The access control system


The digital library
• The access control system
  - What it does ...
  - How it works ...
  - Known problems
• The user authentication subsystem
• Future plans
  - Interfaces to Oracle, SAP R/3
  - LDAP
  - ...
Hussayn Dabbous
01.04.2016
Some definitions ...
Aman (Access Manager):
• knows where the local CON is running
• can transport order requests to the billing system
ZUS (Access System):
• handles queries to multiple search DBs
• creates the user-group-dependent search entry pages
CGI (Plugin Module):
• is the portal into the Digibib
• distributes incoming requests to the appropriate CON
CON (Access Control System):
• handles the access to the digital library
• denies unauthorized accesses
• finds out which items have to be paid for
• ...
DBServer (User Database):
• provides the user accounts
• stores user-specific profiles
BILL (Billing System):
• handles all issued orders
• creates bills
• stores/archives billing data
The access control system
What the system should do:
What it does ...
• On/off-campus access
• IP checker for anonymous login
• User accounting
• User groups
• Access via smartcard
• Session control
• Secure communication (SSL)
• Order control
How it works
The access control system
[Diagram: request flow between CGI, Aman, Con(1), Con(2), DBServer and Zus. Arrow labels: "Where is the Con?" (CGI to Aman), request, order, order info, "User ok?" (next to DBServer), query (next to Zus).]
How it works
The access control system
[Diagram: the proposed configuration of the Digital Library NRW. Boxes: WWW-Server, CON, Access Manager (AMan) and ZUS, placed at Cologne and at Bielefeld; Bill with Order Data.]
How it works
The access control system
[Diagram: a more complex configuration example. Sites HBZ, Essen, Dortmund, Bielefeld and Bonn with WWW, CON, AMan and ZUS components; Bill with Order Data appears twice, next to HBZ and Bielefeld.]
The access control system
How it works
And what about the configuration?

Kon.ipAddress        = ariadne.hbz-nrw.de
Zus.ipAddress        = kirke.hbz-nrw.de
Aman.ipAddress       = $(Kon.ipAddress)
Zus.port             = 9302
Aman.port            = 12345
Aman.encryption.port = 12346
Aman.Kon.ports       = 9898,9897
Cgi.addr             = https://kirke.hbz-nrw.de:444/$(Cgi.base)
Cgi.base             = Digibib

Kon  = Access Control System
Zus  = Access System
Aman = Access Manager
Cgi  = WWW-Server-Plugin
Bill = Billing System
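As an added illustration (not code from the original slides or from the Digibib software): a small Python resolver for the key = value format shown above, expanding $(key) references the way the Aman.ipAddress and Cgi.addr entries suggest, and rejecting unknown keys and reference cycles. The reference syntax, the double-quoting of string values and the comma-separated lists are assumptions read off the slides; the sample configuration is constructed from their values.

```python
import re
from typing import Dict, List

# Constructed sample in the "key = value" syntax of the configuration slide.
SAMPLE_CONFIG = """
Kon.ipAddress = ariadne.hbz-nrw.de
Zus.ipAddress = kirke.hbz-nrw.de
Aman.ipAddress = $(Kon.ipAddress)
Zus.port = 9302
Aman.port = 12345
Aman.encryption.port = 12346
Aman.Kon.ports = 9898,9897
Cgi.base = Digibib
Cgi.addr = https://kirke.hbz-nrw.de:444/$(Cgi.base)
Usergroup.Student.name = "Student Uni-Bielefeld"
Usergroup.Student.viewlist = Central, Local
"""

# A reference has the form $(Some.dotted.key); this syntax is assumed from the slide.
REF = re.compile(r"\$\(([A-Za-z0-9_.]+)\)")


def parse(text: str) -> Dict[str, str]:
    """Parse 'key = value' lines into a dict; blank lines are skipped, quotes stripped."""
    entries: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected 'key = value', got {line!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        entries[key] = value.strip('"')
    return entries


def resolve(entries: Dict[str, str], key: str, _stack: tuple = ()) -> str:
    """Expand $(...) references recursively; reject unknown keys and reference cycles."""
    if key in _stack:
        raise ValueError("reference cycle: " + " -> ".join(_stack + (key,)))
    if key not in entries:
        raise KeyError(f"unknown configuration key {key!r}")
    return REF.sub(lambda m: resolve(entries, m.group(1), _stack + (key,)), entries[key])


def resolve_list(entries: Dict[str, str], key: str) -> List[str]:
    """Split a comma-separated value such as 'Aman.Kon.ports = 9898,9897' or a viewlist."""
    return [item.strip() for item in resolve(entries, key).split(",") if item.strip()]
```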
The access control system
How it works
Why is configuration complex?
We need to provide:
• user groups
• views on services
• services
• group-specific service properties
• service-property-specific billing composites
• pricing models
• vendors
• ...
The access control system
How it works
How do we deal with the complexity?

Usergroup.Student.name     = "Student Uni-Bielefeld"
Usergroup.Student.viewlist = Central, Local

[Diagram: directory tree config/resources with the site directories Bielefeld, Essen, Koeln and Hagen and the resource files Views.rc, Properties.rc, Usergroups.rc, Vendors.rc, Systems.rc, ...]

The whole world is a matter of configuration.
Configuration files may be distributed ...
How it works
The access control system
Distributed configuration
[Diagram: one CON; an AMan with its own Config at each of Koeln, Bielefeld, Essen and Bonn.]
Advantages:
• local administration possible
• no replication necessary
The access control system
How it works
And beyond the limits ...
• Easy integration of external services
• Complex pricing models
• Sophisticated template mechanism for HTML resources
• Multiple languages supported
  - English and German resource files provided in the distribution
  - new languages may be added on the fly ...
• Multi-language support everywhere:
  - administrator logfiles
  - user login
  - admin management tool
  - user administration
  - error messages
How it works
The user authentication subsystem
[Diagram: central library access system connected to local user databases (User-db) at Bielefeld, Essen, Dortmund, Cologne and Münster.]
Essential tasks:
• Find user in local database
• Get user environment
• Start controlled user session
• Deny access for unknown users
• Allow specific user groups
• Allow guest access with restricted privileges
The user authentication subsystem
How it works
Current implementation:
• file-based database
• no complex (expensive) database needed
• one ASCII file per user
• very quick access to the data
• user DB server for distributed access fully integrated
• tool for mass import of existing user databases
• prepared for LDAP (easy migration)
The access control system
How it works
Problems with the current web technology
• detecting successful delivery of online requests
• the IP masquerading problem (Network Address Translation, NAT)
• delivery of fragmented documents (e.g. HTML documents)
• partially unencrypted data transfer
Future plans
How it works
• Future plans
  - Interfaces to Oracle, SAP R/3, ...
  - LDAP
  - load distribution
  - port to Linux
  - Apache support
  - stand-alone con-http
  - graphical administration tool
  - refined user permission concept
  - stand-alone search engine (http)
  - graphical presentation of query results
  - ...
[email protected]
AXION GmbH
Goltsteinstraße 89
50968 Köln
Tel.: 0221/94 36 98-0, Fax -11
Hussayn Dabbous