Pansophy Authentication

chunkyscreech, Servers

4 Dec 2013 (3 years and 7 months ago)

CFM files used:

index.cfm -> authenticate1.cfm -> authenticate2.cfm ->> CF_Auth2 (custom tag)


From the main Pansophy screen, file Pansophy/index.cfm, the user selects "click here to login", which calls authenticate1.cfm.


Authenticate1.cfm causes a pop-up window to appear requesting your username and password. Your username and password are the same as your CUE username and password (JLab site-wide login).

Upon clicking "submit" the file authenticate2.cfm is called in secure mode, i.e. the form posts to https://application.area/authenticate2.cfm. The form action must be an https:// URL, because the password travels in the body of that request.


Authenticate2.cfm utilizes the custom tag auth2.cfm (invoked as CF_Auth2) with arguments UserName and Password.


The custom tag auth2.cfm makes the following CFHTTP call, passing the user's credentials as HTTP Basic authentication, to read a file that Apache (or IIS) protects with a login requirement. The file is SecureTest.cfm, found in the pansophy/secure directory on the Apache (or IIS) server.


<!--- PORT must match the https:// scheme, i.e. 443; the original listing gave PORT="80",
      which would not be the HTTPS port and would send the Basic credentials to the plain-HTTP listener --->
<CFHTTP URL="https://pansophy.jlab.org/secure/SecureTest.cfm" METHOD="GET" PORT="443"
        USERNAME="#Attributes.Username#" PASSWORD="#Attributes.Password#"
        RESOLVEURL="true" THROWONERROR="no"></CFHTTP>


A read of the file contents (CFHTTP.FileContent) is then attempted. If the contents contain SUCCESS, the web server accepted the credentials and the user is considered "logged in". If the file cannot be read (the server answers 401 or 403, or the connection fails) then login failed and an error message is thrown back to authenticate2.cfm.

Because the call uses THROWONERROR="no", a rejected request does not raise an exception: the tag has to inspect CFHTTP.StatusCode itself and should treat the login as successful only when the status is 200 and the body carries the SUCCESS marker, not on the marker alone.


If login was unsuccessful then an error is thrown back to authenticate1.cfm and the user
is given another chance to enter UserName and Password for verification.


If login is successful then window.opener.updateAuth("#session.username#") is called, from within authenticate2.cfm, to update the picture which shows the user is logged in. The ColdFusion session variable (session.username) is the record of the login that server-side pages must check; the picture is display only.


The pop-up login window is then closed and the user is left with the index.cfm screen displaying the appropriate graphic for success or failure of the user login.


The key to authentication is to set permissions appropriately on the directory and file secure/SecureTest.cfm to which the CFHTTP call is made. For Apache this means configuring the directory to require a valid user (Require valid-user). For IIS, the setting is: login required to read. If the directory is set correctly then secure login/logout authentication can be achieved.

Two caveats follow from this design. The credentials reach the web server in an HTTP Basic Authorization header, which is only base64-encoded, so the CFHTTP request must go over HTTPS (the SSLRequireSSL directive in the Apache configuration enforces this on the server side). And SecureTest.cfm is a probe, not content: it should contain nothing but the SUCCESS marker.
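The probe described above, reproduced as an added example in Python (this is not the page's CFML nor JLab's code). It stands in a constructed HTTP server that protects /secure/SecureTest.cfm with Basic authentication and a user table, and a check_login() function that does what the CFHTTP call and the SUCCESS test do together: send the user's credentials, treat 401/403 as a result rather than an exception (the THROWONERROR="no" behaviour), and declare the login good only on a 200 status plus the marker. The demo talks to the server over plain HTTP on loopback, so it has to switch off the require_tls guard explicitly; against a real server that guard is what keeps the base64-encoded credentials off the wire in clear. The user names, password and host are constructed for the demo.

```python
"""Added example: delegated login check against a Basic-auth-protected marker file,
modelled on the Pansophy CFHTTP probe. Server, user table and credentials are constructed."""
import base64
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.parse import urljoin
from urllib.request import Request, urlopen

# Constructed stand-in for the web server's user database behind "Require valid-user".
USERS = {"jdoe": "correct horse"}
SECURE_PATH = "/secure/SecureTest.cfm"
SECURE_BODY = b"SUCCESS\n"          # the marker file's only content


class SecureHandler(BaseHTTPRequestHandler):
    """Minimal stand-in for Apache/IIS: everything under /secure/ needs valid Basic auth."""

    def do_GET(self):
        if not self.path.startswith("/secure/"):
            self._reply(404, b"not found")
            return
        hdr = self.headers.get("Authorization", "")
        if hdr.startswith("Basic "):
            try:
                # Basic auth is base64("user:password"), not encryption.
                user, _, pw = base64.b64decode(hdr[6:]).decode().partition(":")
            except ValueError:
                user, pw = "", ""
            if USERS.get(user) == pw:
                self._reply(200, SECURE_BODY)
                return
        self.send_response(401)
        self.send_header("WWW-Authenticate", 'Basic realm="pansophy"')
        self.send_header("Content-Length", "0")
        self.end_headers()

    def _reply(self, code, body):
        self.send_response(code)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):   # keep the demo quiet
        pass


def check_login(base_url, username, password, require_tls=True, timeout=5):
    """Equivalent of the CFHTTP probe. Returns (logged_in, status_code).
    A 401/403 is a result, not an exception; logged_in requires BOTH a 200
    status and the SUCCESS marker in the body."""
    if require_tls and not base_url.lower().startswith("https://"):
        raise ValueError("Basic credentials are only base64-encoded; probe over https:// only")
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = Request(urljoin(base_url, SECURE_PATH), headers={"Authorization": "Basic " + token})
    try:
        with urlopen(req, timeout=timeout) as resp:
            status, body = resp.status, resp.read()
    except HTTPError as err:
        status, body = err.code, b""
    return status == 200 and b"SUCCESS" in body, status


def run_demo():
    """Start the constructed server on a free loopback port and try three logins."""
    server = HTTPServer(("127.0.0.1", 0), SecureHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{server.server_port}/"
    try:
        # require_tls=False only because this demo server is plain HTTP on loopback.
        return {
            "good": check_login(base, "jdoe", "correct horse", require_tls=False),
            "bad_password": check_login(base, "jdoe", "wrong", require_tls=False),
            "unknown_user": check_login(base, "nobody", "x", require_tls=False),
        }
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for name, (ok, status) in run_demo().items():
        print(f"{name}: status={status} logged_in={ok}")
```

The server side is the same contract Apache enforces with Require valid-user: no Authorization header, or a wrong one, gets a 401 with a WWW-Authenticate challenge and never the marker body. On the client side the status check matters because a server could answer a credentialed request with an error page that still returns 200 for some other reason; requiring both the status and the marker keeps the decision tied to the protected file actually being served.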




APACHE

From the file httpd.conf:

<Location "/secure">
    AllowOverride none
    <IfModule mod_ssl.c>
        SSLRequireSSL
    </IfModule>
    Order deny,allow
    Deny from all
    Allow from .jlab.org .acc.jlab.org 129.57.
    Require valid-user
</Location>

Notes on this block. With Apache's default Satisfy All, both conditions must hold: the client must come from one of the listed domains or the 129.57. address prefix (the domain forms depend on reverse DNS lookups of the client address) and must present valid credentials. The AuthType, AuthName and user-database directives (AuthUserFile or an LDAP or similar auth module) that give Require valid-user something to check against are not shown here and must also be in effect for /secure. AllowOverride is a <Directory>-context directive and does nothing inside a <Location>. The Order/Deny/Allow lines are the Apache 2.2 and earlier mod_access syntax; Apache 2.4 expresses the same restriction with Require ip and Require host.


IIS

All authentication settings are made through the Internet Services Manager. To set the authentication at any level:

1. In Control Panel, double-click Administrative Tools, and then double-click the IIS snap-in.

2. Locate the ASP page icon, and then open the properties for the level to set, which can be server, directory, or file.

Note: Authentication settings are located on either the Directory Security or File Security tab of the Properties sheet.



(From the Univ of Penn)

If you are running your computer as a web server, consider using something other than Microsoft IIS.

Windows 2000 and XP systems come with the option to set up and run a web server using Microsoft's Internet Information Server (IIS). However, IIS has been plagued with vulnerabilities over the last few years, and three of the most serious Internet worms in recent times (Code Red I, Code Red II and Nimda) were written specifically to take advantage of weaknesses in IIS. These weaknesses were well-known at the time the worms hit, but a major reason they were able to spread so far and so fast was that many people running IIS never applied the patches that were made available. Although IIS security has improved since 2001, there continue to be vulnerabilities found.

Apache is widely regarded to be a much more secure web server, and a Windows version can be downloaded for free from www.apache.org