[OAI-implementers] oai security

Thomas G. Habing thabing@uiuc.edu
Tue, 15 Jan 2002 09:36:33 -0600


For our original OAI prototype, last January, we implemented both IP address
and username/password restrictions for our data provider implementation. 
Our implementation used Microsoft IIS Active Server Pages and VBScript.  If
it would be helpful, I could probably dig up some relevant code snippets to

In that implementation, if a user had the correct name/password or were
coming from an approved IP address they were allowed unfettered access to
the complete, full records.  Otherwise, they were restricted to
'dumbed-down' versions of the same records, such as being limited to
harvesting only title, creator, date, and identifier elements.

Thomas G. Habing
Research Programmer, Digital Library Projects
University of Illinois at Urbana-Champaign
155 Grainger Engineering Library Information Center, MC-274
thabing@uiuc.edu, (217) 244-4425

Josie Imlay wrote:
> I am working on an oai server right now and the people that own the information don't want it getting in to just anyone and everyone's hands. I satisfied this using some simple http protocol level authentication. What I am woundering is if people writing harvesters out there are implementing username/password support at all.
> Thanks,
> Josie Imlay
> _______________________________________________
> OAI-implementers mailing list
> OAI-implementers@oaisrv.nsdl.cornell.edu
> http://oaisrv.nsdl.cornell.edu/mailman/listinfo/oai-implementers