Penn Computing


Penn WebLogin Authentication of Static Web Pages

Introduction

Web servers at Penn which are running Apache can install an Apache module which will allow them to secure static web pages using PennKey authentication via local directives in the Apache .htaccess files. The following directions assume that Penn WebLogin has already been installed and configured on the web server.

Instead of users entering an Apache username/password to view restricted web pages, websites which take advantage of these Apache/Penn WebLogin modules can have users authenticate themselves by using their PennKey and password. The main advantage of this is that the website maintainers do not have to create and maintain a separate list of usernames and passwords for each website they wish to protect. Server administrators who wish to install the Apache/Penn WebLogin modules should visit:

For any web page requiring PennKey authentication, the web server will expect the appropriate validation credentials to be passed to it before authorization to the web page is granted. If the user has already authenticated him/herself, this information will automatically be passed to the web server when the request for the page is made. If the web server does not receive valid credentials, it will perform a redirect to ISC's secure web server so that the user may PennKey authenticate him/herself. Once this step has been completed, the user will be redirected back to the page that was originally requested. The web server takes all steps to validate that the user is properly authorized and appropriately allows or denies access to the page.

Protecting web pages

Use of the Apache/Penn WebLogin modules requires that your server be registered as a Penn WebLogin service. The server administrator for your server should first register a Penn WebLogin service for the server and review the instructions for the Apache/WebLogin modules for more details. If your pages reside on an IIS server, please see your server administrator.

Users of the www.upenn.edu web hosting service: www.upenn.edu is already a registered Penn WebLogin service. Content providers of www.upenn.edu and all virtual hosts running on that server can restrict directories and files. If you are already a provider on www.upenn.edu and already have restricted pages, you can follow the directions below to create your .htaccess file in your restricted directory. If you are a provider on www.upenn.edu but have never restricted pages, you must first contact staff to have space assigned on the secure filesystem. You can contact the ProDesk or you can create a ticket yourself to request the initial setup.

.htaccess Directives

The following directives can be added to the .htaccess file and will work with the Penn WebLogin server if your web server has been set up with the Apache/Penn WebLogin modules. As with any .htaccess file, the directives affect the directory where the .htaccess file is placed and every subdirectory of that directory.



Directive: CosignProtected On
Example:
    CosignProtected On
Description: This is one of three options that are required to enable PennKey authentication. This directive must appear in the .htaccess file.

Directive: AuthType Cosign
Example:
    AuthType Cosign
Description: This is the second of the three options that are required to enable PennKey authentication. This directive must appear in the .htaccess file.

Directive: CosignRequireFactor UPENN.EDU
Example:
    CosignRequireFactor UPENN.EDU
Description: This is the third of the three options that are required to enable PennKey authentication. This directive must appear in the .htaccess file.

Directive: AuthGroupFile
Example:
    AuthGroupFile /usr/local/ftp/html-ssl/computing/software/.auth_file
Description: To require that the user also pass an authorization step, specify the AuthGroupFile directive on a separate line in the .htaccess file. It must be used together with the require group directive. The path to the auth file must be a full directory path. The authorization file contains a space-separated list of PennKey(s).
Sample contents of an authorization file:
    pennweblogin: ben_franklin amy_gutmann judith_rodin

Directive: require group
Example:
    require group pennweblogin
Description: To require that the user also pass an authorization step, specify the require group directive on a separate line in the .htaccess file. It must be used together with the AuthGroupFile directive. The group name must match the group name that is specified in the AuthGroupFile, i.e. "pennweblogin".
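
A small checker for the rules in the table above, added here as an example (it is not part of Penn's documentation or of the Apache/Penn WebLogin modules). The function names, the constructed sample contents, and the choice to compare directive arguments exactly as the page writes them are assumptions of this example.

```python
# Lint an .htaccess against the rules in the directive table above.
REQUIRED = ("CosignProtected On", "AuthType Cosign", "CosignRequireFactor UPENN.EDU")

def parse_directives(text):
    """Return (lowercased name, argument) pairs; skip blanks and # comments."""
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            name, _, arg = line.partition(" ")
            pairs.append((name.lower(), " ".join(arg.split())))
    return pairs

def parse_group_file(text):
    """Parse 'group: member member' lines into {group: [PennKeys]}."""
    groups = {}
    for line in text.splitlines():
        name, sep, members = line.partition(":")
        if sep and name.strip():
            groups[name.strip()] = members.split()
    return groups

def check_htaccess(htaccess, group_file_text=None):
    """Return a list of problems; an empty list means the rules are met."""
    found = parse_directives(htaccess)
    problems = []
    for req in REQUIRED:
        name, _, arg = req.partition(" ")
        if (name.lower(), arg) not in found:  # assumption: exact argument match
            problems.append("missing required directive: " + req)
    paths = [arg for name, arg in found if name == "authgroupfile"]
    wanted = [g for name, arg in found if name == "require"
              and arg.lower().startswith("group ") for g in arg.split()[1:]]
    if bool(paths) != bool(wanted):
        problems.append("AuthGroupFile and require group must be used together")
    problems += ["AuthGroupFile path is not a full path: " + p
                 for p in paths if not p.startswith("/")]
    if group_file_text is not None:
        groups = parse_group_file(group_file_text)
        problems += ["group not defined or empty in auth file: " + g
                     for g in wanted if not groups.get(g)]
    return problems

# Constructed sample input, assembled from the examples in the table.
SAMPLE_HTACCESS = "\n".join(REQUIRED + (
    "AuthGroupFile /usr/local/ftp/html-ssl/computing/software/.auth_file",
    "require group pennweblogin"))
SAMPLE_AUTH_FILE = "pennweblogin: ben_franklin amy_gutmann judith_rodin"
print(check_htaccess(SAMPLE_HTACCESS, SAMPLE_AUTH_FILE) or "ok")
```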


Information Systems and Computing
University of Pennsylvania