Jeremy Smith's blog

Entry Is Labelled

require valid-user Considered Harmful at Case

If you run a web server (or similar device) that has protected realms meant to be restricted to Case persons, and the only authorization component you have on it is require valid-user (or similar), you should change it.

In the near future, it is going to be increasingly likely that more and more persons with only a passing association with the University will be able to login i.e. they will have Case credentials and they may not be a Case employee, student, or alum. People who are using authorization that is in the style of require valid-user and are expecting their service to only be available to Case users are going to have an unwelcome surprise when someone else authenticates and gets in. (At which point, they will undoubtable blame ITS for the security hole and an op-ed will appear in the Observer about how we are not security conscious.)

The best way to handle authentication in your web app is to use CAS. The best way to handle authorization in your web app is (for Apache, at least) to use mod_auth_ldap. In the scenario where you want active Case users to be able to access your protected realm, you don't do a require valid-user; rather, you:

require group students
require group employees

I'm not sure what the best way to disseminate this message about "require valid-user considered harmful." A post to ITS homepage, maybe? Have someone bring it up at the next CTO's meeting? Probably the latter. But the information needs to get out there before someone running a service has something unexpected happen.

Comments