Special Information for Web Developers

This area is designed to provide additional information for web providers and web application developers who are responsible for designing, programming, or implementing limited-access, web-based computer applications or web sites. Unlike public web sites, limited-access web applications and web sites are for use only by authorized users and require user authentication.

Critical Host Policy Information for Web Application Developers

The Critical Host Policy describes the requirements and constraints for attaching and securing a critical computer to PennNet. One requirement is that passwords cannot travel over Penn's network in clear text. The policy also provides "best practice" recommendations to guide system administrators in further steps to protect PennNet-connected systems. The purpose of the Critical Host Policy is to ensure that all systems installed on PennNet are maintained at appropriate levels of security while at the same time not impeding the ability of users and support staff to perform their work.

Web application developers are encouraged to read the complete policy.

Frequently Asked Questions about Securing Web Applications and Web Pages

How does the critical host policy apply to web developers?

In two ways:

1. If your web application contains sensitive data or supports a critical University-wide function, then you must comply with all requirements of the Critical Host policy including the requirement that end users use strong authentication for http connections (i.e. they no longer send unencrypted passwords between their browsers and the web server). The simplest way to comply with this requirement is to use SSL/TLS to encrypt all http traffic.
   
   ISC has developed the Websec module so that web developers may easily create PennKey-authenticated web applications. By using the Websec module, these applications will only allow access if the user has successfully identified him/herself by entering a correct PennKey and password combination. Further information can be found by visiting the Securing Web Pages section of the computing web.
   
   
2. If content providers use FTP to transfer content to your web server, you must provide them with a secure file transfer option that uses strong authentication. Standard FTP uses weak authentication (i.e. unencrypted passwords.). Consult the Supported Products web site to learn about FTP clients that satisfy the critical host policy and are supported by Penn. FTP clients can protect passwords via Kerberos, SCP and standard FTP with SSH port forwarding.

Will Websec be discontinued?

Since Websec does not support GSSAPI Kerberos authentication, it is not part of Penn’s long-term authentication strategy and is expected to be replaced with another authentication method. Web developers will be given at least 12 months notice before a Websec replacement is implemented and Websec support is withdrawn.

What else do I need to control access to my web application besides Websec?

A: Websec only authenticates people. It doesn’t tell you whether or not that person is authorized to use your application. Many people not directly affiliated with the University have been assigned PennKeys, so you can not conclude that someone is affiliated with Penn just because they have a PennKey and password.

After you have authenticated the user, the next step is for your application to decide whether or not that person is authorized. Often, that decision can be made based on biographic/demographic data available in the Penn Community database.

What is the difference between using PennKey for Websec authentication and using it for Kerberos authentication?

Your PennKey has two functions and they are quite different.

1. Your PennKey can be used for Kerberos authentication. This requires you to authenticate only once a day, using a Kerberos ticket manager. For the rest of that day, you will be able to use Kerberos Single Sign-on – meaning that you may connect to any Kerberized campus service without having to authenticate again.
2. Your PennKey can also be used to authenticate to a variety of web-based applications (two examples are U@Penn and BEN Reports). However, in this context you are not using Kerberos authentication but another authentication protocol, called RADIUS. You will need to enter your PennKey each time you use an application, regardless of whether you authenticated to the same application earlier in your computing session.

There is not a good solution today to completely replace Websec with Kerberos. However, ISC is evaluating different technologies and hopes in the near future to announce a Kerberos-compliant solution that will allow you to enter your PennKey and password once, obtain a Kerberos ticket, and be able to authenticate to Penn web services.