CGI Authentication
To provide your own script for authenticating users in real-time, follow these steps:
- Edit your user.txt/ezproxy.usr file and add a line like:
someuser:somepass:cgi=http://auth.mylib.org/cgi-bin/myscript.cgi?
This line indicates that when a user needs to be authenticated, EZproxy should redirect the user to a script that is available at http://auth.mylib.org/cgi-bin/myscript.cgi and that EZproxy should automatically tack on "url=" followed by the URL the user was trying to reach.
The trailing ? is required since EZproxy appends directly on to the end of the provided web address.
- The script now authenticates the user in any manner you choose. Sample scripts are provided later for implementing authentication based on existing authentication provided by other web servers, by verifying the provided username and password against an existing FTP server, and by verifying the provided username and password against POP or IMAP mail servers.
- Assuming that this script authenticates the user, the script then connects back to the EZproxy server and sends the username "someuser" with the password "somepass" to request that EZproxy create a new session for the newly authenticated user. The script passes this information back to the user, then the user is able to continue on to the database.
Note: When using CGI authentication, the EZproxy server never handles any of your user authentication information directly. For "cgi=", you can specify an https URL instead if you want to keep your user authentication information totally encrypted.
Data flow
The exact data flow used in performing CGI authentication is documented on a separate web page, CGI Authentication Data Flow.
Reference scripts
The reference scripts for implementing CGI authentication are written in Perl. You can download the entire set in a UNIX tar archive or you can browse them individually.
Although the reference scripts are written in Perl, any CGI environment that can open a socket connection back to the EZproxy server should be able to implement a CGI authentication script. If you need assistance or if you have a success you would like to share, please send e-mail to ezproxy@oclc.org.
Groups
To implement EZproxy groups with CGI authentication, you must be running EZproxy 2.4b GA (2004-02-15) or later, and perform the following additional steps.
- In user.txt/ezproxy.usr, you indicate all groups that the CGI script can specify by including them on a line just before your CGI redirection. For example:
::group=General+Medical+Legal
someuser:somepass:cgi=http://auth.mylib.org/cgi-bin/myscript.cgi?
- In your CGI script, you must look for the CGI variable logup. If this variable is present, it indicates that the user tried to access an unauthorized resource. The value of the variable is the EZproxy session identifier. Your script should either indicate that the resource is unavailable, or your script can provide some form of advanced processing depending on your specific needs.
- When your CGI script determines that a user is valid and connects to EZproxy to request the new session, it should include a group variable to indicate which group or groups should be available to the user. For example,
http://ezproxy.yourlib.org:2048/login?user=cgiuser&pass=cgipass&group=General%2bMedical&url=http://www.somedb.com/
In this example, the %2b between General and Medical is a plus sign (+) that has been URL encoded.
With these changes, your CGI script is free to associate the user to groups as needed.
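The group steps above, sketched in Python as an added example (not one of the Perl reference scripts and not OCLC code). It handles the logup case and builds the session request with the group list limited to the groups declared in user.txt; the host, credentials and group names are taken from this page's examples, while `handle_request`, `build_login_url` and the `lookup_groups` callable are hypothetical names, and opening the connection to EZproxy and relaying its response is left to the data flow page.

```python
from urllib.parse import quote

# Assumed values, copied from the examples on this page.
EZPROXY_LOGIN = "http://ezproxy.yourlib.org:2048/login"
CGI_USER, CGI_PASS = "cgiuser", "cgipass"
DECLARED_GROUPS = ("General", "Medical", "Legal")  # the ::group= line


def build_login_url(groups, target_url):
    """Build the session request the script sends to EZproxy."""
    wanted = set(groups)
    # Only request groups declared in user.txt, in declaration order.
    granted = [g for g in DECLARED_GROUPS if g in wanted]
    if not granted:
        raise ValueError("user has no declared EZproxy group")
    fields = [("user", CGI_USER), ("pass", CGI_PASS),
              ("group", "+".join(granted))]
    # quote(safe="") turns the "+" separator into %2B (equivalent to %2b).
    query = "&".join(f"{k}={quote(v, safe='')}" for k, v in fields)
    # url goes last and unencoded, matching the example on this page.
    return f"{EZPROXY_LOGIN}?{query}&url={target_url}"


def handle_request(params, lookup_groups, authenticated_user):
    """Decide what the CGI script does for one request.

    params: decoded CGI variables as a dict.
    lookup_groups: hypothetical callable mapping a username to the
    group names held in your own directory.
    authenticated_user: username your own check accepted, or None.
    """
    if "logup" in params:
        # The user reached a resource outside their groups; the value
        # is the EZproxy session identifier.
        return ("unavailable", params["logup"])
    if authenticated_user is None:
        return ("prompt", None)
    url = params.get("url", "")
    # Reject empty targets and characters that could split the request.
    if not url or any(c in url for c in "\r\n "):
        return ("error", "bad url")
    try:
        groups = lookup_groups(authenticated_user)
        return ("login", build_login_url(groups, url))
    except ValueError:
        return ("unavailable", None)
```
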