LAS: light (but insecure) access control

[Andrew Woolf <awo@xxxxxxxxxxxxxxxxxxxx>]

There is an FAQ on access control which suggests setting up a duplicate
server protected using the webserver, and directing users to
the restricted server for access to controlled datasets.


I'd like to describe an alternative customisation I've implemented to
achieve this. It is, however, insecure as the password is sent unencrypted
across the network.

The customisation allows protection of individual datasets
and operation types (eg to protect only data downloads).

The basic idea is to tag datasets as 'secure' in the XML, and to use a
custom UI to obtain a password. There are four steps involved:



1) Insert the following in the XML for the datasets
you wish to protect:

   <properties>
    ...
    <custom>
     ...
     <secure/>
     <url>passwd.html</url>
    </custom>
   </properties>




2) Insert the following in server/custom/custom.pl to actually
perform the password check:


package LAS::Server::Ferret;
use File::Basename;

# Password verification...
sub passwd_verify {
  my ($username,$password) = @_;
  my $valid_passwords = {
   username1 => password1,      # Your own username/passwords here!
   username2 => password2,
  };
  return (length $username && $password eq $valid_passwords->{$username});
}


sub preExecuteHook {
    my $self = shift;

    ...

    my $var = $self->{vars}->[0];
    my $req = $self->{req};
    my $op = $req->getOp->getName;
    my $custom_props = LAS::mergeProperties(
     scalar $var->getDataset->getProperties('custom'),
     scalar $var->getProperties('custom') );
    my %customRequest = %{(@{$self->{customRequest}})[0]};
   # NB: to protect all operations, use the following line:
#    if (exists $custom_props->{secure}) {
   # To protect only data downloads, use the following line:
    if (exists $custom_props->{secure} && $op eq "data") {
      if (!passwd_verify($customRequest{'las_user'},$customRequest{'las_pass'})) {
        die "This is a secure dataset, and no valid password has been supplied"
      }
    }

    ...

}



3) Create a form in ui/passwd.html to prompt for password:

<html>
<head></head>
<body>

...

<form name="passwd_form">
 Username: <input type="text" name="las_user"> <br>
 Password: <input type="password" name="las_pass"> <br>
 <a href="javascript:top.submitCustom('passwd_form')">
<img src="but_Get_Data_small.gif" alt="Get data" border="0"></a>
</form>

...

</body>
</html>



4) If you only want to restrict access to (say) data downloads, then
you only want to prompt for password on 'data' operations. To achieve
this, put 'js="AddSecureURL"' in the XML tag for the dataset, and stick
the following in ui/custom/custom.js:

//------------------------------------------------------
// Code for adding custom URL for secure dataset
//------------------------------------------------------
function AddSecureURL(index,dataset,url,name,institution,customURL)
{
  this.base = V;
  this.secureURL = customURL;
  this.base(index,dataset,url,name,institution);
}

setInherit("AddSecureURL","V");

AddSecureURL.prototype.getOpType =
function(output,view)
{
  var type = Operations[output][1];
  if (type == "data") {
    this.mCustomURL = this.secureURL;
  }
  else {
    this.mCustomURL = "";
  }
  return type;
}
//------------------------------------------------------



There is one small detail remaining - in serializing the
custom form into cookies, a 'password' form input is not
recognised in las.js. Thus you need to insert the following
'case' into the routines serializeForm() and deserializeForm()
in both ui/las.js and ui/custom.tmpl:

      case "password":
        break;


That's it!!

Any comments most welcome.

Regards,
 - Andrew



-- 
-----------------------------------------------------
Andrew Woolf  (awo@mail.nerc-essc.ac.uk)
Environmental Systems Science Centre (ESSC)
Reading University
3 Earley Gate
Whiteknights
Reading RG6 6AL
UNITED KINGDOM
Phone: +44 (0)118 931 8741   Fax: +44 (0)118 931 6413
-----------------------------------------------------