLs or UMGs
  – Which is better for you?
• Web users can be specified in .htaccess or UMGs
  – However, UMGs need mm_mod_auth_ldap (with patch)
  – Alternatives: mod_auth_ldap, mod_authz_ldap
Demonstration

Manage Web Editors (Implicit UMGs)
• Departmental Web Space (http://www.psu.edu/dept/)
  – umg/services.www.dept.departmentname
  – https://umg.its.psu.edu/
• Course Online Accounts (http://www.courses.psu.edu/)
  – umg/services.www.courses.coursename
  – https://umg.its.psu.edu/
• Student Orgs Web Space (http://www.clubs.psu.edu/)
  – umg/clubs.campusname.clubname
  – https://admin.clubs.psu.edu/

ACL Problems to Avoid
• mask_obj problems
  – Secure FTP setting / SMB share setting
  – Removing in ACL Explorer
• Removing desired permissions by recursion
  – User home & www, share
  – Departmental space and group folders
• Removing user_obj the wrong way

Roles
• What is a role?
• Example
• Case Studies
• WebRAT

What is a role?
Roles are groups of people with attributes

Example
Group:
dn: cn=wfg.046.notify,dc=psu,dc=edu
member: psdiridn=375704,dc=psu,dc=edu

Entry:
dn: psdiridn=375705,dc=psu,dc=edu
psmnemonics=wfg.046.notify:0:TLT
psaccountnumbers=wfg.046.notify:0:ALL
psfundtype=wfg.046.notify:0:ALL
psdollarthreshold=wfg.046.notify:0:NoLimit

Case Studies
• Penn State WorkFlow
• Departmental Identity

Penn State WorkFlow
• Problem
  – Needed a solution to control authorization to various financial applications within the Penn State WorkFlow system
• Solution
  – Use roles to group financial people together and specify access restrictions via attributes
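As an added example (not code from the slides or from Penn State's WorkFlow system), the role-with-attributes model of the Example and WorkFlow slides worked in Python: a small reader for entries shaped like the wfg.046.notify role, and an authorization check that treats role membership as the first gate and the psmnemonics / psaccountnumbers / psfundtype / psdollarthreshold attributes as per-request restrictions. The DN layout, the meaning of ALL and NoLimit, and the two sample people are assumptions.

```python
"""Role-with-attributes authorization modelled on the slides' LDIF role example (constructed data, illustrative logic)."""
from decimal import Decimal

# Constructed LDIF shaped like the slide's wfg.046.notify role; values are tagged role:index:value as on the slide.
SAMPLE_LDIF = """\
dn: cn=wfg.046.notify,dc=psu,dc=edu
member: psdiridn=375705,dc=psu,dc=edu
member: psdiridn=375706,dc=psu,dc=edu
dn: psdiridn=375705,dc=psu,dc=edu
psmnemonics=wfg.046.notify:0:TLT
psaccountnumbers=wfg.046.notify:0:ALL
psfundtype=wfg.046.notify:0:ALL
psdollarthreshold=wfg.046.notify:0:NoLimit
dn: psdiridn=375706,dc=psu,dc=edu
psmnemonics=wfg.046.notify:0:TLT
psaccountnumbers=wfg.046.notify:0:12-345
psfundtype=wfg.046.notify:0:GENERAL
psdollarthreshold=wfg.046.notify:0:5000
"""

def parse_ldif(text):
    """Return {dn: {attr: [values]}}; accepts 'attr: value' and the slide's 'attr=value' form."""
    entries, cur = {}, None
    for line in filter(str.strip, text.splitlines()):
        attr, value = line.split(": ", 1) if ": " in line else line.split("=", 1)
        if attr == "dn":
            cur = entries.setdefault(value, {})   # a new entry starts at each dn
        else:
            cur.setdefault(attr, []).append(value)
    return entries

def role_values(entries, person_dn, role, attr):
    """Untagged values of attr on the person's entry that belong to this role."""
    tagged = (v.split(":", 2) for v in entries.get(person_dn, {}).get(attr, []))
    return [val for r, _idx, val in tagged if r == role]

def authorize(entries, role, psdiridn, mnemonic, account, fund, amount):
    """Allow only if the person is a member of the role AND every role attribute permits the request."""
    role_dn, person_dn = f"cn={role},dc=psu,dc=edu", f"psdiridn={psdiridn},dc=psu,dc=edu"
    if person_dn not in entries.get(role_dn, {}).get("member", []):
        return False  # not in the role group at all: attributes are never consulted
    def allows(attr, wanted):  # 'ALL' on the slide means no restriction on that attribute
        vals = role_values(entries, person_dn, role, attr)
        return "ALL" in vals or wanted in vals
    checks = (("psmnemonics", mnemonic), ("psaccountnumbers", account), ("psfundtype", fund))
    if not all(allows(a, w) for a, w in checks):
        return False
    limits = role_values(entries, person_dn, role, "psdollarthreshold")
    return "NoLimit" in limits or any(Decimal(amount) <= Decimal(l) for l in limits)
```

A request is refused as soon as any single attribute disagrees, so a person with the right mnemonic but the wrong account number or an amount over psdollarthreshold is denied even though they are in the role.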

Departmental Identity
• Problem
  – How do you represent information about a person who has multiple affiliations?
    • i.e. a staff member at UP who teaches at Penn State Altoona
• Solution
  – Use a role to represent the additional affiliations

WebRAT
• Web-based Role Authorization Tool (a.k.a. “The RAT”)
• Allows authorized personnel to assign roles
• Uses role as template to determine what attributes to assign
Demonstration

protected.personal.psu.edu
• Problem
  – The web server http://www.personal.psu.edu/ is open to the world. It does not have a mechanism by which an average user can control access to his/her content.
  – Technically inclined users can set .htaccess file based password protection. However, they cannot authenticate Access/FPS accounts on http://www.personal.psu.edu/.
• Solution
  – https://protected.personal.psu.edu/ is a future service that will solve this problem
  – Access can be controlled using any combination of Access and FPS Accounts, groups and roles

Access Control Manager
• A prototype of a Web-based tool that will be used to control access to content that is hosted on https://protected.personal.psu.edu/.
Demonstration

Directory Authorization Control
• mm_mod_auth_ldap example
• PHP example
  – http://php.scripts.psu.edu/jcd/useful/webcon/2005/ldap.php
Demonstration

ITS Web Service Changes 2007+
• http://www.work.psu.edu/ facelift
• Install mm_mod_auth_ldap on more servers
  – E.g. http://www.courses.psu.edu/
• PASS Migration
  – ACL Explorer redo
• https://protected.personal.psu.edu/
  – http://blogs.psu.edu/ may have a protected version
Demonstration

Resources
• Apply for Web space
  – Individual: http://www.work.psu.edu/webspace/
  – Course: http://aset.its.psu.edu/accounts/cola.html
  – Departmental: http://aset.its.psu.edu/accounts/dept.html
  – Student Org: http://www.clubs.psu.edu/info/start.html
• Apply for User Managed Group (explicit)
  – http://aset.its.psu.edu/accountsforms/
    • Regular: Apply for Services > “Create a User Managed Group for Personal or Departmental space”
    • Course group: Manage Services > “Create a User Managed Group for a Course”
• Authentication / Authorization control basics
  – Set UMG in ACLs: https://umg.its.psu.edu/instructions.shtml
  – Basic password protect: http://css.its.psu.edu/publish/htpasswd/
  – WebAccess for Web dev: http://aset.its.psu.edu/docs/webaccess/