Remote access to databases

Richard L. Goerwitz III richard at goon.stg.brown.edu
Tue Jun 16 22:22:53 EDT 1998


Alan Bogage poses a fundamental question:

> We have a number of web based periodical databases (IAC, SIRS, etc.) to
> which we need to provide remote access for our students and faculty.  I
> understand that somehow we need to create a database of our users which
> can be based on their library barcodes.  Since the vendors are
> authenticating via our ip addresses, how can a remote user "grab" one of
> our ip addresses and send that to the vendor?

In other words, how do we make off-campus users look like on-campus
ones?

This is a question that librarians on nearly every campus are asking.

One trick is to have the off-campus users authenticate to a proxy web
server.  This proxy server sits on campus, and can pass requests for
IP-restricted resources on to remote servers.  As it receives results back
from these remote servers, it passes the results back to the client.

This way, the remote server thinks it's talking to a machine on campus,
when in fact that machine is just forwarding requests for a user that is
really coming in from off-campus.

There are a couple of problems with this scheme.  First of all, it seems
that most campuses use plain-text authentication.  That is, they are
handing out PIN numbers (or worse yet, cluster login IDs or Kerberos
principals and passwords) as plain characters that any hacker with access
to the network traffic can read.  This is not good.

A second problem is that most campuses use "basic" proxy authentication.
This means that if the user authenticates to the proxy and then walks away
from his or her machine (say it's a cluster machine at another institution),
then anyone who comes along afterwards can access any IP-restricted resource
that the proxy makes available.  The next user (and in fact any subsequent
user) can then surf any of your licensed databases, using the identity of
the previous authenticating user.  This will work as long as the browser is
still running.  The user has to remember to close it when he or she is done!

A third problem is that most proxies require that clients change their
browser's configuration.  This isn't terribly difficult for a personal
machine.  But if the user is a faculty member off at a conference with
nothing but, say, a friend's machine, then this approach can be problematic.

Various proxy-like solutions have been developed that get around these
problems.  Two, in particular, are the UVa's mIm and Brown University's
Pass-Through Proxy.  Here are some technical specs:

  http://www.itc.virginia.edu/department/org/atg/mImabs.html
  http://www.stg.brown.edu/pub/proxydoc/report.shtml

Brown's system has recently been discussed in D-Lib Journal:

  http://www.dlib.org/dlib/june98/stg/06goerwitz.html

(Yes, that's a plug.)

Richard Goerwitz
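
An added illustration of the first two problems in the message above; it is not part of the original post and is not the code of mIm or the Pass-Through Proxy. It shows that a "basic" proxy credential is only base64-encoded on the wire, and contrasts the browser's cached credential with a server-side session that the proxy can expire or revoke. The names `decode_basic` and `IdleSessions`, the barcode/PIN pair, and the idle-timeout design are assumptions made for the example.

```python
import base64
import secrets

# Constructed sample: what a browser sends on every request once the user
# has typed a library barcode and PIN into a "basic" proxy login prompt.
SAMPLE_HEADER = "Basic " + base64.b64encode(b"21234000567890:4321").decode()

def decode_basic(header_value):
    """Return (user, password) from a Basic Proxy-Authorization value.

    base64 is an encoding, not encryption: anyone who can read the
    traffic recovers the credential exactly as this function does.
    """
    scheme, _, blob = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(blob).decode("utf-8").partition(":")
    return user, password

class IdleSessions:
    """Server-side sessions that die after idle_limit seconds of inactivity.

    Unlike a cached Basic credential, which stays valid for as long as the
    browser runs, the proxy itself decides when access ends.
    """
    def __init__(self, idle_limit=600):
        self.idle_limit = idle_limit
        self._sessions = {}  # random token -> (user, time of last request)

    def login(self, user, now):
        token = secrets.token_hex(16)  # unguessable and unrelated to the PIN
        self._sessions[token] = (user, now)
        return token

    def check(self, token, now):
        """Return the user for a live session, or None if expired/unknown."""
        entry = self._sessions.get(token)
        if entry is None or now - entry[1] > self.idle_limit:
            self._sessions.pop(token, None)  # expired sessions stay dead
            return None
        self._sessions[token] = (entry[0], now)  # activity resets the clock
        return entry[0]

    def logout(self, token):
        self._sessions.pop(token, None)  # explicit revocation by the user
```

The `now` argument is passed in so the behaviour is deterministic; a running proxy would supply a monotonic clock reading. The session token still has to travel over an encrypted connection, otherwise it can be read from the traffic just as the PIN can.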


