
Re: light (but insecure) access control



Here is an even lighter access control.

Because LAS does not take much disk space, we here at IPRC install
several LASes. Some of them are restricted (access allowed by selected IP
address). This kind of access control is very easy to implement. Here is what we
do in LASserver.pl:

#!/usr/local/bin/perl
# $Id: LASserver.pl.in,v 1.16 2001/01/12 23:39:20 sirott Exp $
#
# Server code for the Live Access Server (LAS)
#
# Original LAS designed by Steve Hankin and Jerry Davison
# Perl version originally designed by Jon Callahan
# XML based redesign, rewrite of Perl version J Sirott
#
# $Id: LASserver.pl.in,v 1.16 2001/01/12 23:39:20 sirott Exp $
# Restrict access by client IP address. REMOTE_ADDR is set by the web server
# from the TCP connection, so the client cannot choose it.
$remote_add = $ENV{'REMOTE_ADDR'};
@subnet_num = split(/\./, $remote_add);
$daiye  = ($subnet_num[0]==128) && ($subnet_num[1]==171) && ($subnet_num[2]==156) && ($subnet_num[3]==76);
$howzit = ($subnet_num[0]==128) && ($subnet_num[1]==171) && ($subnet_num[2]==156) && ($subnet_num[3]==141);
# Only allow the daiye and howzit machines to access. You can expand this
# if you want to let a whole subnet through.
if (!($daiye || $howzit)) {
    print "Location: http://youweb/notallowedtoaccess.html", "\n\n";
} else {
use English;
use strict;
.......

......

# End of main program
}    # add here to complete the if/else


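The two-host check above, generalised to an allow-list of single hosts and CIDR subnets (the "whole subnet" case the post mentions) and with a default deny for a missing or malformed address. This is an added example, not the post's or the LAS project's code; the allow-list entries, the 10.20.30.0/24 subnet and the 403 response (instead of the post's Location: redirect) are choices made for the example.

```perl
#!/usr/bin/perl
# Added example (not LAS project code): IP allow-list for a CGI script.
# Generalises the two-host check to a list of hosts and CIDR subnets and
# refuses anything that is not a well-formed IPv4 address.
use strict;
use warnings;

# Constructed allow-list: the two hosts from the post plus one /24 subnet.
my @ALLOW = ('128.171.156.76', '128.171.156.141', '10.20.30.0/24');

# Convert dotted-quad text to a 32-bit integer; undef if malformed.
sub ip_to_int {
    my ($ip) = @_;
    return undef unless defined $ip
        && $ip =~ /\A(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\z/;
    my @o = ($1, $2, $3, $4);
    for (@o) { return undef if $_ > 255 }
    return ($o[0] << 24) | ($o[1] << 16) | ($o[2] << 8) | $o[3];
}

# True if $ip falls inside $rule, where $rule is 'a.b.c.d' or 'a.b.c.d/N'.
sub ip_matches {
    my ($ip, $rule) = @_;
    my ($net, $bits) = split m{/}, $rule, 2;
    $bits = 32 unless defined $bits;           # bare host means /32
    return 0 if $bits !~ /\A\d+\z/ || $bits > 32;
    my $a_int = ip_to_int($ip);
    my $n_int = ip_to_int($net);
    return 0 unless defined $a_int && defined $n_int;
    my $mask = $bits == 0 ? 0 : (0xFFFFFFFF << (32 - $bits)) & 0xFFFFFFFF;
    return (($a_int & $mask) == ($n_int & $mask)) ? 1 : 0;
}

# Default deny: an undefined or garbled REMOTE_ADDR never matches.
sub client_allowed {
    my ($ip, @rules) = @_;
    for my $r (@rules) { return 1 if ip_matches($ip, $r) }
    return 0;
}

# CGI entry point. REMOTE_ADDR comes from the web server, not from the client.
if (!client_allowed($ENV{REMOTE_ADDR}, @ALLOW)) {
    print "Status: 403 Forbidden\r\nContent-Type: text/plain\r\n\r\n",
          "Access to this LAS is restricted to listed hosts.\n";
    exit 0;
}
print "Content-Type: text/plain\r\n\r\nAllowed client: $ENV{REMOTE_ADDR}\n";
```

REMOTE_ADDR is the address of the TCP peer. If the server sits behind a reverse proxy it will be the proxy's address, and forwarded-for headers are supplied by the client, so a check like this belongs where the real peer address is known (on the proxy, or on a server that is reached directly).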
----- Original Message -----
From: "Andrew Woolf" <awo@mail.nerc-essc.ac.uk>
To: <las_users@ferret.wrc.noaa.gov>
Sent: Friday, December 14, 2001 1:47 AM
Subject: LAS: light (but insecure) access control


>
> There is an FAQ on access control which suggests setting up a duplicate
> server protected using the webserver, and directing users to
> the restricted server for access to controlled datasets.
>
>
> I'd like to describe an alternative customisation I've implemented to
> achieve this. It is, however, insecure as the password is sent unencrypted
> across the network.
>
> The customisation allows protection of individual datasets
> and operation types (eg to protect only data downloads).
>
> The basic idea is to tag datasets as 'secure' in the XML, and to use a
> custom UI to obtain a password. There are four steps involved:
>
>
>
> 1) Insert the following in the XML for the datasets
> you wish to protect:
>
>    <properties>
>     ...
>     <custom>
>      ...
>      <secure/>
>      <url>passwd.html</url>
>     </custom>
>    </properties>
>
>
>
>
> 2) Insert the following in server/custom/custom.pl to actually
> perform the password check:
>
>
> package LAS::Server::Ferret;
> use File::Basename;
>
> # Password verification...
> sub passwd_verify {
>   my ($username,$password) = @_;
>   my $valid_passwords = {
>    username1 => 'password1',     # Your own username/passwords here!
>    username2 => 'password2',
>   };
>   return (length $username && $password eq $valid_passwords->{$username});
> }
>
>
> sub preExecuteHook {
>     my $self = shift;
>
>     ...
>
>     my $var = $self->{vars}->[0];
>     my $req = $self->{req};
>     my $op = $req->getOp->getName;
>     my $custom_props = LAS::mergeProperties(
>      scalar $var->getDataset->getProperties('custom'),
>      scalar $var->getProperties('custom') );
>     my %customRequest = %{(@{$self->{customRequest}})[0]};
>    # NB: to protect all operations, use the following line:
> #    if (exists $custom_props->{secure}) {
>    # To protect only data downloads, use the following line:
>     if (exists $custom_props->{secure} && $op eq "data") {
>       if (!passwd_verify($customRequest{'las_user'},$customRequest{'las_pass'})) {
>         die "This is a secure dataset, and no valid password has been supplied"
>       }
>     }
>
>     ...
>
> }
>
>
>
> 3) Create a form in ui/passwd.html to prompt for password:
>
> <html>
> <head></head>
> <body>
>
> ...
>
> <form name="passwd_form">
>  Username: <input type="text" name="las_user"> <br>
>  Password: <input type="password" name="las_pass"> <br>
>  <a href="javascript:top.submitCustom('passwd_form')">
> <img src="but_Get_Data_small.gif" alt="Get data" border="0"></a>
> </form>
>
> ...
>
> </body>
> </html>
>
>
>
> 4) If you only want to restrict access to (say) data downloads, then
> you only want to prompt for password on 'data' operations. To achieve
> this, put 'js="AddSecureURL"' in the XML tag for the dataset, and stick
> the following in ui/custom/custom.js:
>
> //------------------------------------------------------
> // Code for adding custom URL for secure dataset
> //------------------------------------------------------
> function AddSecureURL(index,dataset,url,name,institution,customURL)
> {
>   this.base = V;
>   this.secureURL = customURL;
>   this.base(index,dataset,url,name,institution);
> }
>
> setInherit("AddSecureURL","V");
>
> AddSecureURL.prototype.getOpType =
> function(output,view)
> {
>   var type = Operations[output][1];
>   if (type == "data") {
>     this.mCustomURL = this.secureURL;
>   }
>   else {
>     this.mCustomURL = "";
>   }
>   return type;
> }
> //------------------------------------------------------
>
>
>
> There is one small detail remaining - in serializing the
> custom form into cookies, a 'password' form input is not
> recognised in las.js. Thus you need to insert the following
> 'case' into the routines serializeForm() and deserializeForm()
> in both ui/las.js and ui/custom.tmpl:
>
>       case "password":
>         break;
>
>
> That's it!!
>
> Any comments most welcome.
>
> Regards,
>  - Andrew
>
>
>
> --
> -----------------------------------------------------
> Andrew Woolf  (awo@mail.nerc-essc.ac.uk)
> Environmental Systems Science Centre (ESSC)
> Reading University
> 3 Earley Gate
> Whiteknights
> Reading RG6 6AL
> UNITED KINGDOM
> Phone: +44 (0)118 931 8741   Fax: +44 (0)118 931 6413
> -----------------------------------------------------
>
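The passwd_verify() in step 2 of the quoted message keeps the passwords in clear text in the script and compares them with `eq`. The following is an added example, not Andrew's code or the LAS project's: a replacement with the same (username, password) interface plus a user-table argument, which stores salted PBKDF2-HMAC-SHA256 records and compares them in constant time. Digest::SHA is a core Perl module; the record format, the sample users, salts and iteration count are constructed for this example.

```perl
#!/usr/bin/perl
# Added example (not LAS project code): hashed-password replacement for the
# passwd_verify() sub in the post.
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256);   # core module

# PBKDF2 (RFC 8018) built from Digest::SHA's HMAC-SHA256.
sub pbkdf2_sha256 {
    my ($password, $salt, $iterations, $dklen) = @_;
    my ($out, $block) = ('', 1);
    while (length($out) < $dklen) {
        my $u = hmac_sha256($salt . pack('N', $block), $password);
        my $t = $u;
        for (2 .. $iterations) {
            $u = hmac_sha256($u, $password);
            $t ^= $u;                       # string XOR of equal-length blocks
        }
        $out .= $t;
        $block++;
    }
    return substr($out, 0, $dklen);
}

# Compare two byte strings without leaking where they first differ.
sub ct_eq {
    my ($x, $y) = @_;
    return 0 unless length($x) == length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0 ? 1 : 0;
}

# Stored record: "iterations$salt_hex$hash_hex" (format constructed for this example).
sub make_record {
    my ($password, $salt, $iterations) = @_;
    my $hash = pbkdf2_sha256($password, $salt, $iterations, 32);
    return join('$', $iterations, unpack('H*', $salt), unpack('H*', $hash));
}

# Returns 1 for a valid username/password pair, 0 otherwise: unknown user,
# missing form field, wrong password or malformed record all fail closed.
sub passwd_verify {
    my ($username, $password, $users) = @_;
    return 0 unless defined $username && defined $password && length $username;
    my $record = $users->{$username};
    return 0 unless defined $record;
    my ($iterations, $salt_hex, $hash_hex) = split /\$/, $record, 3;
    return 0 unless defined $hash_hex && $iterations =~ /\A\d+\z/ && $iterations > 0;
    my $expected = pack('H*', $hash_hex);
    my $got = pbkdf2_sha256($password, pack('H*', $salt_hex), $iterations, length $expected);
    return ct_eq($got, $expected);
}

# Constructed user table. In a real deployment each salt would be random
# bytes (e.g. read from /dev/urandom) and the records kept outside the CGI tree.
my %USERS = (
    username1 => make_record('correct horse', 'salt-for-user1-x', 10_000),
    username2 => make_record('battery staple', 'salt-for-user2-y', 10_000),
);

for my $try (['username1', 'correct horse'], ['username1', 'wrong'],
             ['nobody', 'x'], [undef, undef]) {
    my ($u, $p) = @$try;
    printf "%-10s %s\n", defined $u ? $u : '(none)',
        passwd_verify($u, $p, \%USERS) ? 'accepted' : 'denied';
}
```

This changes how the secret is stored and compared, not how it travels: the post's own caveat stands, and the form in step 3 still sends the password in clear text unless the server is reached over HTTPS. Note also that the hook in step 2 only calls passwd_verify() when `$op eq "data"`; the commented-out condition is the one that protects every operation.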



Dept of Commerce / NOAA / OAR / PMEL / TMAP