FOR ARCHIVAL PURPOSES ONLY
The following instructions apply to using Websec
to authenticate for web applications. Websec was retired
in December 2009 and replaced
by a new authentication system, Penn Weblogin.
Overview of the Websec module's flow of control
A graphic representation of the Websec module's flow of control is available.
- The user goes to a web page where a service is offered.
- If the application that the user wishes to use has been registered as a Websec application and now requires PennKey authentication, he or she will click on a link which points to ISC's PennKey authentication page. This link will contain a string that specifies the registered application name for which the authentication will be taking place. For example, if authentication is required for access to an application registered as "school_survey", the link on the application provider's home page will be specified as follows:
- Upon clicking on this link, the user is transferred to ISC's Websec webserver and presented with a screen to validate him/herself with a PennKey and password. He or she has only 45 seconds to do so.
- The Websec module PennKey-authenticates the user. If PennKey authentication fails, the PennKey/Password combination is incorrect, or the time limit has been exceeded, a screen is returned indicating the problem and the process stops. The user is given the option to reload the authentication page and start over.
- If PennKey authentication is valid, a screen is returned to the user indicating that authentication has succeeded and asking him or her to submit the form to continue with the application. This form possesses the hidden field 'websec_token', which contains a token. This token has been generated by the Websec module and stored, along with other relevant information, in its token database.
- The user submits the form. The 'websec_token' is passed by the browser to a POST/CGI program representing the first page of the application, located on the application's server. With client/server routines provided by ISC, the application can check the validity of the token by querying the Websec module's token database, located on ISC's Websec webserver. If the token is valid, the application knows that the user has authenticated him/herself for that application. If it is not valid, either the user has not authenticated him/herself successfully, the token has explicitly been expired, the token has timed out, or the application for which the token was created is not the same as the one asking for information about the token.
- For each successive page of the web application, if the developers of the application wish to continue to use the token functionality of the Websec module to maintain "state", they must pass the token back to the web browser as a hidden field or set a client-side cookie containing the token. Upon arrival at each new page, the application must check the validity of the token, following the rules in the above step.
If the developers of the application do not wish to continue using the token functionality of the Websec module, they must develop their own method of maintaining "state", such that for each operation a user performs, they have the assurance that the user has appropriately been PennKey-authenticated. This may be the case for applications which launch client-side programs, such as Java applets.
NOTE: if developers wish to use their own method of maintaining state, they MUST first check the validity of the token by querying the Websec module BEFORE doing so; otherwise the token may be invalid and unauthorized users may gain access to the application.
- Once a user is done with the application OR the application is finished with the Websec module's token database, the application should expire (remove) the token from ISC's Websec token database.
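The token rules spelled out in the steps above (a token bound to the registered application it was issued for, rejected when unknown, explicitly expired, timed out, or presented by a different application, and removed when the application is done) can be modelled in a few lines. The following is an added illustration written for this page; it is not ISC's Websec code or its client/server routines. The names `TokenStore`, `issue_token`, `check_token`, `expire_token` and `login_within_window` are assumptions, as is the token lifetime of 600 seconds, which the page does not state; the 45-second login window is the one the page gives.

```python
"""Model of the Websec token flow described on this page.

Added illustration, not ISC's Websec code. Class, function and parameter
names are assumptions; the page only says ISC provided client/server
routines for issuing, checking and expiring tokens.
"""
import secrets
from dataclasses import dataclass

LOGIN_WINDOW_SECONDS = 45   # from the page: user has 45 seconds to log in
TOKEN_TTL_SECONDS = 600     # assumed token lifetime; the page gives no value


class FakeClock:
    """Constructed clock so the example runs deterministically offline."""

    def __init__(self, start=1000.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def login_within_window(page_served_at, submitted_at, window=LOGIN_WINDOW_SECONDS):
    """True if the PennKey/password form came back inside the 45-second window."""
    return 0 <= submitted_at - page_served_at <= window


@dataclass
class TokenRecord:
    pennkey: str        # who authenticated
    application: str    # registered application named in the link followed
    issued_at: float


class TokenStore:
    """Stand-in for the Websec module's token database on ISC's server."""

    def __init__(self, ttl=TOKEN_TTL_SECONDS, clock=None):
        self._records = {}
        self._expired = set()   # tokens removed by an application; kept only to explain failures
        self._ttl = ttl
        self._clock = clock or FakeClock()

    def issue_token(self, pennkey, application):
        """Called by Websec after a successful PennKey authentication.

        The token is unguessable and bound to the registered application, so a
        token obtained for "school_survey" cannot satisfy another application.
        """
        token = secrets.token_urlsafe(32)   # value carried in the hidden field 'websec_token'
        self._records[token] = TokenRecord(pennkey, application, self._clock())
        return token

    def check_token(self, token, application):
        """The validity check an application runs on every page.

        Returns (True, pennkey) or (False, reason), applying the page's four
        failure conditions in order.
        """
        if token in self._expired:
            return False, "token explicitly expired"
        rec = self._records.get(token)
        if rec is None:
            return False, "unknown token"
        if self._clock() - rec.issued_at > self._ttl:
            return False, "token timed out"
        if rec.application != application:
            return False, "token issued for a different application"
        return True, rec.pennkey

    def expire_token(self, token):
        """Final step: the application removes its token from the database."""
        if self._records.pop(token, None) is not None:
            self._expired.add(token)


def run_flow():
    """Walk the flow for a constructed user 'jdoe' and application 'school_survey'."""
    clock = FakeClock()
    store = TokenStore(clock=clock)
    results = {}
    served_at = clock()                      # Websec login page shown
    clock.advance(30)
    results["login_in_time"] = login_within_window(served_at, clock())
    token = store.issue_token("jdoe", "school_survey")
    results["first_page"] = store.check_token(token, "school_survey")
    results["other_app"] = store.check_token(token, "course_catalog")
    results["forged"] = store.check_token("not-a-real-token", "school_survey")
    clock.advance(TOKEN_TTL_SECONDS + 1)
    results["timed_out"] = store.check_token(token, "school_survey")
    store.expire_token(token)
    results["after_expire"] = store.check_token(token, "school_survey")
    return results


if __name__ == "__main__":
    for step, outcome in run_flow().items():
        print(f"{step}: {outcome}")
```

The check order matters for the NOTE above: an application that keeps its own session state must still call `check_token` once before trusting the `websec_token` it received, since a forged, stale or cross-application token fails only at that query.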