IP & ID/Password Security on Web Servers

[Steve Sloan (HIL)]

> Anyone have any success in merging IP & ID/Password security for
> restricted access web pages (e.g. link to resources restricted a
> particular clientele, such as a campus' students & faculty)? 
> 

At the University of New Brunswick (Canada) we have a very 
slick system designed by one of the geniuses in the Computing 
Centre.  I'm not sure it can be duplicated at a lot of other 
institutions.
But I'll attempt to describe it, as it does exactly what you want.

Key to the system is a Ph database that holds information 
on every student and faculty member.  I believe that such a 
system is freely available.  Various other databases "feed" the 
Ph system with updates.  Included with every record is a PIN,
which is known only to the individual.

Our Web server is the Netscape Commerce server.  The fellow
in the Computing Centre wrote a series of programs, at least some
of which he called "Netscape exits".  By modifying the server 
configuration files, these programs are called when a user tries
to access specific protected files and directories.  The programs
prompt for a person's ID and PIN.  They then check the Ph 
database to ensure a match.  They can also check other criteria.
We can restrict access to only faculty, for example.

Once the authorization is given, the Web page appears in the 
browser.

A cookie is also stored with the browser.  The individual ca 
access other protected pages for 24 hours or until the browser is 
closed without having to re-enter an ID and PIN.

At the library, we use this system to protect such things as the
login page to our ERL WebSPIRS system.  Works like a charm.

As you may have noticed, my understanding of the way in 
which this system works is not complete.  But I hope the 
description may prove useful.  I have no idea if the code 
is available but I can ask if there is some interest.

Stephen Sloan
Systems Librarian and University WebMaster
University of New Brunswick
Fredericton, NB  Canada