Web Conference 2005 - Writing PHP for ITS/ASET Web services - Using Penn State WebAccess
You may choose to use Penn State WebAccess (https://webaccess.psu.edu/) to restrict access to your site for only authenticated Penn State Access Accounts and/or Friends of Penn State Accounts.
To use WebAccess, follow the directions on php.scripts.psu.edu, which will probably ask you to send a note to the administrators asking for a particular folder of your site to be linked from the WebAccess protected area of the server, https://php.scripts.psu.edu/webaccess/.
Once the link has been set properly, requests to the secure URL will require authentication. You may want to prevent visitors from accessing the site from the old URL and bypassing the authentication step. One common and friendly way is to put a redirect from the old URL to the secure URL.
You may also wish to restrict which accounts may have access. By default, all Access Accounts and all FPS Accounts will have access to your site. Since anyone on the Internet can request an FPS account, you should do this step before allowing access to more private data or features of your site.
You may restrict to only Access Accounts by requiring that REMOTE_REALM be "dce.psu.edu".
You may restrict to individual IDs by checking the REMOTE_USER environment variable.
You may restrict to individual IDs that match certain criteria of LDAP Directory information (which you will learn about in the next section).
As mentioned earlier, you may learn how to request a folder of your site to be protected by Penn State WebAccess authentication via the php.scripts.psu.edu homepage. Typically this would require you to specify which folder you want protected.
By default both Penn State Access Accounts and FPS accounts have the authorization to view your site after login. To restrict to only Access Accounts, create a file in Notepad called .htaccess(*) for uploading to your site with the following content:
SSLRequire %{ENV:REMOTE_REALM} == "dce.psu.edu"
Alternatively, you may perform your own restriction within PHP by checking $_SERVER['REMOTE_REALM']. It will be dce.psu.edu for Penn State Access Accounts and fops.psu.edu for FPS.
You can find the userid from the $_SERVER['REMOTE_USER'] variable.
The following code restricts access to the site via a list of userids placed in the PHP code:
<?php
// Userids permitted to use this site. Anyone authenticated by WebAccess
// but not listed here is refused.
$valid_users = array(
    "xyz123" => 1,
    "abc123" => 1,
    "jcd"    => 1,
);

if (!isset($_SERVER['REMOTE_REALM']) || !isset($_SERVER['REMOTE_USER'])) {
    if (strstr($_SERVER["SCRIPT_URI"], "https://php.scripts.psu.edu/webaccess") === false) {
        // It looks like we did not go to the WebAccess protected
        // URL on php.scripts.psu.edu - let's redirect the user there.
        // exit so that nothing further is sent after the Location header.
        header("Location: https://php.scripts.psu.edu/webaccess" . $_SERVER['PHP_SELF']);
        exit;
    } else {
        // It looks like WebAccess is not working for some reason.
        // Exit with an error.
        print_not_logged_in();
    }
} elseif ($_SERVER['REMOTE_REALM'] !== "dce.psu.edu") {
    // Authenticated, but not a Penn State Access Account (e.g. FPS).
    print_not_access_account();
} elseif (!isset($valid_users[$_SERVER['REMOTE_USER']])) {
    // Access Account, but not on our list.
    print_not_valid_user();
} else {
    print_welcome();
}

function print_not_logged_in()
{
?>
<html>
<body>
<p>Error: System did not log you in.</p>
</body>
</html>
<?php
}

function print_not_access_account()
{
?>
<html>
<body>
<p>FPS Accounts not permitted.</p>
</body>
</html>
<?php
}

function print_not_valid_user()
{
    // REMOTE_USER is escaped before it is placed in the page.
?>
<html>
<body>
<p>Account <?php echo htmlspecialchars($_SERVER['REMOTE_USER']); ?> not authorized.</p>
<ul>
<li><a href="/cgi-bin/logout.pl?http://php.scripts.psu.edu/staff/j/c/jcd/phpclass/">Logout</a>
</ul>
</body>
</html>
<?php
}

function print_welcome()
{
?>
<html>
<body>
<p>Welcome, <?php echo htmlspecialchars($_SERVER['REMOTE_USER']); ?>. Main Menu</p>
<ul>
<li><a href="notes.php">Notes</a>
<li><a href="agenda.php">Agenda</a>
<li><a href="calendar.php">Calendar</a>
<li><a href="/cgi-bin/logout.pl?http://php.scripts.psu.edu/staff/j/c/jcd/phpclass/">Logout</a>
</ul>
</body>
</html>
<?php
}
?>
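The same checks as the script above, restructured as an added example (not code from the original page) so that the decision can be exercised with constructed $_SERVER-like arrays before it is wired to header() and HTML output. WEBACCESS_PREFIX, webaccess_decision and enforce_webaccess are this example's own names, the sample requests are constructed, and the protected-URL test is a prefix match rather than the page's strstr substring test.

```php
<?php
// Added example, not from the original page. Same decision as the script
// above, as a pure function over a $_SERVER-like array so each branch can be
// exercised with constructed input. Names below are this example's own.
define('WEBACCESS_PREFIX', 'https://php.scripts.psu.edu/webaccess');
function webaccess_decision(array $server, array $valid_users)
{
    // Missing REMOTE_REALM/REMOTE_USER: WebAccess did not authenticate this
    // request. Reached via the unprotected URL -> redirect; reached via the
    // protected URL -> WebAccess itself failed, refuse.
    if (!isset($server['REMOTE_REALM']) || !isset($server['REMOTE_USER'])) {
        $uri = isset($server['SCRIPT_URI']) ? $server['SCRIPT_URI'] : '';
        return strpos($uri, WEBACCESS_PREFIX) === 0 ? 'not_logged_in' : 'redirect';
    }
    if ($server['REMOTE_REALM'] !== 'dce.psu.edu') {
        return 'not_access_account';   // FPS or any other realm is refused
    }
    if (!isset($valid_users[$server['REMOTE_USER']])) {
        return 'not_valid_user';       // authenticated, but not on the list
    }
    return 'ok';
}
// Wiring: exit after the Location header so no page content follows it,
// and escape REMOTE_USER before placing it in HTML.
function enforce_webaccess(array $valid_users)
{
    $d = webaccess_decision($_SERVER, $valid_users);
    if ($d === 'redirect') {
        header('Location: ' . WEBACCESS_PREFIX . $_SERVER['PHP_SELF']);
        exit;
    }
    if ($d !== 'ok') {
        $who = isset($_SERVER['REMOTE_USER']) ? $_SERVER['REMOTE_USER'] : 'anonymous';
        echo '<p>Access denied (' . $d . ') for ' . htmlspecialchars($who) . '</p>';
        exit;
    }
}
// Constructed sample requests, one per branch (run from the CLI to see them).
$valid_users = array('xyz123' => 1, 'abc123' => 1);
$cases = array(
    'old URL, no auth'   => array('SCRIPT_URI' => 'https://php.scripts.psu.edu/staff/j/c/jcd/phpclass/'),
    'protected, no auth' => array('SCRIPT_URI' => WEBACCESS_PREFIX . '/staff/j/c/jcd/phpclass/'),
    'FPS account'        => array('REMOTE_REALM' => 'fops.psu.edu', 'REMOTE_USER' => 'xyz123'),
    'unlisted user'      => array('REMOTE_REALM' => 'dce.psu.edu', 'REMOTE_USER' => 'nobody1'),
    'listed user'        => array('REMOTE_REALM' => 'dce.psu.edu', 'REMOTE_USER' => 'xyz123'),
);
foreach ($cases as $label => $server) {
    echo str_pad($label, 20) . ' => ' . webaccess_decision($server, $valid_users) . "\n";
}
```

Only the redirect check differs from the page's script: because it needs the protected prefix at the start of SCRIPT_URI, a URL that merely contains the string elsewhere is still treated as unprotected and redirected.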
(*) Windows has a problem dealing with files that begin with a period. You may need to name the file htaccess.txt before saving it to the server. After saving it to the server, you may rename it to the proper name, .htaccess.
If you have any questions, feel free to ask me. Content by: Jeff D'Angelo <jcd@psu.edu> © 2005. Last update on: Wed Jun 15, 2005, 11:11:50 PM