Special Information for Web Developers
This area is designed to provide additional information for web providers and
web application developers who are responsible for designing, programming, or
implementing limited-access, web-based computer applications or web sites. Unlike
public web sites, limited-access web applications and web sites are for use only
by authorized users and require user authentication.
Critical Host Policy Information for Web Application Developers
The Critical Host Policy describes the requirements and constraints for attaching
and securing a critical computer to PennNet. One requirement is that passwords
cannot travel over Penn's network in clear text. The policy also provides "best
practice" recommendations to guide system administrators in further steps
to protect PennNet-connected systems. The purpose of the Critical Host Policy
is to ensure that all systems installed on PennNet are maintained at appropriate
levels of security while at the same time not impeding the ability of users
and support staff to perform their work.
Web application developers are encouraged to read
the complete policy.
Frequently Asked Questions about Securing Web Applications and Web Pages
How does the critical host policy apply to web developers?
In two ways:
- If your web application contains sensitive data or supports a critical
University-wide function, then you must comply with all requirements of
the Critical Host policy including the requirement that end users use strong
authentication for http connections (i.e. they no longer send unencrypted
passwords between their browsers and the web server). The simplest way to
comply with this requirement is to use SSL/TLS to encrypt all http traffic.
ISC has developed the Websec module so that web developers may easily create
PennKey-authenticated web applications. By using the Websec module, these
applications will only allow access if the user has successfully identified
him/herself by entering a correct PennKey and password combination. Further
information can be found by visiting the Securing
Web Pages section of the computing web.
- If content providers use FTP to transfer content to your web server, you
must provide them with a secure file transfer option that uses strong authentication.
Standard FTP uses weak authentication (i.e. unencrypted passwords.). Consult
the Supported Products web site to learn
about FTP clients that satisfy the critical host policy and are supported
by Penn. FTP clients can protect passwords via Kerberos, SCP and standard
FTP with SSH port forwarding.
Will Websec be discontinued?
Since Websec does not support GSSAPI Kerberos authentication, it is not part of Penns long-term authentication strategy
and is expected to be replaced with another authentication method. Web developers will be given at least 12 months notice
before a Websec replacement is implemented and Websec support is withdrawn.
What else do I need to control access to my web application besides
A: Websec only authenticates people. It doesnt tell you whether or not that person is authorized to use your application. Many
people not directly affiliated with the University have been assigned PennKeys, so you can not conclude that someone is affiliated with Penn
just because they have a PennKey and password.
After you have authenticated the user, the next step is for your application
to decide whether or not that person is authorized. Often, that decision can
be made based on biographic/demographic data available in the Penn
What is the difference between using PennKey for Websec
authentication and using it for Kerberos authentication?
Your PennKey has two functions and they are quite different.
- Your PennKey can be used for Kerberos authentication. This requires you
to authenticate only once a day, using a Kerberos ticket manager. For the
rest of that day, you will be able to use Kerberos Single Sign-on meaning
that you may connect to any Kerberized campus service without having to authenticate
- Your PennKey can also be used to authenticate to a variety of web-based
applications (two examples are U@Penn and BEN Reports). However, in this context you are not using Kerberos
authentication but another authentication protocol, called RADIUS. You will
need to enter your PennKey each time you use an application, regardless of whether
you authenticated to the same application earlier in your computing session.
There is not a good solution today to completely replace Websec with Kerberos. However, ISC is evaluating different technologies
and hopes in the near future to announce a Kerberos-compliant solution that will allow you to enter your PennKey and password once, obtain a Kerberos
ticket, and be able to authenticate to Penn web services.