Athens for NewsAgent?
This report gives a brief (very brief!) introduction to the NISS Athens
authentication system and discusses its applicability for the
NewsAgent system. It is based on a short discussion with Ed Zedlewski
from NISS and on the various materials available on the Web that describe the Athens system.
The NISS Athens system is based on the standard HTTP 'Simple' authentication
model where each each browser request for
a restricted document on the Web server will only be satisfied if the
browser can supply a correct username/password pair.
(For an introduction to user athentication using the Apache Web server
Web server requests for authentication from the browser
are marked as being within a particular 'realm'
so that the client can cache username/password pairs
and only prompt the user for them once per realm.
All Athens based services will operate within the same realm.
Normally each Web server maintains it's own set of username/password
pairs in a local file (typically similar to the standard UNIX
file). The Athens system provides a shared set of many thousands
of usernames and passwords
that are available over the network and that are maintained using
Sybase database system.
The Athens system can be simply integrated into both the Apache and
Netscape Web servers using 'off the shelf' server 'agents'.
Other configurations are
achievable using Athens specific libraries written in C++.
Athens user accounts
The NISS Athens system arranges user accounts in a hierarchical way.
For the purposes of this discussion we will consider two sorts
of Athens accounts,
Access accounts and Personal accounts.
Access accounts are similar to the type of accounts currently offered by
the BIDS service. They are typically site-wide or departmental accounts.
Management of access accounts can be devolved to site or departmental
contacts. If enabled, access accounts can be used to create personal
accounts, i.e. anyone knowing the username/password pair for an
access account can create their own personal account.
Access to resources using an access account is based on both the
correct username/password pair and on the client's IP address.
Personal accounts have in some sense
more priveledge that access accounts.
In particular, access to resources using personal accounts does not
depend on the access being made from a particular client IP
Once set up, personal accounts can be modified and deleted by the owner
of the account.
The resources to which access can be controlled using the Athens system can be both static
pages, normal HTML pages for example, and dynamically generated
pages using CGI scripts.
In both cases access rights are determined by
looking at Access Control Lists (ACLs)
maintained within the Athens system.
In the case of CGI scripts, various parameters about the authenticated user
are also passed to the
script so that it can determine what level of output to generate.
Athens can support 20 character usernames but the main UK HE data centres
will implement usernames with the format 'sssnnnnn', where:
All Athens usernames are mapped to lowercase.
is a fixed site code (alpha)
is the responsibility of the site (alpha-numeric).
The User Perspective
From the user's perspective there would be very little difference between a
NewsAgent system with authentication based on Athens and one with authentication
based on the current internal system.
The significant thing would be that instead of typing in a NewsAgent
specific username/password pair they would be typing in their
Athens username and password.
Indeed if they had already visited some other Athens based system in the current
browser session they would not be prompted for a username/password pair at all
(because all Athens based services operate within the same 'realm').
In order to gain access to the NewsAgent service they would first have to obtain
an Athens personal account - but they are likely to need to do that anyway to access
other UK HE services like BIDS.
They would create their own Athens personal account using their existing site-wide
or departmental access account.
Having got an Athens personal account they would then need to 'register'
with NewsAgent by telling
the system the name of the account they are going to use.
The Administrator Perspective
From the administrator point of view there is some effort required
to configure NewsAgent to use the Athens system.
Clearly the NewsAgent Web servers will need to be modified to use
the Athens system.
Without seeing the system for real it is hard to be sure but
I would expect this work to amount to little more than
recompiling the Apache Web servers used at UKOLN and LITC to build in the
We will have to set up ACLs within the Athens system but I would expect
this to be relatively trivial.
We require resticted access to all of the CGI generated NewsAgent
I suspect this will amount to one or two entries in the Athens ACL files per
Finally we will have to map Athens usernames onto the Oracle usernames
used internally within NewsAgent in some way.
Once set up, the CGI scripts that enable access to the various parts of
NewsAgent can pass the Athens username that was used to obtain access to the script
to the underlying calls into the Oracle database.
There two ways in which Oracle username (and passwords??? Do the
NewsAgent CGI scripts pass a username and password to Oracle or
just a username?) can be set up initially.
Either we modify the NewsAgent 'registration' pages to prompt the user
for an existing Athens username, or we configure the NewsAgent
CGI scripts to look for accesses by 'new' users (i.e. using Athens
usernames that we haven't seen before) and automatically send those
users the registration page.
The version of Athens described here (version ???) is still under development.
Initial deployment with some of the larger UK HE data services,
for example BIDS, is expected during September 1997.
Realistically we should not expect to be able to use Athens
until after January 1988.
Clearly this is outside the timescales for the initial
implementation of a NewsAgent service.
In the meantime, if we plan on ultimately basing the NewsAgent service
on Athens, we could suggest to users that they obtain an Athens personal
account for themselves anyway and then use that username and password
within the current NewsAgent system.
This will make the transition of NewsAgent to Athens in the future
relatively painless for the users.
These notes have considered the applicability of the NISS Athens
system to NewsAgent. I have only really considered Web access to the
Access using Z39.50 clients or the proprietary DALI client has not
This report does not currently consider the issue of how we handle NewsAgent users
who are outside of UK HE and who therefore will not have (or be able to have)
My guess is that using Athens as the underlying authentication system
within a Web based NewsAgent system would be relatively simple to achieve.
There would be some benefits in doing this - not least from the user's
perspective where they would use the same username/password for NewsAgent as
for BIDS and several other services.
Maintained by: Andy Powell
Last updated: 14-Jul-1997