Chapter 10. Access control

Table of Contents
10.1. Two possibilities
10.2. Access control based on client IP address
10.3. Access control by client identity
10.4. Variations on a theme of user identification
10.5. University of Cambridge 'Raven' authentication
10.6. Mix and match: Location and Authentication
10.7. Blocking access to files

Two ways. There are two ways to do access control: by the location of the client and by the identity of the user operating the client.

Client location. There is a brief discussion of why this mechanism is fraught with difficulties caused by proxies and the like. Then the commands to implement it are covered.

User identity. There is a discussion of the Basic and Digest protocols for user identification. Access by user or group and user administration is then covered.

Raven. The University's Raven Web Authentication System is briefly described.

Mixed working. The mixed case of authorising passwordless access from within the institution but requiring authentication from outside will be given in detail.

Blocking names and directories. Application of access control to block access to files with particular names, and to entire directories, is discussed.

10.1. Two possibilities

Now we move to the topic of access control. There are fundamentally two ways of doing this: by client location and client identity.

Client location involves specifying whether access is permitted based on the IP address or hostname of the client (i.e. browsing) system. When a request is received by the server the IP address from which the request was received is known. This address, or the hostname associated with it in the DNS, is checked against a set of rules to determine whether or not the request should be honoured.

Proxy servers

Client location security is often used within the University to restrict access to an institution or to the University as a whole, loosely defined as "anything in cam.ac.uk". This approach doesn't work, but it is often regarded as "good enough" to satisfy the politicians, lawyers and other people who don't understand technology. From the point of view of the web administrator it also has the advantage of simplicity. The reason it doesn't work is that a web proxy inside Cambridge can forward a request that originated outside Cambridge to a server within Cambridge; the server sees the request arriving from the proxy's internal address and honours it. The Computing Service has had its internal minutes cached on Google for the whole world to read after a web proxy on the CS staff network went unnoticed.
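The following Python script is an added illustration of the two preceding paragraphs; it is not part of the course notes and not Apache code. It applies a location rule of the kind the server applies (the peer IP address checked against an allow-list of networks) and then audits each request for the proxy problem just described: a request that the rule accepts because it arrives from an internal address, but whose X-Forwarded-For header names an external origin. The network ranges, the header values and the sample requests are all constructed for the example (the documentation range 192.0.2.0/24 stands in for the institution's own addresses), and the audit can only catch proxies that choose to add X-Forwarded-For, which is exactly why the text says the mechanism cannot be relied on.

```python
import ipaddress
from typing import Dict, List

# Constructed allow-list standing in for "anything in cam.ac.uk". The real
# University ranges are not given in the text, so the RFC 5737 documentation
# range is used here as a placeholder.
INSTITUTION_NETS = [ipaddress.ip_network("192.0.2.0/24")]


def is_internal(addr: str) -> bool:
    """True if the address falls inside one of the institution's networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INSTITUTION_NETS)


def location_decision(peer: str) -> bool:
    """The only rule the server can really apply: the TCP peer address.

    This is what an Apache 'Allow from <network>' style rule evaluates."""
    return is_internal(peer)


def forwarded_chain(headers: Dict[str, str]) -> List[str]:
    """Parse X-Forwarded-For ('client, proxy1, proxy2') into a list of addresses.

    Only proxies that add the header are visible this way; a proxy that
    strips or never sets it leaves no trace at all."""
    raw = headers.get("X-Forwarded-For")
    if not raw:
        return []
    chain = []
    for part in raw.split(","):
        part = part.strip()
        try:
            ipaddress.ip_address(part)   # discard anything that is not an address
            chain.append(part)
        except ValueError:
            continue
    return chain


def audit_request(peer: str, headers: Dict[str, str]) -> Dict[str, object]:
    """Apply the location rule, then flag internal peers that relay for outsiders."""
    allowed = location_decision(peer)
    chain = forwarded_chain(headers)
    external_origin = any(not is_internal(a) for a in chain)
    return {
        "peer": peer,
        "allowed": allowed,
        # accepted by the rule, but the visible origin chain says 'outside'
        "suspect_proxy": allowed and external_origin,
        "origin_chain": chain,
    }


# Constructed sample requests: (peer address, request headers)
SAMPLE_REQUESTS = [
    ("192.0.2.10", {}),                                             # plain internal client
    ("198.51.100.7", {}),                                           # plain external client
    ("192.0.2.44", {"X-Forwarded-For": "203.0.113.9"}),             # internal proxy, external origin
    ("192.0.2.44", {"X-Forwarded-For": "192.0.2.8, 192.0.2.44"}),   # internal proxy, internal origin
]


def run_audit(requests=SAMPLE_REQUESTS) -> List[Dict[str, object]]:
    return [audit_request(peer, headers) for peer, headers in requests]


if __name__ == "__main__":
    for result in run_audit():
        flag = "SUSPECT PROXY" if result["suspect_proxy"] else ""
        print(f"{result['peer']:<14} allowed={result['allowed']!s:<5} "
              f"chain={result['origin_chain']} {flag}")
```

The third sample request is the case from the text: the server's rule accepts it, because the peer is internal, and only the forwarded chain reveals that the page has just been served to an outside client. Treating "suspect_proxy" hits in the access logs as something to investigate is a cheap way to notice an unintended proxy before a search engine does.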

External users

It's increasingly common for members of the University to use computers not connected to the University network - people with broadband at home, people working from wireless networks while travelling, etc. In some cases people use such connections almost exclusively and this trend can be expected to increase. Security based on client location denies these users access to information which they are intended to be able to see.

Client identity involves challenging the user to quote some means of identifying him or herself before permitting access to the document requested. This has the advantage of dealing with proxies, but the disadvantage of requiring administration of the userids and passwords. A common compromise is to create a single userid and password for a set of pages and pass the pair on to anyone who needs access. This has the disadvantage that you don't know which of your users read the pages, but often you don't want to know.
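As an added illustration of the identity-based approach, and not code from the course or from Apache, the script below models the challenge and response the paragraph describes in the form the Basic scheme uses: the server answers an unidentified request with 401 and a WWW-Authenticate header, the client resends with an Authorization header carrying "userid:password" in base64, and the server checks the pair against a store of salted password hashes. The realm name, the user store (including a shared "staff" userid of the kind the text mentions as a common compromise) and the passwords are all constructed for the example. Two points the code makes explicit: base64 is an encoding, not encryption, so the password is readable by anyone on the path unless the connection is protected, and with a shared userid the server can log only the userid presented, never which person used it.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

REALM = "Staff pages"          # constructed realm name
PBKDF2_ROUNDS = 100_000


def make_record(password: str, salt: Optional[bytes] = None) -> str:
    """Store a salted PBKDF2 hash, never the password itself (toy htpasswd line)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"{salt.hex()}${digest.hex()}"


def verify_record(record: str, password: str) -> bool:
    salt_hex, digest_hex = record.split("$", 1)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


# Constructed user store: one personal userid and one shared userid handed
# round to everyone who needs the pages, as the text describes.
USERS: Dict[str, str] = {
    "alice": make_record("correct horse"),
    "staff": make_record("shared-secret"),
}
# Checked for unknown userids so that a missing user costs the same time as a
# wrong password and the response does not reveal which userids exist.
DUMMY_RECORD = make_record("unused")


def challenge() -> Tuple[int, Dict[str, str]]:
    """Server side: the 401 that asks the browser to identify the user."""
    return 401, {"WWW-Authenticate": f'Basic realm="{REALM}"'}


def client_authorization(user: str, password: str) -> Dict[str, str]:
    """Client side: what the browser sends back after prompting the user."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}"}


def decode_credentials(headers: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """Anyone who can read the header can read the password: base64 is not a cipher."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(auth[len("Basic "):], validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def handle_request(headers: Dict[str, str]) -> Tuple[int, Optional[str]]:
    """Return (status, authenticated userid). The userid is all the log will ever hold."""
    creds = decode_credentials(headers)
    if creds is None:
        return challenge()[0], None
    user, password = creds
    record = USERS.get(user)
    ok = verify_record(record if record is not None else DUMMY_RECORD, password)
    if record is None or not ok:
        return challenge()[0], None      # re-challenge rather than explain why
    return 200, user


if __name__ == "__main__":
    print(handle_request({}))                                             # (401, None)
    print(handle_request(client_authorization("alice", "correct horse")))  # (200, 'alice')
    print(handle_request(client_authorization("staff", "shared-secret")))  # (200, 'staff')
    print(decode_credentials(client_authorization("alice", "correct horse")))
```

The last line shows why a Basic-protected page on a plain HTTP connection protects the page but not the password. The 200 for "staff" shows the trade-off the text describes: access works, but the server cannot tell you which of the people holding the shared password read the page.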

To avoid the password administration problem, the Computing Service provides a central authentication system that web administrators can use if they want. This allows members of the University to identify themselves using a centrally administered userid and password.