Title :
A simple collaborative method in Web proxy access control for supporting complex authentication mechanisms
Author :
Takada, Shota ; Sato, Akira ; Shinjo, Yasushi ; Nakai, H. ; Sakurai, Kimio ; Itano, K.
Author_Institution :
Grad. Sch. of Syst. & Inf. Eng., Univ. of Tsukuba, Tsukuba, Japan
Abstract :
Modern authentication mechanisms, including Shibboleth and OAuth, provide user attributes such as affiliations and e-mail addresses. Conventional collaborative methods have problems using such attributes in egress access control for the Web. This paper proposes a new collaborative method using Web browsers, proxy servers, and authentication servers. The proposed method simplifies communications among these elements by using a trusted shared repository that stores user attributes. A new authentication mechanism can be added to the system by deploying an authentication server of the new authentication mechanism. This authentication server is a Web application and stores user attributes in a shared repository associated with the user identifiers. When proxy servers receive requests from Web browsers, the proxy servers retrieve user attributes from the shared repository and the proxy servers decide whether or not to allow access to external Web pages in accordance with the URLs and relevant user attributes. Unlike in a standard such as the Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO), neither Web browsers nor proxy servers are required to include extensions for authentication mechanisms. On the basis of the simple collaborative method, the authors have implemented an egress access control system for the Web that performs user authentication with Shibboleth and Facebook. The access control system has been operational in a university library for more than a year.
Keywords :
Internet; authorisation; file servers; online front-ends; social networking (online); Facebook; OAuth; SPNEGO; Shibboleth; Simple and Protected GSSAPI Negotiation Mechanism; URL; Web application; Web browsers; Web proxy access control; authentication servers; complex authentication mechanisms; conventional collaborative methods; e-mail addresses; external Web pages; proxy servers; trusted shared repository; university library; Local area networks; Registers; Servers; OAuth; Shibboleth; Web proxy servers; access control; user authentication;
Conference_Title :
Collaborative Computing: Networking, Applications and Worksharing (CollaborateCom), 2012 8th International Conference on
Conference_Location :
Pittsburgh, PA
Print_ISBN :
978-1-4673-2740-4