Volume 6, No 3 Information Technology News of the University of California, Davis November 1997
Distributed Web Authentication Project
by Richard Darsie
To protect copyright and comply with software licensing restrictions, some campus sites and services are currently restricted to access from computers with "ucdavis.edu" addresses only. Examples of sites and services so restricted include Melvyl databases, site licensed software distribution sites, some course Web sites, the campus news service, and many sites with confidential information such as financial or academic records. The current authentication method is to check the address of the incoming request for access, and to permit access only if it is coming from a campus IP (Internet Protocol) address. Unfortunately, persons using a third-party Internet Service Provider for off-campus access are not coming from a campus-based IP address, and this authentication technique will not permit them to access certain online campus resources, such as restricted Web pages and campus newsgroups. Being "authenticated" simply means that the system has verified that you are who you say you are. To address these limitations, a team of I.T. and departmental technical staff are developing campuswide services which will allow departments to limit access to their online resources by username and password, instead of by IP address. This service will be available at the beginning of January, 1998; the testing phase is now underway. The new authentication procedure will make use of the Kerberos security server, which is already employed by such campuswide administrative services as GUI Banner and DaFIS (see "You Asked..." feature). Doreen Meyer of Distributed Computing Analysis & Support made a presentation about this project to a roomful of Technology Support Coordinators (TSCs) on November 11. The information was presented in a non-technical fashion and is further disseminated here because of its importance to the campus. Slides from the presentation are online at http://dcas.ucdavis.edu/authentication/webauth/.
The new authentication system has potentially two levels of security: a base level open to all users, making use of Kerberos and a global "ucdavis.edu" browser cookie, and a higher level for those with access to AFS space, which additionally makes use of an AFS file check. (The terms "cookie," "authentication," "Kerberos," and "AFS" are defined here.) Please note that this procedure depends on the user's browser being set to accept cookies. If you have disabled your browser's ability to accept cookies (many people do this), you will not be able to be authenticated. To check on whether your browser is set to accept cookies, and to reset the browser to accept cookies if necessary, open your browser's preferences file. Note that on this campus, the cookies created by the authentication service will not be tracked or maintained for any reason other than authentication. Elsewhere on the Web, cookies are often used for collecting information about a particular user and his/her interests. From the user's perspective, the authentication operation will proceed as follows:
The next phase of the Web authentication project will include a survey of Web site managers on campus, beta testing by volunteer campus Webmasters, and the posting of Recommended Solutions documents. A Web site will soon be in place with detailed platform-specific instructions and downloads of the necessary software and files to implement this authentication procedure. The testing phase will determine which platforms will support the new procedure; there are no guarantees that all platforms will be supported, but the most widely used ones certainly will be. Finally, this particular scheme of Web-based authentication is an interim solution, and will be active in the time frame of 18 months to two years, at which time a more robust and flexible authentication service will be in place. For more information, visit http://cr.ucdavis.edu/projects/distributed.htm and http://dcas.ucdavis.edu/access/distauth/. Vicki Suter and Doreen Meyer of Distributed Computing Analysis & Support (DCAS) contributed to this article.
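The contrast the article draws between the existing address-based check and the planned credential-based scheme (Kerberos login, a "ucdavis.edu" cookie, and an optional AFS check), as an added illustration written for this reprint rather than code from the campus project. The address block, the cookie format, the signing secret and the representation of the AFS file as a set of usernames are all assumptions.

```python
"""Access decision for a restricted campus Web resource: the legacy
address rule beside the planned cookie rule. Illustrative only."""
import hashlib
import hmac
import ipaddress
from typing import Optional, Set

# Constructed sample values: the address block is a documentation range,
# not the campus's, and the secret stands in for whatever the servers share.
CAMPUS_NETS = [ipaddress.ip_network("192.0.2.0/24")]
COOKIE_KEY = b"example-server-secret"
COOKIE_DOMAIN = "ucdavis.edu"


def allowed_by_address(client_ip: str) -> bool:
    """Legacy rule: permit only requests arriving from a campus address.
    A user dialing in through an outside ISP fails this check."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in CAMPUS_NETS)


def issue_cookie(username: str) -> str:
    """Simulates the step after Kerberos has verified the password:
    mint a cookie value bound to the username (assumed HMAC format)."""
    tag = hmac.new(COOKIE_KEY, username.encode(), hashlib.sha256).hexdigest()
    return f"{username}:{tag}"


def verify_cookie(cookie: str) -> Optional[str]:
    """Return the authenticated username if the cookie is intact, else None."""
    username, _, tag = cookie.partition(":")
    expected = hmac.new(COOKIE_KEY, username.encode(), hashlib.sha256).hexdigest()
    return username if tag and hmac.compare_digest(tag, expected) else None


def allowed_by_cookie(cookie_domain: str, cookie: str) -> bool:
    """Base level: a valid ucdavis.edu cookie suffices, whatever the client IP."""
    return cookie_domain == COOKIE_DOMAIN and verify_cookie(cookie) is not None


def allowed_afs_level(cookie_domain: str, cookie: str, afs_users: Set[str]) -> bool:
    """Higher level: the cookie must check out and the user must also appear
    in the AFS file (modelled here as a set of usernames)."""
    user = verify_cookie(cookie) if cookie_domain == COOKIE_DOMAIN else None
    return user is not None and user in afs_users
```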