Computing Services runs a WebISO (web initial sign-on) server that allows andrew users to authenticate once per session to a trusted andrew server and then access many campus resources without re-authenticating. Services such as Blackboard, OLR, and My Andrew use this. The contributed webserver can also use it. From July 2013 onward, the contributed webserver uses the Shibboleth ("Web Login") service rather than the old Pubcookie (called just "WebISO") service. For consistency, we will continue to call it WebISO authentication.
WebISO can be used on the contributed webserver to restrict access to specified directories to authenticated users.
To restrict access to a directory (and all directories beneath it) to any CMU user, place a file called .htaccess in the directory containing the following lines:
In place of AuthType WebISO, you may also use AuthType shibboleth. This allows pages to be served securely via both the contributed webserver and the standard andrew web publishing mechanism (which requires it to be called "shibboleth").
To restrict access to a directory (and all directories beneath it) to a specific set of CMU users, use the following lines instead:
Note that prior to July 30, 2013, the "andrew.cmu.edu" had to be capitalized. Now it must not be capitalized. Sorry -- this is due to a computing services transition.
Multiple Require lines may be present to allow access to any one of the listed users. Prior to July 30, 2013, other realms such as CS.CMU.EDU were supported by andrew's WebISO server, but are no longer. If sufficient demand exists, we can investigate re-adding support ourselves.
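The two .htaccess variants described above, written out as an added example (this is not the page's own listing): the directive names AuthType and Require come from the text, while the specific forms Require valid-user and Require user, and the user names, are assumptions based on standard Apache access-control syntax.

```apache
# Added example .htaccess for a WebISO-protected directory (assumed syntax,
# not the page's own listing). Apache does not allow comments after a
# directive on the same line, so every comment sits on its own line.

# Variant 1: any authenticated CMU (andrew) user may view this directory
# and everything beneath it. AuthType shibboleth is equivalent and is the
# spelling the standard andrew web publishing mechanism requires.
AuthType WebISO
Require valid-user

# Variant 2: only the listed users. Use one Require line per user; access is
# granted if any one of them matches. The realm must be lower-case
# (andrew.cmu.edu) since the July 30, 2013 transition. Uncomment to use and
# remove the "Require valid-user" line above, which would otherwise admit
# every authenticated user.
# AuthType WebISO
# Require user alice@andrew.cmu.edu
# Require user bob@andrew.cmu.edu
```

Only one of the two variants should be active in a given .htaccess: with both present, Require valid-user admits every authenticated user and the per-user lines have no restricting effect.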
If a CGI script is placed in a WebISO-protected directory, special environment variables are set by the webserver indicating the authentication type and the identity of the user currently accessing the script.
| Variable | Contents |
|---|---|
| AUTH_TYPE | WebISO |
| REMOTE_USER | [user]@andrew.cmu.edu |
The way these variables are accessed depends on the scripting language. In Perl, for instance, AUTH_TYPE is read as $ENV{'AUTH_TYPE'}.
Although you can restrict which users the contributed webserver serves content to, all static content (directly served web pages) and CGI scripts must be world-readable in AFS, so this provides no real security against direct access: anyone who can access AFS can still retrieve the documents directly. Using WebISO only restricts what is served via the web.
In some cases, web-only restriction might be enough for your purposes. However, using the authenticated AFS support option we provide, you may use a CGI script as a gateway to content that is in a protected directory.
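The following is an added example of such a gateway CGI script, written in Python rather than the Perl the text mentions; it is not code from the page or from Computing Services. It reads the AUTH_TYPE and REMOTE_USER variables described above, refuses the request unless WebISO (or shibboleth) authentication is present and the user is on a script-side allowlist, and then serves one file from a protected directory, rejecting any path that would escape it. The allowlist, the PROTECTED_ROOT path, and the use of PATH_INFO to name the requested file are assumptions; how the script itself obtains read access to the protected AFS directory (the authenticated AFS support option the page refers to) is outside the example.

```python
#!/usr/bin/env python3
"""Added example: a gateway CGI script for a WebISO-protected directory.

The allowlist, PROTECTED_ROOT and the PATH_INFO convention below are
assumptions made for this example, not values from the page.
"""
import os
import sys

# Constructed allowlist; mirrors what the .htaccess Require lines would admit.
ALLOWED_USERS = frozenset({"alice@andrew.cmu.edu", "bob@andrew.cmu.edu"})

# Hypothetical protected directory (readable by the script, not by the web).
PROTECTED_ROOT = "/afs/andrew.cmu.edu/usr/example/protected"

ACCEPTED_AUTH_TYPES = ("webiso", "shibboleth")
SUPPORTED_REALM = "andrew.cmu.edu"


def parse_remote_user(remote_user):
    """Split REMOTE_USER ("user@realm") into (user, realm), realm lower-cased.

    Returns None when the variable is missing or malformed.
    """
    if not remote_user or "@" not in remote_user:
        return None
    user, realm = remote_user.rsplit("@", 1)
    if not user or not realm:
        return None
    return user, realm.lower()


def authorize(environ, allowed=ALLOWED_USERS):
    """Return (True, "user@realm") if the request passed WebISO and the user
    is allowed, else (False, reason). Every failure mode is handled explicitly
    so a misconfigured directory (no WebISO) is denied rather than served."""
    auth_type = environ.get("AUTH_TYPE", "")
    if auth_type.lower() not in ACCEPTED_AUTH_TYPES:
        return False, "not authenticated by WebISO"
    parsed = parse_remote_user(environ.get("REMOTE_USER"))
    if parsed is None:
        return False, "no REMOTE_USER"
    user, realm = parsed
    if realm != SUPPORTED_REALM:
        return False, "unsupported realm"
    identity = f"{user}@{realm}"
    if identity not in allowed:
        return False, "user not in allowlist"
    return True, identity


def safe_path(root, requested):
    """Resolve `requested` beneath `root` lexically; None if it would escape
    (e.g. "../" segments or an absolute path)."""
    root = os.path.abspath(root)
    candidate = os.path.normpath(os.path.join(root, requested))
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


def respond(status, body):
    """Emit a minimal CGI response (Status header is honoured by Apache)."""
    sys.stdout.write(f"Status: {status}\r\nContent-Type: text/plain\r\n\r\n{body}\n")


def main():
    ok, detail = authorize(os.environ)
    if not ok:
        respond("403 Forbidden", f"Access denied: {detail}")
        return
    requested = os.environ.get("PATH_INFO", "").lstrip("/")
    target = safe_path(PROTECTED_ROOT, requested)
    if target is None or not os.path.isfile(target):
        respond("404 Not Found", "No such document")
        return
    # Authenticated and authorised: stream the protected file to the browser.
    sys.stdout.write("Content-Type: application/octet-stream\r\n\r\n")
    sys.stdout.flush()
    with open(target, "rb") as fh:
        sys.stdout.buffer.write(fh.read())


if __name__ == "__main__":
    main()
```

Invoked as /cgi-bin/gateway.py/notes/readme.txt from inside a WebISO-protected directory, the script serves PROTECTED_ROOT/notes/readme.txt to alice or bob and returns 403 to everyone else; placed in an unprotected directory it always returns 403, because AUTH_TYPE is then unset.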