
The Pennsylvania State University © 2007 Web-Based Access Control for ITS Web Services, Present and Future Jeffrey C. D’Angelo, Programmer/Analyst, Enabling.


1 The Pennsylvania State University © 2007
Web-Based Access Control for ITS Web Services, Present and Future
Jeffrey C. D’Angelo, Programmer/Analyst, Enabling Technologies Group
James A. Vuccolo, Manager, Software Solutions Group
Applied Information Technologies (AIT) in Academic Services and Emerging Technologies (ASET), a unit of Information Technology Services (ITS)

2 Topics
- Access Control Concepts, Methods and Technology
- Restricting Access on ITS Web Services
- Role Based Tools
- New and changing services

3 Access Control Concepts
- Identification and Authentication (AuthN)
- Authorization (AuthZ)
- Roles and Groups

4 Access Control Methods
- File Permissions
  – all or nothing?
  – Special cases: Portal, share.pass, WebMail
- Database restrictions (SQL GRANT)
- Web server control / .htaccess
- Roles and Groups

5 Access Control Technology - AuthN
- HTTP Basic auth
  – .htpasswd
  – mod_auth_kerb / mod_auth_dce / mod_auth_external
- CGI form / Cookies
  – Penn State WebAccess / CoSign
  – Custom database enabled application
- Less used
  – Client certificates
  – Kerberos browser support

6 Access Control Technology - AuthZ
- File Permission Control
  – ACL Explorer (on http://www.work.psu.edu/)
  – PASS Shares (“File Sharing” button of the PASS Explorer)
- Web Permission Control: .htaccess
  – Restrict Access to COLA (on http://www.work.psu.edu/)
  – Dynamic Web application based (CGI, PHP, etc.)
- Groups: User Managed Groups (DCE, LDAP)
  – Course groups
  – Implicit UMGs

7 ACLs and UMGs
- Explicit UMGs must be told what to do
  – To restrict file access by explicit UMG, the UMG must be added to the ACLs.
- File users can be specified in ACLs or UMGs
  – Which is better for you?
- Web users can be specified in .htaccess or UMGs
  – However, UMGs need mm_mod_auth_ldap (with patch)
  – Alternatives: mod_auth_ldap, mod_authz_ldap
- Demonstration

8 Manage Web Editors (Implicit UMGs)
- Departmental Web Space (http://www.psu.edu/dept/)
  – umg/services.www.dept.departmentname
  – https://umg.its.psu.edu/
- Course Online Accounts (http://www.courses.psu.edu/)
  – umg/services.www.courses.coursename
  – https://umg.its.psu.edu/
- Student Orgs Web Space (http://www.clubs.psu.edu/)
  – umg/clubs.campusname.clubname
  – https://admin.clubs.psu.edu/

9 ACL Problems to Avoid
- mask_obj problems
  – Secure FTP setting / SMB share setting
  – Removing in ACL Explorer
- Removing desired permissions by recursion
  – User home & www, share
  – Departmental space and group folders
- Removing user_obj the wrong way

10 Roles
- What is a role?
- Example
- Case Studies
- WebRAT

11 What is a role?
Roles are groups of people with attributes

12 Example
Group Entry
  dn: cn=wfg.046.notify,dc=psu,dc=edu
  member: psdiridn=375704,dc=psu,dc=edu

  dn: psdiridn=375705,dc=psu,dc=edu
  psmnemonics=wfg.046.notify:0:TLT
  psaccountnumbers=wfg.046.notify:0:ALL
  psfundtype=wfg.046.notify:0:ALL
  psdollarthreshold=wfg.046.notify:0:NoLimit

13 Case Studies
- Penn State WorkFlow
- Departmental Identity

14 Penn State WorkFlow
- Problem
  – Needed a solution to control authorization to various financial applications within the Penn State WorkFlow system
- Solution
  – Use roles to group financial people together and specify access restrictions via attributes

15 Departmental Identity
- Problem
  – How do you represent information about a person who has multiple affiliations? E.g. a staff member at UP who teaches at Penn State Altoona
- Solution
  – Use a role to represent the additional affiliations

16 WebRAT
- Web-based Role Authorization Tool (A.K.A. “The RAT”)
- Allows authorized personnel to assign roles
- Uses role as template to determine what attributes to assign
- Demonstration

17 protected.personal.psu.edu
- Problem
  – The web server http://www.personal.psu.edu/ is open to the world. It does not have a mechanism by which an average user can control access to his/her content.
  – Technically inclined users can set .htaccess file based password protection. However, they cannot authenticate Access/FPS accounts on http://www.personal.psu.edu/.
- Solution
  – https://protected.personal.psu.edu/ is a future service that will solve this problem
  – Access can be controlled using any combination of Access and FPS Accounts, groups and roles

18 Access Control Manager
- A prototype of a Web-based tool that will be used to control access to content that is hosted on https://protected.personal.psu.edu/.
- Demonstration

19 Directory Authorization Control
- mm_mod_auth_ldap example
- PHP example
  – http://php.scripts.psu.edu/jcd/useful/webcon/2005/ldap.php
- Demonstration
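The two directory-based pieces of this deck, the role entry on slide 12 (a group whose members carry role-scoped attributes such as psdollarthreshold) and the directory authorization control on slide 19 (a web server or script deciding access from group membership), fit in one worked example. The code below is an added illustration and is not the presenters' PHP example nor the behaviour of mm_mod_auth_ldap; it assumes an LDIF-style text export, interprets the attribute values as role:index:value triples (an assumption; the deck does not define the format), and evaluates Apache-style "require" lines (valid-user, user, group) against that directory. All entries, uids and thresholds are constructed sample data.

```python
"""Directory-backed authorization over role/group entries (added example)."""

# Constructed sample directory, loosely modelled on the slide 12 entry.
# Unlike the slide, the member of wfg.046.notify and the user that carries
# the wfg.046.notify attributes are the same entry (psdiridn=375704).
SAMPLE_LDIF = """\
dn: cn=wfg.046.notify,dc=psu,dc=edu
member: psdiridn=375704,dc=psu,dc=edu

dn: cn=wfg.046.approve,dc=psu,dc=edu
member: psdiridn=375705,dc=psu,dc=edu

dn: psdiridn=375704,dc=psu,dc=edu
uid: xyz123
psmnemonics: wfg.046.notify:0:TLT
psaccountnumbers: wfg.046.notify:0:ALL
psfundtype: wfg.046.notify:0:ALL
psdollarthreshold: wfg.046.notify:0:NoLimit

dn: psdiridn=375705,dc=psu,dc=edu
uid: abc456
psmnemonics: wfg.046.approve:0:TLT
psdollarthreshold: wfg.046.approve:0:5000
"""


def parse_ldif(text):
    """Parse a minimal LDIF subset: blank-line separated entries, one
    'attr: value' per line, multi-valued attributes allowed. Returns
    {dn: {attr: [values]}}. Attribute names are lower-cased."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            current = None
            continue
        attr, _, value = line.partition(":")   # DNs contain no ':'
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = entries.setdefault(value, {})
        elif current is not None:
            current.setdefault(attr, []).append(value)
    return entries


def role_attributes(entry, role):
    """Collect the attributes scoped to `role` from role:index:value
    triples (assumed format). Returns {attr: value}; a later index for
    the same attribute overrides an earlier one."""
    scoped = {}
    for attr, values in entry.items():
        for value in values:
            parts = value.split(":", 2)
            if len(parts) == 3 and parts[0] == role:
                scoped[attr] = parts[2]
    return scoped


def may_act(directory, user_dn, role, amount):
    """WorkFlow-style decision: the user must be a member of the role's
    group AND the role-scoped psdollarthreshold must cover `amount`.
    Fails closed when the group, the user or the threshold is missing."""
    group = directory.get(f"cn={role},dc=psu,dc=edu", {})
    if user_dn not in group.get("member", []):
        return False
    limit = role_attributes(directory.get(user_dn, {}), role).get("psdollarthreshold")
    if limit is None:
        return False
    if limit == "NoLimit":
        return True
    try:
        return amount <= float(limit)
    except ValueError:          # malformed threshold: deny rather than guess
        return False


def authorized(directory, user_dn, require):
    """Evaluate an Apache-style 'require' line for an authenticated DN:
    'valid-user', 'user <uid> ...' or 'group <group dn>'. Unknown users
    and unknown rule kinds are denied."""
    words = require.split()
    entry = directory.get(user_dn)
    if not words or entry is None:
        return False
    kind, args = words[0], words[1:]
    if kind == "valid-user":
        return True
    if kind == "user":
        return any(uid in args for uid in entry.get("uid", []))
    if kind == "group":
        group_dn = " ".join(args)
        return user_dn in directory.get(group_dn, {}).get("member", [])
    return False


if __name__ == "__main__":
    d = parse_ldif(SAMPLE_LDIF)
    u = "psdiridn=375705,dc=psu,dc=edu"
    print(may_act(d, u, "wfg.046.approve", 4000))                     # True
    print(authorized(d, u, "group cn=wfg.046.notify,dc=psu,dc=edu"))  # False
```

The membership check and the attribute check are deliberately separate steps: group membership is what a web server module such as mm_mod_auth_ldap can enforce on its own, while the role-scoped attributes need application logic (the WorkFlow case study on slide 14), and both deny by default when the directory data is absent or malformed.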

20 ITS Web Service Changes 2007+
- http://www.work.psu.edu/ facelift
- Install mm_mod_auth_ldap on more servers
  – E.g. http://www.courses.psu.edu/
- PASS Migration
  – ACL Explorer redo
- https://protected.personal.psu.edu/
  – http://blogs.psu.edu/ may have a protected version
- Demonstration

21 Resources
- Apply for Web space
  – Individual: http://www.work.psu.edu/webspace/
  – Course: http://aset.its.psu.edu/accounts/cola.html
  – Departmental: http://aset.its.psu.edu/accounts/dept.html
  – Student Org: http://www.clubs.psu.edu/info/start.html
- Apply for User Managed Group (explicit)
  – http://aset.its.psu.edu/accounts/accountsforms/
  – Regular: Apply for Services > “Create a User Managed Group for Personal or Departmental space”
  – Course group: Manage Services > “Create a User Managed Group for a Course”
- Authentication / Authorization control basics
  – Set UMG in ACLs: https://umg.its.psu.edu/instructions.shtml
  – Basic password protect: http://css.its.psu.edu/publish/htpasswd/
  – WebAccess for Web dev: http://aset.its.psu.edu/docs/webaccess/

