Web Security Solutions: Implementing a Web Security Module to Support Secure, Authenticated Applications


This paper discusses authentication at the University of Pennsylvania. The PennNet Authentication System was used to authenticate access to modem pools and network resources. An increasing number of campus Web developers asked to integrate this campus-wide username/password combination into their applications, avoiding the need to maintain separate username/password pairs. To ensure that these usernames and passwords cannot be detected as they travel across the Internet, a system was developed to provide secure, encrypted access to this namespace. Penn developed a generic module based on a three-tier architecture, deployed a dedicated, secure server, and is migrating authenticated applications to this new facility. The goal was to enable providers to use the campus-wide authentication system flexibly in their Web applications, while maintaining control of how the authentication system is secured and administered. This paper describes the three-tier architecture and the application flow of this model, and lists the current applications that use this security model.

