Penn Computing
Computing Menu Computing A-Z
Computing Home Information Systems & Computing Penn

Simple Database Search - Restricting Access

You may wish to restrict who can search your database. Simple Database Search can restrict access to your database by three methods: If you plan to restrict access to your data, you are welcome to contact the webmaster@isc.upenn.edu for help but following are the steps that you need to take to restrict your data using either domain restriction of web passwords.
  1. Create a separate subdirectory that you can restrict so that the casual user can't see any of the files in this subdirectory. For example,
    /careerservices/pcn/restricted
  2. Restrict that subdirectory so that users can't see any of the files within that subdirectory:
    1. Create a file called .htpasswd that should be empty.
    2. Create a file called .htaccess and put in this file something like the following, substituting the full file path of your .htpasswd for the AuthUserFile value.
      AuthUserFile /usr/local/etc/httpd/htdocs/careerservices/pcn/restricted/.htpasswd
      AuthGroupFile /dev/null
      AuthName restricted-search
      AuthType Basic

      <Limit Get>
      require user searcher

  3. FTP your database file into this restricted subdirectory.

  4. Choose a method of restricting your data, either domain restricted, PennKey authenticated, or password protected.

  5. Edit your search configuration file to include the appropriate options for your method of restriction. If you opt to restrict access to your database, you cannot create your own search form but must allow the script to create your search form. You must also use the default navigational bar and should not include links to your database in any customized header or footer file.

Domain restriction

Domain restriction can be used alone or in combination with either PennNet ID authentication or password protection.

If you choose to use domain restriction and PennNet ID authentication, for example, Simple Database Search will check to see whether the domain of the user contains the domain you have specified in your search configuration file. If it does, the user will be allowed to search the database. If it doesn't, the user will be prompted for a password that the provider has chosen and will only be allowed to search the database if the user types in the proper password.

Add to your search configuration file:

domain_restricted Default: [none]
Syntax: domain_restricted=[domain name]
Example: domain_restricted=upenn.edu


PennKey authentication

Beginning December 21, 2009, the Websec central authentication system will be retired. Dbsearch had been using Websec to restrict access to yur database. The old instructions for setting up dbseach to use Websec are below but have been blocked and greyed out. If you are considering restricting access to your data, please follow the new instructions for using WebLogin with dbsearch.
New Instructions for restricting access to your data
To restrict access to your data, your data and configuration file must reside in a directory on the secure web server, https://secure.www.upenn.edu and that directory must be protected with WebLogin. Follow these steps to restrict your directory:
  1. Even if you already have a directory on www.upenn.edu or one of its virtual hosts, you must also have a complementary directory on secure.www.upenn.edu. If you don't already have a top-level directory on secure.www.upenn.edu, you can request one by sending mail to .
  2. WebLogin also uses a .htaccess file in the directory to be protected but the directives used are different from those used for Websec.
  3. You can continue to restrict your pages to a set of PennKeys but the format of the file that contains the PennKeys is different. See details on the AuthGroupFile directive for your .htaccess.
Old Instructions fo restricting with PennKey authentication
You can opt to present a user with a login form where he/she enters his/her PennNet ID and password. Once authenticated, the user will have 30 minutes to search your database before the session times out.

Add to your search configuration file:

pas_authenticated Default: off
Syntax: pas_authenticated=[off | on]
Example: pas_authenticated=on

If you opt to use PennKey authentication, you can also opt to only allow specified users to search your database. You would create a file with the PennNet ID's of those users who are allowed to search your database. FTP that file into your restricted directory.

Once a user authenticates, Simple Database Search will check the users listed in your authorization file for the PennNet ID of the user who has just authenticated and will only present the search form if the user's PennNet ID is in your authorization file.

Add to your search configuration file:

pasauthfile Default: [none]
Syntax: pasauthfile=[location of your authorization file]
Example: pasauthfile=/careerservices/pcn/restricted/auth.file


Password protection

You can create your own password for your database and the user will have to enter that password in order to search your database. Once authenticated, the user will have 30 minutes to search your database before the session times out.

You would put the password into a file. FTP that file to your restricted subdirectory. The name of the file must be the same name as your database file but with a .pw extension.

If your database file is named

database.txt
then your password file should be named
database.txt.pw

Add to your search configuration file:

password_protection Default: off
Syntax: password_protection=[off | on]
Example: password_protection=on

penn web developers
top

Information Systems and Computing
University of Pennsylvania
Comments & Questions


University of Pennsylvania Penn Computing University of Pennsylvania Information Systems & Computing (ISC)
Information Systems and Computing, University of Pennsylvania