WebISO Overview
Computing Services runs a WebISO (web initial sign-on) server that allows andrew users to authenticate once per session to a trusted andrew server and then access many campus resources without re-authenticating. Services such as Blackboard, OLR, and My Andrew use this. The contributed webserver can also use it.
How to Use
WebISO can be used on the contributed webserver to restrict access to specified directories to authenticated users.
To restrict access to a directory (and all directories beneath it) to any CMU user, place a file called .htaccess in the directory containing the following lines:
AuthType WebISO
Require valid-user
To restrict access to a directory (and all directories beneath it) to a specific set of CMU users, use the following lines instead:
AuthType WebISO
Require user [user1]@ANDREW.CMU.EDU
...
Multiple Require lines may be present to allow access to any one of the listed users. Other realms such as CS.CMU.EDU supported by andrew's WebISO server may also be used.
CGI Script Interaction
If a CGI script is placed in a WebISO-protected directory, special environment variables are set by the webserver indicating the authentication type and the identity of the user currently accessing the script.
Specifically:
| Variable | Contents |
| --- | --- |
| AUTH_TYPE | WebISO |
| REMOTE_USER | [user]@ANDREW.CMU.EDU (or CS.CMU.EDU, or...) |
The way these variables are accessed depends on the scripting language. In Perl, for instance, AUTH_TYPE would be referred to as $ENV{'AUTH_TYPE'}.
CRITICAL LIMITATION
Though you can restrict the serving of content via the contributed webserver to specific users, because all static content (directly served web pages) and CGI scripts must be world-readable in AFS, no real immediate security is present. Anyone who can access AFS can still retrieve the documents directly. Using WebISO simply restricts what is served via the web.
In some cases, web-only restriction might be enough for your purposes. However, using the authenticated AFS support option we provide, you may use a CGI script as a gateway to content that is in a protected directory.
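An added example, not part of the original documentation: a Python CGI script for a WebISO-protected directory that checks AUTH_TYPE and the full REMOTE_USER principal, realm included, before serving anything. The allow-list entries and the principal pattern are assumptions made for illustration.

```python
#!/usr/bin/env python3
"""Fail-closed identity check for a CGI script in a WebISO-protected directory."""
import os
import re
import sys

# Constructed allow list; entries are full principals (user@REALM), never bare usernames.
ALLOWED = {"alice@ANDREW.CMU.EDU", "bob@CS.CMU.EDU"}

# Assumed, conservative shape for a principal: one user part, one upper-case realm.
PRINCIPAL = re.compile(r"[a-z0-9][a-z0-9_.-]{0,31}@[A-Z0-9.-]{1,64}")


def authorize(environ, allowed=ALLOWED):
    """Return (ok, principal_or_reason) from the variables the webserver sets."""
    if environ.get("AUTH_TYPE") != "WebISO":
        return False, "request was not authenticated by WebISO"
    principal = environ.get("REMOTE_USER", "")
    if not PRINCIPAL.fullmatch(principal):
        return False, "REMOTE_USER missing or malformed"
    # Compare the whole principal so alice@CS.CMU.EDU is not treated as
    # alice@ANDREW.CMU.EDU.
    if principal not in allowed:
        return False, "user not on the allow list"
    return True, principal


def respond(environ):
    """Build the full CGI response (headers and body) as a string."""
    ok, detail = authorize(environ)
    if not ok:
        # Log the reason server-side; tell the client nothing specific.
        print("denied: " + detail, file=sys.stderr)
        return "Status: 403 Forbidden\r\nContent-Type: text/plain\r\n\r\nForbidden\n"
    return "Content-Type: text/plain\r\n\r\nHello, " + detail + "\n"


if __name__ == "__main__":
    sys.stdout.write(respond(os.environ))
```

Because the script itself must be world-readable in AFS, as noted above, its allow list is visible to anyone with AFS access and nothing secret should be stored in it.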