8th IEEE International Conference on Collaborative Computing: Networking, Applications and Worksharing

Research Article

A Simple Collaborative Method in Web Proxy Access Control for Supporting Complex Authentication Mechanisms

  • @INPROCEEDINGS{10.4108/icst.collaboratecom.2012.250446,
        author={Shingo Takada and Akira Sato and Yasushi Shinjo and Hisashi Nakai and Koichi Sakurai and Kozo Itano},
        title={A Simple Collaborative Method in Web Proxy Access Control for Supporting Complex Authentication Mechanisms},
        proceedings={8th IEEE International Conference on Collaborative Computing: Networking, Applications and Worksharing},
        publisher={IEEE},
        proceedings_a={COLLABORATECOM},
        year={2012},
        month={12},
        keywords={web proxy servers access control user authentication shibboleth oauth},
        doi={10.4108/icst.collaboratecom.2012.250446}
    }
    
Shingo Takada1,*, Akira Sato1, Yasushi Shinjo1, Hisashi Nakai1, Koichi Sakurai1, Kozo Itano1
  • 1: University of Tsukuba
*Contact email: takada@softlab.cs.tsukuba.ac.jp

Abstract

Modern authentication mechanisms, including Shibboleth and OAuth, provide user attributes such as affiliations and e-mail addresses. Conventional collaborative methods have problems using such attributes in egress access control for the Web. This paper proposes a new collaborative method using Web browsers, proxy servers, and authentication servers. The proposed method simplifies communications among these elements by using a trusted shared repository that stores user attributes. A new authentication mechanism can be added to the system by deploying an authentication server for that mechanism. This authentication server is a Web application and stores user attributes, associated with the user identifiers, in the shared repository. When proxy servers receive requests from Web browsers, they retrieve user attributes from the shared repository and decide whether or not to allow access to external Web pages in accordance with the URLs and relevant user attributes. Unlike with a standard such as the Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO), neither Web browsers nor proxy servers are required to include extensions for authentication mechanisms. On the basis of this simple collaborative method, the authors have implemented an egress access control system for the Web that performs user authentication with Shibboleth and Facebook. The access control system has been operational in a university library for more than a year.
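
The division of labour the abstract describes can be sketched as follows. This is an added example, not code from the paper or its authors. The repository layout, the record lifetime, the policy format, the "authenticate" outcome and all function names are assumptions, since the page does not give them.

```python
import time
from urllib.parse import urlsplit

# Shared repository: user identifier -> (attributes, expiry time).
# Hypothetical in-memory stand-in; the paper's schema and its choice of
# user identifier are not given on this page.
REPO = {}

def auth_server_store(user_id, attributes, ttl=3600, now=None):
    """Called by an authentication server (e.g. a Shibboleth or Facebook
    front end) after a successful login. The TTL is an assumption."""
    now = time.time() if now is None else now
    REPO[user_id] = (dict(attributes), now + ttl)

# Constructed egress policy: (host suffix, required attribute, allowed values).
POLICY = [
    ("journals.example.org", "affiliation", {"student", "staff", "faculty"}),
    ("news.example.com", "email_verified", {True}),
]

def host_matches(host, suffix):
    # Match on a label boundary so "evil-journals.example.org" does not match.
    return host == suffix or host.endswith("." + suffix)

def proxy_decide(user_id, url, now=None):
    """Return 'allow', 'deny' or 'authenticate' for one proxied request.
    The proxy only reads the repository; it speaks no authentication protocol."""
    now = time.time() if now is None else now
    record = REPO.get(user_id)
    if record is None or record[1] <= now:
        REPO.pop(user_id, None)      # drop stale attributes
        return "authenticate"        # send the browser to an authentication server
    attrs, _expiry = record
    host = (urlsplit(url).hostname or "").lower()
    for suffix, attr, allowed in POLICY:
        if host_matches(host, suffix):
            return "allow" if attrs.get(attr) in allowed else "deny"
    return "deny"                    # no matching rule: default deny
```

Adding another authentication mechanism in this sketch means adding another caller of `auth_server_store`; `proxy_decide` is unchanged.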