METU Library provides access to many domestic and international databases from within the campus, together with the possibility of conducting research in them. These database resources are tied to the METU IP address block (22.214.171.124/16), so users who connect to the network from an on-campus computer automatically have the right to access them. Most users want to use these research facilities from outside the campus as well, and this brings with it the problems of authorizing users and keeping passwords secure.
Given current technology, the best solution appears to be a web cache that grants users access to web pages protected by an authorization mechanism. The Squid Web Cache software, which runs on many servers worldwide and has served METU's on-campus connections successfully for many years, was chosen for this purpose.
Web caching means storing a requested Internet object (data reachable over protocols such as HTTP, FTP or Gopher) on a server in the local area network and serving later requests for it, whether from the same or a different user, from that local server. For browsers that use the same web cache server, the average access time drops and bandwidth is saved. To use the web caching service it must be configured in the browser. METU's on-campus web caching service has been in use since 1999; by installing the necessary settings file on their computers, users get fast access to frequently used web pages through it.
The system to be developed for off-campus users to access the library resources must meet certain requirements, which have to be kept in mind during its design. They can be summarized as:
- There ought to be an authorization mechanism for both the students and the staff of METU.
- The user codes and the passwords that the clients are going to use must be secure.
- It should be supported by all the browsers.
- It should be user friendly on the client side.
- The provided service should have ease of installation and administration.
- It should make provision for users to access from a single computer simultaneously.
- Users should have access to authorized web pages only.
- It should be able to block IP addresses and user codes in case of misuse.
- It must have a structure to prevent sharing of user codes and passwords with others.
- Error message pages should be sufficiently clear.
- Number of maximum connections the users can make should be limited.
- The server to be used must be secure enough.
- The operation and the settings of the server should be documented.
When all the needs listed above are considered, the components of the system to be designed and developed turn out to be:
Figure 1. Service Components
The General Structure of the System
The task of the web caching program, Squid, is to receive the web page request that the user directs to it, forward it on the user's behalf, and pass the returned result back to the client. On the client side a settings file (proxy.pac) determines which web pages are accessed through the Squid web caching service. Users who have configured this in their browsers are directed to the Squid server whenever they want to access the web pages listed in that settings file. In the next step, because of the settings made on the Squid server, the user is required to provide a user code and a password. Since the user code and password the user supplies are transmitted as clear text, this poses a security risk. To minimize it, the user is given a "single use password" for making the connection, instead of using the user code/password pair issued for mail accounts and other METU-specific services. With the system installed at METU, users are required to access a web page over the https protocol and supply their central-system user code and password. Once authorization has been established at this point, a process issues the user a password consisting of randomly selected letters and digits. Having obtained this password, the user enters the user code and this password in the fields presented when accessing a database through the web caching service.
Figure 2. Web Caching Path Flow
Single use passwords and authorization can be considered under two main headings. The first is the settings the user must make on the computer; the second is the settings on the Squid server, the generation of the single use password and its registration in the database. The only setting to be made on the user's computer is the web caching setting. Although there are three basic ways of setting it (auto-detect, use a settings file, manual setting), we recommend using a settings file. It is enough for our users to open the web caching settings window of their browser and enter http://www.metu.edu.tr/proxy.pac as the settings file. The browser then uses the Squid server for the authorized web pages, according to the information in the assigned settings file, and its usual route for other regular Internet web pages. For the process under the second heading, the user is asked to access the address http://netregister.cc.metu.edu.tr via their service provider. This address redirects the request to https://webauth.metu.edu.tr, where the user is asked to supply the central user code and password.
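The kind of settings file described above, as an added example that is not the article's own proxy.pac: the publisher host suffixes and the Squid address are constructed placeholders, and only listed hosts are sent to the proxy, so the user code and single use password never travel anywhere else.

```javascript
// Added example of a proxy auto-config (PAC) file like the one served at
// http://www.metu.edu.tr/proxy.pac. The host suffixes and the Squid address
// are constructed placeholders, not METU's real values.

// The Squid server that asks for the user code and single use password.
var LIBRARY_PROXY = "PROXY squid-proxy.example.edu:3128";

// Publishers reachable only through the authorizing proxy. A leading dot
// matches the domain itself and every subdomain; no dot means exact host.
var LIBRARY_HOSTS = [
  ".database-publisher-a.example",
  ".database-publisher-b.example",
  "journals.example"
];

// PAC scripts run in an old JavaScript dialect, so only ES3 string methods
// are used and no browser-supplied helper (dnsDomainIs, isInNet) is needed.
function hostMatches(host, pattern) {
  host = host.toLowerCase();
  pattern = pattern.toLowerCase();
  if (pattern.charAt(0) !== ".") return host === pattern;
  if (host === pattern.substring(1)) return true;
  return host.length > pattern.length &&
         host.lastIndexOf(pattern) === host.length - pattern.length;
}

// Entry point called by the browser for every request.
function FindProxyForURL(url, host) {
  for (var i = 0; i < LIBRARY_HOSTS.length; i++) {
    if (hostMatches(host, LIBRARY_HOSTS[i])) {
      // Deliberately no "; DIRECT" fallback: if the proxy is down the request
      // fails instead of the browser silently bypassing the authorization.
      return LIBRARY_PROXY;
    }
  }
  // Everything else (including METU's own pages) is fetched directly, so the
  // user code and single use password are only ever sent to the Squid server.
  return "DIRECT";
}
```

The PAC file only steers the browser; which pages a user may actually reach through the proxy has to be enforced by the access rules on the Squid server itself.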
The supplied information is checked against the records in the LDAP server and, depending on the result, the user is shown the web page or an error message pane. On the authorized screen there is a button that provides a single use password; clicking it gives the user the password. This password is also registered on a database server together with the user code. These records are checked regularly and those older than two hours are deleted. When accessing the related web pages via the Squid server, users enter their user code and the single use password obtained earlier. The Squid server checks these against the database. If the supplied information matches the information in the database, the user's access is confirmed and the web addresses entered in the browser are served through the Squid server. After two hours the user code and the single use password are deleted from the database and the user's browser starts asking for a password again.
Figure 3. The Functioning of the System in General
The Squid settings and the single use password steps will be given in the coming issue.
Presented on Akademik Bilişim 2007.
Ferdi Ayaydın - Gökhan Eryol