PAPI PROJECT
The PAPI System
Point of Access to
Providers of Information
http://www.rediris.es/app/papi/
Outline
Introduction
Requirements
Approximations to a solution
Configurations
Architecture of the PAPI system
Implementation
Future lines
[email protected] / [email protected]
PAPI - 2
The origin
Meeting between library consortia and content providers
Original problem to solve: access control by IP address
RedIRIS committed to provide a solution
Organizations:
Spanish library consortia
CICA, CSIC, UAM, UOC, UPM, CBUC
Content providers
SILVERPLATTER
GREENDATA
EBSCO
SWETS
ARANZADI
PAPI - 3
Requirements
Access control independent from IP origin
Upon successful local authentication, access must be granted for a configurable period of time to the services the user is authorized to use
User mobility
Transparency to the user
Compatibility with other commonly employed access control systems
Compatibility with Netscape/MSIE/Lynx browsers
Privacy at the user level, while easing the collection of statistics by providers
PAPI - 4
Approximation: Temporary Certificates
[Diagram: an Authentication Server, backed by an authentication data DB, issues temporary certificates (Certificate S1, S2, S3) to the web browser; the browser sends "HTTP + Certificate S1" requests to Web Server S1 and "HTTP + Certificate S2" requests to Web Server S2, each answered with a web page]
Advantages:
Temporary access to authorized services
Allows user mobility
Authentication is local to user's organization
Technology implemented in main web servers
Problems:
NOT TRANSPARENT: password in browser, choice of the right certificate
Inf. providers not adapted to this technology
Does not detect certificate duplication
PAPI - 5
Approximation: Partial Solutions
No transparency -> encrypted cookies
Web servers not adapted -> Points of Access
[Diagram: the Authentication Server, backed by authentication data, issues temporary encrypted cookies (Encry-cookie S1, S2, S3) to the web browser; the browser sends "HTTP + Encry-cookie S1" requests to a Point of Access, which forwards a plain HTTP request to Web Server S1 and returns the web page]
Advantages:
Temporary access to authorized services
Allows user mobility
Authentication is local to user's organization
Access control is adapted to current web servers of content providers
Transparent to the user
Problems:
Domain-name problems when loading cookies
Does not detect cookie copying
PAPI - 6
Approximation: Partial Solutions
Domain-name problems when loading cookies -> Cookies served by PoAs
[Diagram: the Authentication Server, backed by authentication data, now issues temporary Signed-URLs; the web browser presents a Signed-URL to each Point of Access, which answers by setting its own Encry-cookie (S1, S2, S3), so each cookie is served from the PoA's own domain]
PAPI - 7
Approximation: Partial Solutions
Cookie copying -> Database of cookies
Short expiration time
[Diagram: Web Browser 1 sends "HTTP + Encry-cookie S1" to the Point of Access; the PoA checks the cookie against its DB of Enc-cookies, forwards the HTTP request to Web Server S1 and returns the web page together with a new Enc-cookie S1, updating the DB; when Web Browser 2 later presents the copied Encry-cookie S1, the PoA detects a collision]
PAPI - 8
Architecture of the PAPI system
URL: K_priv_AS (user code + server + path + Exp. Time + sign time)
Hcook: K1_PA (user code + server + path + Exp. Time + Random Block)
Lcook: K2_PA (user code + server + path + creation time)
Notation: K_priv_AS(...) is the URL signed with the Authentication Server's private key; K1_PA(...) and K2_PA(...) are cookies encrypted under two keys held by the Point of Access.
[Diagram: the Authentication Server, backed by authentication data, issues temporary Signed-URLs; the web browser holds the resulting Encry-cookies and sends "HTTP + Hcook+Lcook" requests to the Point of Access, which checks the Hcook against its Hcook DB, forwards the HTTP request to Web Server S1, and returns the web page together with a new Hcook+Lcook pair]
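As an added illustration of the Hcook rotation and the Hcook DB (not code from the PAPI project itself): a minimal Point of Access in Python that issues the Hcook/Lcook pair of this slide, rotates the Hcook on every valid request, and reports a collision when an already rotated Hcook is replayed from a second browser. The class, its field names and the HMAC seal standing in for the OpenSSL encryption are assumptions.

```python
import base64
import hashlib
import hmac
import json
import os

class PointOfAccess:
    def __init__(self, k1_pa: bytes, k2_pa: bytes, hcook_ttl: int = 300):
        self.k1, self.k2, self.ttl = k1_pa, k2_pa, hcook_ttl
        self.hcook_db = {}  # (user code, server, path) -> random block currently valid

    # Stand-in for the encrypted cookie: an HMAC-SHA256 seal over the fields
    # (assumption; the real PoA encrypts with OpenSSL, which also hides the user code).
    def _seal(self, key, fields):
        body = json.dumps(fields, sort_keys=True).encode()
        tag = hmac.new(key, body, hashlib.sha256).digest()
        return base64.urlsafe_b64encode(body + tag).decode()

    def _open(self, key, token):
        try:
            raw = base64.urlsafe_b64decode(token)
        except ValueError:  # not base64 at all
            return None
        body, tag = raw[:-32], raw[-32:]
        good = hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest())
        return json.loads(body) if good else None

    def issue(self, user, server, path, now):
        # Mint a fresh Hcook/Lcook pair; the Hcook's random block goes into the DB.
        rnd = os.urandom(8).hex()
        self.hcook_db[(user, server, path)] = rnd
        base = {"user": user, "server": server, "path": path}
        hcook = self._seal(self.k1, {**base, "exp": now + self.ttl, "rnd": rnd})
        lcook = self._seal(self.k2, {**base, "created": now})
        return hcook, lcook

    def check(self, hcook, lcook, server, path, now):
        # Validate a request's cookies; returns (verdict, new pair or None).
        hc, lc = self._open(self.k1, hcook), self._open(self.k2, lcook)
        if not (hc and lc and hc["user"] == lc["user"]
                and (hc["server"], hc["path"]) == (server, path)):
            return "invalid", None
        if now > hc["exp"]:
            return "expired", None
        key = (hc["user"], server, path)
        if self.hcook_db.get(key) != hc["rnd"]:
            # Random block already rotated away: a copy is being replayed (the
            # "Collision" of slide 8). Drop the session for both holders.
            self.hcook_db.pop(key, None)
            return "collision", None
        return "ok", self.issue(hc["user"], server, path, now)
```

Because the legitimate browser's Hcook is invalidated together with the copy, the short expiration time on the slide limits the window in which an undetected copy stays usable.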
PAPI - 9
Configurations
[Diagram: deployment configurations with the components split between the User's Organization (Authentication Server) and the Information Provider (Web Server behind a Point of Access), the Web browser reaching the Point of Access; several layouts with one or more Authentication Servers, Points of Access and Web Servers are shown]
PAPI - 10
Implementation
Status: Version 1.0.0
Available at http://www.rediris.es/app/papi/dist.en.html
Crypt functions:
OpenSSL
Authentication modules
Local auth, LDAP, POP3
Points of Access
mod_perl
Apache virtual servers
PAPI - 11
Future Lines
Enhancement of statistic collection at PoAs
More general implementation
Servlet(s)
Management tools (both for AS and PoA)
Interaction with information access software
Alignment with similar initiatives
Authentication objects
Alternative protocols for exchanging them
SPARTA, Shibboleth
PAPI - 12
Pilot of the system
Information Providers
AS: Local / PoA: MEDLINE (ERL)
AS: LDAP / PoA: LISA DB (ERL)
AS: POP / PoA: Local DBs
AS: POP / PoA: Local DBs
PAPI - 13