[WEB4LIB] Intranets and IP authentication and bears, Oh my!

James Cayz cayz at lib.de.us
Thu Dec 21 16:01:40 EST 2000


On Thu, 21 Dec 2000, Masters, Gary E wrote:
>Since I arrived at FDA in April, I have been working to solve a problem with
>IP authenticated subscriptions.  The problem is that FDA has only one IP
>address  because of the firewall configuration.  If we subscribe to an
>engineering service that our center wants (I am in the Center for Devices
>and Radiological Health) and have it on our intranet web page, everyone in
>FDA can use it.  (There are few outside of our Center who use that data,
>since the other centers are food or drugs, but it is difficult to convince a
>database vendor that is true.)
>
>However, since we have a Journals list, an electronic journals list, an
>electronic journals with CDRH access only, electronic newsletters, and one
>other, there are too many lists for people to cope with.  We are putting all
>of the lists into the database of journals with one entry point.  One list of
>all of our journals.  
>
>Then the question is "what to do with the passwords?"
>[...]
>		Gary E. Masters
>		Librarian (Systems)
>		CDRH - FDA
>	(301) 827-6893 

Gary,

How about this:

If your database is "static", have the link from the entry go to an
intRAnet page.  That page makes a determination of Yes/No based upon your
internal IP address (SSI or cgi script), and either shows you the
password, or automatically does a redirect to the outside journal site,
with the userid and password embedded in the page.

If the database is dynamic, you could build the Yes/No determination right
into the database.  For instance, if the database was presented in an HTML
format, and you had Server Side Includes (SSI) turned on on your
webserver, you could use a simple SSI command to say "If the internal IP
address is in the CDRH range, give them the URL to the selected database
(maybe with an embedded userid / password redirect), otherwise, print the
name of the journal and then 'for CDRH use only'".

Neither of these keeps someone from getting the userid / password once
during a legitimate session, and using them other times (unless you use
the referring URL on the vendor's end), but it does keep the accidental use
down.

The second is just one of the ways I've done remote database
authentication in the past.

Hope this helps.

James Cayz

+--------------------------------------------------------------------------+
| James Cayz          Telecommunications / Network Technician IV           |
| Email:cayz at lib.de.us     Voice:302-739-4748 x130      Fax:302-739-6787   |
| Delaware Division of Libraries # 43 S. DuPont Hwy / Dover, DE 19901-7430 |
+--------------------------------------------------------------------------+
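
The Yes/No determination described in the reply above, sketched as a CGI-style script. This is an added example, not part of the original message; the CDRH network range, the journal entry and the vendor URL are constructed placeholders.

```python
import html
import ipaddress
import os

# Constructed values: the real CDRH address range and vendor URL are not in the post.
CDRH_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]
JOURNALS = {
    "eng-standards": ("Engineering Standards Service", "https://vendor.example/login"),
}


def client_in_cdrh(remote_addr):
    """True only if remote_addr parses and falls inside a CDRH network."""
    try:
        addr = ipaddress.ip_address(remote_addr.strip())
    except (ValueError, AttributeError):
        return False  # missing or malformed address: fail closed
    # A dual-stack server may report an IPv4 client as ::ffff:a.b.c.d
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in CDRH_NETWORKS)


def render_entry(journal_id, remote_addr):
    """HTML for one journal entry, decided by the caller's internal IP."""
    name, url = JOURNALS[journal_id]
    if client_in_cdrh(remote_addr):
        return '<a href="%s">%s</a>' % (html.escape(url, quote=True), html.escape(name))
    return "%s (for CDRH use only)" % html.escape(name)


if __name__ == "__main__":
    # As a CGI script: REMOTE_ADDR is set by the web server from the TCP
    # connection; client-supplied headers such as X-Forwarded-For are ignored.
    print("Content-Type: text/html\n")
    print(render_entry("eng-standards", os.environ.get("REMOTE_ADDR", "")))
```

The check only works on addresses seen before the firewall's address translation, which is why it runs on the intranet server rather than at the vendor.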




