Using WebAuth in Core web environment
From Syscore
Overview
This is a brief overview of how to WebAuth-enable, or protect, web pages and applications running on the central UMBC Web environment. WebAuth is available as an authentication method within the Apache web server that is running on the central UMBC web server, including most virtual-hosted sites. Using WebAuth in your applications only requires editing a ".htaccess" file. Detailed syntax and options are covered in the Apache 1.3 documentation.
A "basic" .htaccess file that restricts access to a page to any UMBC-authenticated user:
WebAuthEnabled Yes
AuthType WebAuth
require valid-user
However, being a UMBC-authenticated user does NOT imply any affiliation with the university, so you may wish to alter the require statement to restrict access more tightly. For example:
require attribute ( person;affiliation="faculty" ) or ( person;affiliation="staff" )
This restricts access to the protected web resource to faculty or staff only.
Currently, with the default configuration available for general use, the above "person;affiliation" attribute is the only one available.
Almost Full Documentation:
- WebAuthEnabled [Yes|No]
  - Enable processing by the WebAuth authentication module.
- WebAuthRequired [Yes|No]
  - This isn't used much; it requires WebAuth processing even if there is no "require" statement later on.
- WebAuthPassAttrs [Yes|No]
  - Pass all attributes available in the WebAuth token into the environment, prefixed with ATTR_.
- require
  - The Apache "require" clause can have three actions: "valid-user", "user", or "attribute". The valid-user action simply allows through anyone who has any sort of WebAuth credential, and is probably not what you want to do; however, it may be useful if you are relying on the underlying application to do the authorization. The user action can be followed by a comma-separated list of ticket principals that may have access. For example:
    require user banz,jack,fritz
  - This allows those usernames through. The attribute action is the most useful, as it allows you to construct some logic to restrict access to your pages, as in the example above.
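
A check for the pitfalls noted above, as an added example that is not part of the original page or of the WebAuth module: a Python function that audits the text of a .htaccess file and flags a "require valid-user" line, a missing require clause without WebAuthRequired, and an AuthType other than WebAuth. The function name, finding strings and sample files are constructed for illustration; treating a missing AuthType or a missing require clause as a finding is an assumption inferred from the descriptions above.

```python
# Added example: audit .htaccess text for the WebAuth pitfalls described on this page.
KNOWN_ACTIONS = ("valid-user", "user", "attribute")  # the three actions the page lists

def audit_htaccess(text):
    """Return a list of finding strings for the contents of one .htaccess file."""
    directives = {}   # lower-cased directive name -> argument string (last one wins)
    requires = []     # argument string of every "require" line, in order
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and comments
        parts = line.split(None, 1)
        name = parts[0].lower()  # Apache directive names are case-insensitive
        args = parts[1].strip() if len(parts) > 1 else ""
        if name == "require":
            requires.append(args)
        else:
            directives[name] = args

    def is_yes(key):
        return directives.get(key, "").lower() == "yes"

    findings = []
    if not is_yes("webauthenabled"):
        return findings  # WebAuth is not switched on here; nothing to audit
    if directives.get("authtype", "").lower() != "webauth":
        findings.append("AuthType is not WebAuth")  # assumed to be required
    if not requires and not is_yes("webauthrequired"):
        findings.append("no require clause and WebAuthRequired is not Yes")
    actions = [r.split(None, 1)[0].lower() for r in requires if r]
    if "valid-user" in actions:  # flagged even when other require lines exist
        findings.append("valid-user admits any UMBC-authenticated user")
    for action in actions:
        if action not in KNOWN_ACTIONS:
            findings.append("unrecognised require action: " + action)
    return findings

# Constructed sample inputs, built from the directives shown on this page.
BASIC = "WebAuthEnabled Yes\nAuthType WebAuth\nrequire valid-user\n"
RESTRICTED = ('WebAuthEnabled Yes\nAuthType WebAuth\n'
              'require attribute ( person;affiliation="faculty" ) or ( person;affiliation="staff" )\n')
NO_REQUIRE = "WebAuthEnabled Yes\nAuthType WebAuth\n"

if __name__ == "__main__":
    for label, sample in (("basic", BASIC), ("restricted", RESTRICTED), ("no-require", NO_REQUIRE)):
        print(label, audit_htaccess(sample) or "ok")
```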
