TechRepublic's subscription product, TechProGuild (TPG), provides in-depth articles about real-world problems and solutions for folks in the tech trenches. To meet readers' high demands for information and increase the value of its monthly subscription, TPG added Tech Books, an online library of more than 250 books hosted by Books24x7, a provider of Web-based digital technical and business reference content.
With the books hosted on a third party's servers, TPG subscribers would have had to log in at each site every time they accessed TPG or Tech Books. TPG needed a one-time login procedure that would allow users to switch back and forth between TPG content and Tech Books without having to log in over and over. As a consultant, you may find that this type of authentication problem crops up more often as more businesses employ Web services.
We interviewed three members of the TechRepublic team to find out how they solved this quandary: Erik Eckel, TPG's editor in chief; Doug Lane, director of software engineering; and software engineer Kevin Cobb.
TechRepublic wanted to offer an easy way for members to browse the Tech Books content, while providing Books24x7 with the authentication information it needed to verify that only paid subscribers or trial members were accessing the books.
TechRepublic's developers were challenged with creating a seamless interface that allowed members to log in just once, no matter how many times they switched back and forth from TPG content to Tech Books. Cobb said they had to consider two scenarios:
- Users who click on the Tech Books link from inside TPG, when TechRepublic knows who the users are
- Users who enter Books24x7 without going through TPG, when TechRepublic does not know who the users are
The developers first looked at Profile IDs (PIDs). TechRepublic and TPG members are regularly authenticated through PIDs that are assigned to users when they register on the site. However, because TechRepublic's PIDs aren't shared with the general public, the team couldn't authenticate users by using the PID as a query parameter.
Instead, they set up a temporary unique ID, or Authentication ID (AID). The AID is held in a database table and is mapped to the user's PID. The AID expires in one hour, so it can be safely passed to Books24x7 through a URL similar to this: http://www.thirdpartysite.com?AID=xxxxxxx.
The first scenario
When users click on the Tech Books link from the TPG product, they are taken to the Books24x7 Web site. The link to this site has in its query string the AID parameter (<http://www.thirdpartysite.com?AID=xxxxxxx>).
Books24x7 uses this "temporary" parameter to ping the TechRepublic side for information about the user via a Simple Object Access Protocol (SOAP) request that has the AID embedded in the SOAP XML.
TechRepublic responds via SOAP with the access level of users and their PID. The PID allows Books24x7 to reauthenticate users if their session expires. Users may have one of three access levels:
- No access: When users aren't paying or trial members of TPG or their AID has expired or is invalid, they are not allowed into the Books24x7 site.
- Preview access: When users are trial TPG members, portions of the reference text are unavailable.
- Full access: When users are paid subscribers and valid TPG members, all reference text is available and searchable.
The second scenario
If users go directly to the Books24x7 site, it has no AID to include in the SOAP authentication request. In this case, users are redirected to a page on the TechRepublic site where they are prompted to log in. If users have auto-login turned on in the My Account section of the TechRepublic site, they are logged in automatically, making the authentication piece seamless.
Once that process is complete, users are redirected to the page within Tech Books where they initially requested entry, this time with an AID in the URL as a query parameter. Then the authentication process can proceed as before, with Books24x7 requesting the authentication level of the user using the AID as the unique key. The solution is outlined in Figure A.
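As an added illustration of both scenarios (example code, not TechRepublic's or Books24x7's own), the following Python models the AID table with its one-hour expiry, the SOAP-style lookup that returns an access level and PID, and the redirect-to-login path taken when no AID is present. The class and function names, the example URLs, and the membership data are assumptions made for the example.

```python
import secrets
import time

AID_TTL_SECONDS = 3600  # the article states the AID expires in one hour
LOGIN_URL = "https://techrepublic.example/login"  # placeholder, not from the article
BOOKS_URL = "https://books.example/"              # placeholder standing in for Books24x7


class AidService:
    """TechRepublic side (hypothetical): maps a short-lived AID to a member's PID."""

    def __init__(self, members, clock=time.time):
        self.members = members   # pid -> "paid" | "trial" | None (constructed data)
        self.clock = clock       # injectable so expiry can be exercised in tests
        self._aids = {}          # aid -> (pid, issued_at); the article's database table

    def issue_aid(self, pid):
        # Opaque random value: the URL exposes only this mapping key, never the PID
        aid = secrets.token_urlsafe(16)
        self._aids[aid] = (pid, self.clock())
        return aid

    def resolve(self, aid):
        """The SOAP responder: access level and PID for an AID, or no access."""
        entry = self._aids.get(aid)
        if entry is None or self.clock() - entry[1] > AID_TTL_SECONDS:
            return {"access": "none", "pid": None}   # unknown or expired AID
        pid = entry[0]
        level = {"paid": "full", "trial": "preview"}.get(self.members.get(pid), "none")
        return {"access": level, "pid": pid if level != "none" else None}


def books_entry(service, query):
    """Books24x7 side: returns ("access", level, pid) or ("redirect", url)."""
    aid = query.get("AID")
    if aid is None:
        # Second scenario: no AID, so send the user to TechRepublic to log in and
        # ask to be returned to the page that was originally requested
        return ("redirect", f"{LOGIN_URL}?return={BOOKS_URL}")
    result = service.resolve(aid)   # stands in for the SOAP round trip
    return ("access", result["access"], result["pid"])


def techrepublic_login_return(service, pid):
    """After login (or auto-login) succeeds, bounce back to Tech Books with a fresh AID."""
    return f"{BOOKS_URL}?AID={service.issue_aid(pid)}"
```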
"The two development staffs were able to implement a solution that provides all the features of Books24x7 that's integrated into the TPG look and feel, adding value for TechProGuild members," Eckel said.
Why use a third-party site?
TechRepublic originally tried hosting its own Tech Books library in February 2001, but it immediately became apparent that providing a full-text library wasn't a practical option. The first library housed the content of only 38 books. Hosting the books meant that TechRepublic had to have contracts with each publisher and had to be responsible for keeping the information out of unauthorized hands. To compound the headache, it was difficult to update the library with the latest information.
With the original library, users didn't have the My Bookshelf feature, which now allows them to save favorite titles for easy reference. Also, the original search feature was cumbersome, offering little value to the readers. "Because of the way we put it together and the constraints we were faced with, we weren't able to offer the search functionality of searching within a book, or searching the entire Tech Books collection," Eckel said.
Because the primary function of Books24x7 is providing Web-based digital technical and business reference content, the company had already established the security needed to protect publishers' content. By offering members the Tech Books library, TechRepublic can provide access to up-to-date information without having to host it.
TechRepublic had used a similar authentication procedure when working with its now-closed subsidiary ITRadar, Lane said. "Actually, they were the ones that implemented the authentication service, and we were the client in that instance."
Because the method was already proven, Lane said he felt it was a secure option for the Books24x7 project. "Since the temporary ID is visible on the URL, if someone was monitoring communication between our site and Books24x7, they would see that temporary ID, but they couldn't use it for very long to get access."
Because the solution had been used before, it was also inexpensive to implement. For example, TechRepublic already had Java code written to handle the incoming SOAP request, and Books24x7 was able to use the existing SOAP API for the work on its side. As a result, the project took only about six weeks to go from the design stage to development and testing. Most of that time was spent in discussion with Books24x7, Lane said.
Keep it simple
Cobb said that it's often difficult for teams of developers from different organizations to work together because of limited time and accessibility. Many times, it's hard to get the attention of the other team's developers, or "worse than that, you are forced to deal with someone who is not a developer," Cobb said.
Another roadblock to success is creating a complex answer when a simpler solution is in order. Cobb said the key factor to the authentication solution's success is its minimalism.
"Obviously, this SOAP request-response process could do a lot more processing if we needed it to, but we don't," he said. "Once the user is authenticated on the third-party side, they can go along their merry way reading content, assuming they have the correct access level."
The easy access to the Books24x7 staff, coupled with a straightforward design solution, has helped TechRepublic and its members in two ways, Cobb said.
"One, things go wrong very rarely. Two, when they do go wrong, the problem has been pretty easy to track down."
We want to tell your story
We're looking for a minicase study highlighting specific problems and their technological solutions, especially those in the Web services arena. Send us an e-mail with an outline of your problem and solution. If we feature it in a TechRepublic article, we'll reward you with $50.