Ticket Authentication

Minimum version required

The options described in this document require EZproxy 3.0f GA (2004-10-26) or later.

Overview

Ticket authentication allows remote systems to create short-lived URLs that EZproxy will automatically recognize as authorized to log in and access a resource, with no need for EZproxy to check back with the program that created the URL. A sample URL looks like this:

http://ezproxy.yourlib.org:2048/login?user=rdoe&ticket=a6911a5d0219f428b33e190a80818625%24c20041222220203%24e&url=http://www.somedb.com/

The ticket parameter on the URL contains a digital signature that EZproxy uses to verify that the URL was created by an authorized program. The ticket contains a time-stamp of when it was created. EZproxy can be configured to determine how old a ticket can be before it is considered expired.

Ticket directives for user.txt/ezproxy.usr

A sample entry in user.txt/ezproxy.usr is:

::Ticket
TimeValid 10
MD5 somekey
Expired; Deny expired.html
/Ticket

TimeValid must appear before MD5 or SHA1 and indicates the number of minutes a ticket should be considered valid.

MD5 or SHA1 indicates that the MD5 or SHA1 algorithm should be used to check the digital signature. Either must be followed by a secret string (the key) that must also be used, unchanged, by the program that generates the ticket.

Expired is true if the ticket has expired. The use of a semi-colon in this example links the expired state of the ticket to the Deny action which tells EZproxy what file to present to the user if their ticket is expired. If the expired case is not handled, EZproxy ignores the ticket and proceeds on to the next part of user.txt/ezproxy.usr.

Timezone issue with EZproxy 3.2b

EZproxy 3.2b has an issue with handling daylight savings time for the ASP and Cold Fusion examples. If you use one of these methods, you must add a TimeOffset statement before the MD5 line, such as this:

::Ticket
TimeValid 10
TimeOffset -60
MD5 somekey
Expired; Deny expired.html
/Ticket

or else your tickets will be rejected as expired. When daylight savings time ends, you must remove this statement. This issue is corrected in EZproxy 3.4.

Groups

If you want to include groups as part of your tickets, you must tell EZproxy which groups are allowed to appear in tickets with the AcceptGroups directive. Sample usage is:

::Ticket
AcceptGroups General+Medical+Legal
TimeValid 10
MD5 somekey
Expired; Deny expired.html
/Ticket

In this example, a ticket can include any combination of the three groups specified, but any attempt to place the user in any other groups would be ignored.
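The ticket format from the sample URL above, together with the TimeValid and AcceptGroups checks that the ::Ticket block configures, as an added Python example; this is not one of the OCLC sample scripts. It assumes the digest is computed over the secret key, the user name and the packet that follows the digest, and that the timestamp is in UTC; the key and group names are the sample values from this page.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Values taken from the sample ::Ticket block above (sample values, not a real key).
SECRET = "somekey"                                 # MD5 somekey
TIME_VALID_MINUTES = 10                            # TimeValid 10
ACCEPT_GROUPS = {"General", "Medical", "Legal"}    # AcceptGroups General+Medical+Legal

def make_ticket(user, when, groups="", secret=SECRET):
    """Build a ticket of the form <md5hex>$c<YYYYMMDDHHMMSS>[$g<groups>]$e.
    Assumption: the digest covers secret + user + packet (what follows the digest)."""
    packet = "$c" + when.strftime("%Y%m%d%H%M%S")
    if groups:
        packet += "$g" + groups
    packet += "$e"
    digest = hashlib.md5((secret + user + packet).encode()).hexdigest()
    return digest + packet

def check_ticket(user, ticket, now, secret=SECRET):
    """Return (ok, reason, groups), applying the checks the ::Ticket block
    configures: signature, TimeValid expiry and AcceptGroups filtering."""
    digest, sep, rest = ticket.partition("$")
    if not sep:
        return False, "malformed", []
    packet = "$" + rest
    expected = hashlib.md5((secret + user + packet).encode()).hexdigest()
    # Constant-time compare: do not leak how much of a forged digest matched.
    if not hmac.compare_digest(digest, expected):
        return False, "bad signature", []
    fields = rest.split("$")                       # e.g. ['c2004...', 'gMedical', 'e']
    if len(fields) < 2 or fields[-1] != "e" or not fields[0].startswith("c"):
        return False, "malformed", []
    created = datetime.strptime(fields[0][1:], "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    age = now - created
    # Reject tickets older than TimeValid and tickets dated in the future,
    # which would otherwise stretch a ticket's lifetime beyond TimeValid.
    if age < timedelta(0) or age > timedelta(minutes=TIME_VALID_MINUTES):
        return False, "expired", []
    groups = []
    for field in fields[1:-1]:
        if field.startswith("g"):
            # Groups not listed in AcceptGroups are ignored, as described above.
            groups = [g for g in field[1:].split("+") if g in ACCEPT_GROUPS]
    return True, "ok", groups
```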

Ticket generating code

Sample code for generating tickets is available for ASP, Cold Fusion, JSP, Perl, and PHP. You may need to use your browser's "View Source" command to view the code behind these examples.

For assistance in adapting this sample code for use in your application or for creating similar code for other web scripting environments, contact support@oclc.org.