
Using WebAuth in the central UMBC Web Environment

This is a brief overview of how to WebAuth-enable, or protect, applications running in the central UMBC Web environment. WebAuth is available as an authentication method within the Apache webserver that runs on the central UMBC webserver, including most virtual-hosted sites. Using WebAuth in your applications only requires editing a ".htaccess" file. Detailed syntax and options are covered in the Apache 1.3 documentation.

A "basic" .htaccess file that restricts access to a page to any UMBC-authenticated user:

WebAuthEnabled Yes
AuthType WebAuth
require valid-user

---

However, because being a UMBC-authenticated user does NOT imply any affiliation with the university, you may wish to alter the require statement to restrict access further. For example:

require attribute ( person;affiliation="faculty" ) or ( person;affiliation="staff" )

will restrict access to the protected web resource to only faculty or staff.

Currently, with the default configuration available for general use, the above "person;affiliation" attribute is the only one available.

Almost Full Documentation:

WebAuthEnabled [Yes|No]
Enable processing by the WebAuth authentication module.

WebAuthRequired [Yes|No]
This isn't used much; it requires WebAuth processing even if there is no "require" statement later on.

WebAuthPassAttrs [Yes|No]
Pass all attributes available in the WebAuth token into the environment, prefixed with ATTR_.

require clause
The Apache "require" clause can have three actions: "valid-user", "user", or "attribute".
valid-user simply allows anyone through who has any sort of WebAuth credential, and is probably not what you want to do; however, it may be useful if you are relying on the underlying application to do the authorization.
user can be followed by a comma-separated list of ticket principals that may have access. For example:
require user banz,jack,fritz
This will allow the users with those usernames.
attribute is the most useful, as it allows you to construct some logic to restrict access to your pages, as shown in the example above.
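
An added example (not part of the original post or of UMBC's own code): a Python CGI script that sits behind "require valid-user" with "WebAuthPassAttrs Yes" and does the authorization itself, denying by default. The variable name after the ATTR_ prefix and the use of REMOTE_USER are assumptions; the sample environments are constructed.

```python
import os
import sys

# Assumptions (not from the original post): the variable name after the ATTR_
# prefix, and that the module sets REMOTE_USER like other Apache auth modules.
AFFILIATION_VAR = "ATTR_person;affiliation"  # hypothetical name
ALLOWED_AFFILIATIONS = frozenset({"faculty", "staff"})

# Constructed sample environments (not captured from a real server).
SAMPLE_STAFF = {"REMOTE_USER": "banz", AFFILIATION_VAR: "staff"}
# A request header sent by the client shows up under HTTP_*, not ATTR_*.
SAMPLE_SPOOF = {"REMOTE_USER": "jack", "HTTP_ATTR_PERSON_AFFILIATION": "faculty"}


def authorize(environ, attr_var=AFFILIATION_VAR, allowed=ALLOWED_AFFILIATIONS):
    """Return (allowed?, reason). Anything missing or unexpected is a denial."""
    user = environ.get("REMOTE_USER", "").strip()
    if not user:
        # .htaccess missing or WebAuthEnabled off: no authenticated user.
        return False, "no authenticated user"
    # Only the exact server-set name is read. Request headers reach a CGI
    # script as HTTP_* variables, so a client cannot supply ATTR_* itself.
    value = environ.get(attr_var)
    if value is None:
        # WebAuthPassAttrs is off, or the token carried no such attribute.
        return False, "affiliation attribute not passed"
    if value.strip() not in allowed:
        return False, "affiliation not permitted"
    return True, "ok"


def respond(environ):
    """Build the CGI response text for this request environment."""
    ok, reason = authorize(environ)
    if not ok:
        return ("Status: 403 Forbidden\r\nContent-Type: text/plain\r\n\r\n"
                "Access denied: %s\n" % reason)
    return "Content-Type: text/plain\r\n\r\nHello, %s\n" % environ["REMOTE_USER"]


if __name__ == "__main__":
    sys.stdout.write(respond(os.environ))
```

If the .htaccess file is removed or WebAuthPassAttrs is turned off, the script returns 403 rather than serving the page unauthenticated.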

Comments (1)

John:

Rob,

This really should be posted on the Guides to Web Publishing site (http://www.umbc.edu/oit/webdev) I started and Vergil maintained. Or at least include it in the OIT News blog.

John


About

This page contains a single entry from the blog posted on April 19, 2005 9:44 AM.
