Access to Corporate Gopher using Authenticated Web Proxy
The Web link to Corporate Data is authenticated and executes the following steps:
- The first access by the Web browser prompts for an AFS User-ID and
password.
- HTTPD access routines have been modified to perform a remote procedure call
to our AFS logon service, to authenticate username and password against our AFS
authentication server. If authentication is successful, the WWW to HP3000 proxy
CGI executes.
- A connection is opened and the HTTPD CGI requests a ticket, passing the AFS
username to the HP Gopher server. The HP Gopher server performs a few security
checks and responds with a ticket; the connection then closes.
- The last step is that the WWW-CGI opens the standard gateway used by the
Telnet ticket server methods and requests a Corporate Gopher root menu using
the ticket.
FIGURE 1. Diagram of Authenticated Web Access to Corporate Data
FIGURE 2. Netscape Client selects "Corporate Data" for the first time
The reason for a two step proxy was to be upward compatible, secure and
anonymous. We first coded a one step Web proxy but found that it was very
dangerous because the username had to be passed within the URL as a searchable
string; this resulted in a BIG security hole. The WWW-CGI was therefore implemented
as a two step process: 1) get a ticket from the HP3000; 2) submit the ticket through
the existing gateway to the HP3000 used by the Gopher Telnet ticket server already in
place.
FIGURE 4. Netscape Client displays "Corporate Data Gopher Menu"
Notice that a random (one-time) meaningless ticket value shows on the client URL,
maintaining user privacy and security. This aspect is important when public clusters
of machines are used. It would be unethical to tag data with personal identifiers over
an unsecured network.
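The two-step ticket exchange described above, written out as an added simulation (this is not the Notre Dame code): an already-authenticated CGI trades the AFS username for a random single-use ticket, and only that ticket ever appears in the client URL. The ticket lifetime and the gateway URL are assumptions; the original text states neither.

```python
import secrets
import time

# Assumed lifetime for an unredeemed ticket; the original design does not state one.
TICKET_TTL_SECONDS = 60


class TicketServer:
    """Constructed stand-in for the HP Gopher ticket server."""

    def __init__(self, now=time.time):
        self._now = now            # injectable clock so behaviour is testable
        self._tickets = {}         # ticket -> (AFS username, time issued)

    def issue(self, username, authenticated):
        """Step 1: the HTTPD CGI, having checked AFS credentials, asks for a ticket.
        Returns the ticket, or None if the caller was not authenticated."""
        if not authenticated:
            return None
        ticket = secrets.token_urlsafe(24)   # random and meaningless to an observer
        self._tickets[ticket] = (username, self._now())
        return ticket

    def redeem(self, ticket):
        """Step 2: the gateway presents the ticket to fetch the root menu.
        Returns the username it was issued to, or None if invalid, reused or stale."""
        entry = self._tickets.pop(ticket, None)   # pop: a ticket is good exactly once
        if entry is None:
            return None
        username, issued_at = entry
        if self._now() - issued_at > TICKET_TTL_SECONDS:
            return None
        return username


def root_menu_url(ticket):
    """The URL the client ends up on: carries the ticket, never the AFS username.
    Host and path are placeholders, not the real gateway."""
    return "http://gopher-gateway.example/cgi-bin/gopher?ticket=" + ticket
```

Compare this with the rejected one-step design, where the equivalent URL would have carried the username itself and been readable in browser history and proxy logs.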
Eric.J.Schubert.1@nd.edu
University of Notre Dame