This area is designed to provide additional information for web providers and web application developers who are responsible for designing, programming, or implementing limited-access, web-based computer applications or web sites. Unlike public web sites, limited-access web applications and web sites are for use only by authorized users and require user authentication.
The Critical Host Policy describes the requirements and constraints for attaching and securing a critical computer to PennNet. One requirement is that passwords cannot travel over Penn's network in clear text. The policy also provides "best practice" recommendations to guide system administrators in further steps to protect PennNet-connected systems. The purpose of the Critical Host Policy is to ensure that all systems installed on PennNet are maintained at appropriate levels of security while at the same time not impeding the ability of users and support staff to perform their work.
Web application developers are encouraged to read the complete policy.
How does the critical host policy apply to web developers?
In two ways:
Will Websec be discontinued?
Since Websec does not support GSSAPI Kerberos authentication, it is not part of Penn’s long-term authentication strategy and is expected to be replaced with another authentication method. Web developers will be given at least 12 months notice before a Websec replacement is implemented and Websec support is withdrawn.
What else do I need to control access to my web application besides Websec?
Websec only authenticates people. It doesn't tell you whether or not that person is authorized to use your application. Many people not directly affiliated with the University have been assigned PennKeys, so you cannot conclude that someone is affiliated with Penn just because they have a PennKey and password.
After you have authenticated the user, the next step is for your application to decide whether or not that person is authorized. Often, that decision can be made based on biographic/demographic data available in the Penn Community database.
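The authentication-then-authorization split described above, as an added example that is not part of the original page. The Penn Community lookup, the record fields and the sample records are assumptions constructed for illustration; they are not Websec's or Penn Community's actual interface.

```python
# Added example: an application-side authorization check that runs only after
# Websec has already authenticated the PennKey. Record format, lookup function
# and sample data are assumptions, not Penn Community's real schema or API.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class CommunityRecord:
    pennkey: str
    affiliation: str  # constructed values such as "staff", "student", "sponsored_guest"
    active: bool


# Constructed Penn Community-style records for the demo (not real people).
PENN_COMMUNITY = {
    "jdoe": CommunityRecord("jdoe", "staff", True),
    "astudent": CommunityRecord("astudent", "student", True),
    "formerstaff": CommunityRecord("formerstaff", "staff", False),
    "guest1": CommunityRecord("guest1", "sponsored_guest", True),
}

# The affiliations this particular application chooses to admit.
ALLOWED_AFFILIATIONS = frozenset({"staff", "student"})


def lookup(pennkey: str) -> Optional[CommunityRecord]:
    """Assumed stand-in for a Penn Community query."""
    return PENN_COMMUNITY.get(pennkey)


def is_authorized(authenticated_pennkey: Optional[str]) -> bool:
    """Decide access for a PennKey that Websec has already authenticated.

    Default deny: a valid PennKey alone never grants access, since PennKeys are
    also issued to people who are not directly affiliated with the University.
    """
    if not authenticated_pennkey:  # no authenticated identity at all
        return False
    record = lookup(authenticated_pennkey)
    if record is None:  # authenticated, but no community record to authorize on
        return False
    if not record.active:  # record exists but the affiliation has ended
        return False
    return record.affiliation in ALLOWED_AFFILIATIONS
```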
What is the difference between using PennKey for Websec authentication and using it for Kerberos authentication?
Your PennKey has two functions and they are quite different.
There is not a good solution today to completely replace Websec with Kerberos. However, ISC is evaluating different technologies and hopes in the near future to announce a Kerberos-compliant solution that will allow you to enter your PennKey and password once, obtain a Kerberos ticket, and be able to authenticate to Penn web services.