Security and Visibility Enhancements for the PG System Team 5b

Introduction

Background

The Peer Grading (PG) System is a teaching tool developed at North Carolina State University intended to facilitate the peer grading of homework assignments. The automated facility allows for doubly blinded reviewing of student assignments by students enrolled in the same class. It is doubly blinded in the sense that reviewers do not know whose work they are reviewing and reviewees do not know who made the review. The practice of peer reviews has always been invaluable and widespread in many professions, most notably in academia. While peer reviewing is indispensable to the academic world, it has traditionally not been a significant part of classroom instruction. By automating the mechanics of peer reviewing and utilizing the technology of the World Wide Web (which has become virtually ubiquitous in recent years), the PG System is intended to make peer reviewing easily available in a classroom setting.

The PG System offers several benefits in the classroom. The most obvious benefit is learning from the comments and criticisms of other students. While direct feedback from the instructor might be of greater value, peer student feedback is clearly an underutilized resource. Also, since students must communicate effectively with one another, the system encourages communication skill development. It is often easier to communicate with the instructor concerning subject matter than with classmates. The system also allows students to review other team members (anonymously) in the case of group assignments or projects. Finally, by automating some aspects of the assignment grading process it allows the instructor (and assistants) more time for other useful activities such as planning, increased class size and longer coffee breaks.

PG System Overview

The system recognizes two types of users: admin and student. To access the system, all users are authenticated. From the main view there are options for student and admin users. Admin options are suppressed when a student is authenticated.

After a student logs in he is presented with two options on the main view: submit an assignment or review an assignment. Each option has a drop-down window allowing assignment selection. If the student chooses to submit an assignment he is allowed to upload a file from his local system to the PG System. If the submission is out of date (that is, if the due date has been exceeded) a submission is not allowed. If the student chooses to submit a review he first chooses an assignment (as with the submission option) and then is offered a selection of other submissions to review. The reviewer is then allowed access to the file submission and can then submit comments and a grade, which are associated with the submission. The original submitter can view the grades and comments.

When an administrator logs into the PG System and enters the admin area he is presented with several options. First, submission assignments are created (with explicit due dates). (The student list for the assignment must be created using an external text editor or script.) Next, review assignments are created and associated with a specific submission assignment. When review assignments are created, an explicit due date is specified and the grading method and details are specified. Finally, there is an option which allows the administrator to specify the number of submissions each student must review and the number (if any) of reviews each student must review. The PG System then randomly assigns submissions to reviewers and reviews to reviewers in an evenly distributed fashion. There are also options for web publishing of completed assignments, viewing reports, specifying review parameters for team assignments or projects and email review notification options.

PG System Enhancement Requirements

1. Read Protection for Submissions
   An option to read-protect every submission--so no other user can read it. (Read-protection needs to be turned on, if it is desired for submissions to be on the Web while they are under review, and turned off when projects are "published" to the Web.) Presently it is possible for students to “walk” the assignment directory tree and view the submissions of other students. This enhancement will make all submissions and reviews private. Submissions will be accessible only to submitters, assigned reviewers and administrators. The administrative user can, at his discretion, make submissions universally available using the web publishing option in the administrative area.
2. Administrative Graphical File View
   A way for an administrator to view all files from a graphical interface that has keyboard shortcuts. (E.g., the administrator should be able to walk the directory tree from /public on down.) Presently, an administrator can only view the directory tree outside of PG System tools. This enhancement will create an option in the administrative area to view the directory file structure and access files directly. Keyboard shortcuts will be created, including shortcuts to navigate a directory listing with cursor keys, using an alphanumeric key to forward to the first file beginning with that character, etc.
3. Administrative Review View
   A way for an administrator to view reviews and reviews of reviews associated with a submission without having to log in as the student who submitted it. Presently there is no feature which allows the administrator to access a particular student's files and reviews without logging in and ‘becoming’ the student. This enhancement will create a new option in the administrative area which allows the administrator to choose an assignment and student and view all of his submissions and reviews.
4. Logout Function
   A logout function for PG (to allow logging in as a different user without closing the browser). It is acceptable to provide the option to log out only on the PG home page. An inelegant feature of the PG System is the lack of a logout option. To log out, the user must exit his web browser. If a user wants to access the system under a different id he must first exit his current web browser, open a new browser and then log in as the different user. This enhancement will create a button feature which will end the current user's session and allow another user to log in without restarting the current browser window. This button will be placed on the PG System Login Page.

Architectural Design

Architectural changes to the PG system will be made to both the Tomcat configuration and the current set of PG servlets. The architectural changes necessary to implement the proposed PG System Enhancements are shown below.

Read Protection for Submissions

Modifications involve changes to the Tomcat configuration file to disable automatic directory listings. The user will be required to log in using the process described under Logout Function below and download a submission instead of relying on the directory listing facilities of Tomcat.
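Once directory listings are off, something on the servlet side still has to decide who may download which submission. One way to express the rule from the requirement (submitter, assigned reviewer, administrator, or published), as an added example that is not PG System code; it assumes Java 17, and every class, record and field name in it is hypothetical:

```java
import java.util.Map;
import java.util.Set;

// Added example, not PG System code: all names here are hypothetical.
public class SubmissionAccess {
    enum Role { STUDENT, ADMIN }
    record User(String id, Role role) {}
    // One stored submission: who uploaded it, who was assigned to review it,
    // and whether the administrator has published it to the Web.
    record Submission(String submitterId, Set<String> reviewerIds, boolean published) {}

    /** Default deny: only the cases named in the requirement return true. */
    static boolean canRead(User user, Submission s) {
        if (s == null) return false;                  // unknown submission number
        if (s.published()) return true;               // made universally available by the admin
        if (user == null) return false;               // not logged in
        if (user.role() == Role.ADMIN) return true;   // administrators may read everything
        return s.submitterId().equals(user.id())      // the submitter
            || s.reviewerIds().contains(user.id());   // an assigned reviewer
    }

    public static void main(String[] args) {
        // Constructed sample data, keyed by the number in the URL ("/<#>/<filename>").
        Map<Integer, Submission> store = Map.of(
            1, new Submission("alice", Set.of("bob"), false),
            2, new Submission("carol", Set.of("alice"), false),
            3, new Submission("bob", Set.of("carol"), false));
        User alice = new User("alice", Role.STUDENT);
        User admin = new User("instructor", Role.ADMIN);
        for (int n = 1; n <= 4; n++) {                // number 4 does not exist
            System.out.printf("/%d/ alice=%b admin=%b%n", n,
                canRead(alice, store.get(n)), canRead(admin, store.get(n)));
        }
    }
}
```

The check is keyed on the stored submission record, not on the number in the URL, so changing that number only selects a different record to be checked.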

Administrative Graphical File View

Changes include the addition of a new link from the LinkPage, available only to administrators, that links to a new view, DirectoryViewPage. DirectoryViewPage will accept a directory path below the /public directory as a query. It will print a table of the directories and files located within that directory. Both files and directories will be hyperlinks. Clicking on a filename will bring up a download dialog and clicking on a directory will invoke DirectoryViewPage with the new extended path.
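Because DirectoryViewPage takes its path from the query, the servlet has to confirm that the path really is below /public before listing or serving anything. A sketch of that confinement check, as an added example that is not PG System code; the class and method names are hypothetical, and a temporary directory stands in for /public:

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

// Added example, not PG System code: class and method names are hypothetical.
public class PublicPathResolver {
    private final Path root;

    PublicPathResolver(Path publicDir) throws IOException {
        this.root = publicDir.toRealPath();            // canonical form of the /public directory
    }

    /** Maps the query string to a real path under the root, or throws. */
    Path resolve(String query) throws IOException {
        if (query == null || query.indexOf('\0') >= 0) {
            throw new SecurityException("malformed path");
        }
        // Treat the query as relative to /public even if it starts with a separator.
        String relative = query.replaceFirst("^[/\\\\]+", "");
        Path candidate = root.resolve(relative).normalize();   // collapses "." and ".."
        // Path.startsWith compares whole name elements, so "/public-old" does not match "/public".
        if (!candidate.startsWith(root)) {
            throw new SecurityException("path leaves the public root");
        }
        Path real = candidate.toRealPath();            // follows symlinks; throws if missing
        if (!real.startsWith(root)) {
            throw new SecurityException("symbolic link leaves the public root");
        }
        return real;
    }

    public static void main(String[] args) throws IOException {
        Path pub = Files.createTempDirectory("public");        // constructed stand-in for /public
        Files.createDirectories(pub.resolve("hw1/3"));
        Files.writeString(pub.resolve("hw1/3/report.txt"), "sample");
        PublicPathResolver resolver = new PublicPathResolver(pub);
        String[] queries = {"", "hw1/3", "/hw1/3/report.txt", "hw1/../../", "../../etc"};
        for (String q : queries) {
            try {
                Path p = resolver.resolve(q);
                String kind = Files.isDirectory(p) ? "directory" : "file";
                System.out.println("'" + q + "' -> " + kind);
            } catch (SecurityException e) {
                System.out.println("'" + q + "' -> rejected: " + e.getMessage());
            }
        }
    }
}
```

The administrator-only restriction on the page is a separate check; confinement to /public is still worth enforcing so that a crafted link cannot turn the view into a general file browser.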

Administrative Review View

The Administrator must have access to a new view that allows selection of an assignment and subsequently selection and viewing of reviews or reviews of reviews of the submitted work. We will implement a page allowing the administrator to select from a dropdown menu of assignments. The next page will process the selected assignment and display a table showing users that have made submissions and links to their reviews and reviews of reviews. This may necessitate some modifications to the pages that currently show reviews and reviews of reviews in addition to the changes already described.

Logout Function

Tomcat manages the current login system for PG. In order to log a user out of the system, HTTP Basic authentication (used by Tomcat) must be bypassed and the servlets must be given the responsibility for managing authentication. The realm configuration for Tomcat will be removed to prevent it from performing HTTP Basic authentication. The current LoginPage will be renamed and will now display a form for username and password entry to the user. That form will submit to AuthenticationServlet, which will delegate to Authentication to determine whether or not to allow the user. Authentication has the responsibility of validating username and password against a data store of valid usernames and passwords. Once Authentication has determined access should be granted, it will store a token in the user’s session indicating that authentication has taken place. All subsequent servlets will delegate to Authentication to determine if the current user has been authenticated, and if that user has not, he will be automatically redirected to the LoginPage. This will prevent unauthorized direct access to servlets.
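A sketch of the Authentication helper this design describes, as an added example that is not PG System code. It assumes the javax.servlet API that Tomcat supplies on the classpath; only the names Authentication, AuthenticationServlet and LoginPage come from the design, while CredentialStore, the session attribute name and the URL mappings are hypothetical.

```java
import java.io.IOException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example, not PG System code. Names other than Authentication and
// LoginPage are hypothetical.
public final class Authentication {
    /** Hypothetical lookup against the data store of valid usernames and passwords. */
    public interface CredentialStore { boolean verify(String user, String password); }

    private static final String TOKEN = "pg.authenticatedUser";   // session attribute name
    private final CredentialStore store;

    public Authentication(CredentialStore store) { this.store = store; }

    /** Called by AuthenticationServlet with the submitted form fields. */
    public boolean login(HttpServletRequest req, String user, String password) {
        if (user == null || password == null || !store.verify(user, password)) return false;
        HttpSession old = req.getSession(false);
        if (old != null) old.invalidate();             // do not reuse a pre-login session id
        req.getSession(true).setAttribute(TOKEN, user);
        return true;
    }

    /** Called first by every other servlet; false means a redirect was already sent. */
    public boolean requireLogin(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        resp.setHeader("Cache-Control", "no-store");   // Back button must not replay old pages
        HttpSession s = req.getSession(false);         // never create a session just to check
        if (s != null && s.getAttribute(TOKEN) != null) return true;
        resp.sendRedirect(req.getContextPath() + "/LoginPage");   // assumed URL mapping
        return false;
    }

    /** Called by the servlet behind the Logout button. */
    public void logout(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        HttpSession s = req.getSession(false);
        if (s != null) s.invalidate();                 // token is destroyed on the server side
        resp.sendRedirect(req.getContextPath() + "/"); // PG homepage, assumed mapping
    }
}
```

Because the token lives only in the server-side session, invalidating that session is what makes the logout effective; clearing anything in the browser is not required.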

Use Cases

Read Protection for Submissions

·  Case 1: File navigation
1. A user views their submissions and the address bar displays the file path.
2. The user replaces the file name with a different web server directory name.
3. The user is presented with a Tomcat error page.

·  Case 2: Review email
1. A reviewer receives an email with a link of a file to be reviewed.
2. The user selects the link and is presented with the Login page.
3. The user logs in and is presented with the file to review.

·  Case 3: Illegal User View
1. A user tries to view a file they did not submit and are not authorized to review.
2. The user is presented with a Tomcat error page.

·  Case 4: Administrator File navigation
1. The administrator is able to view the directory structure or file in all cases.

Administrative Graphical File View

1. An administrator logs in and is presented the LinkPage.
2. The administrator selects the DirectoryViewPage link.
3. The user is presented with the DirectoryViewPage, which displays a link to the public directory.

Administrative Review View

1. An administrator logs in and is presented the Link Page.
2. The administrator selects the Review link.
3. The user is presented with the Review Page, which displays a table of current reviews and users.

Logout Function

1. A logged in user navigates to the LinkPage.
2. The user selects the Logout button.
3. The user is directed to the PG System Homepage and cannot access the PG system without logging in again.

Test Cases

Read Protection for Submissions

·  Test Case 1:
A user should log into the system and try to navigate to any of the web server's directories. The user should be presented with a Tomcat error page.

·  Test Case 2:
Assuming that several assignments and users have already been created, each created user should submit a file. Users should verify that they are able to view the file they submitted. When a user's file is displayed, the address bar should display a number followed by a “/<filename>”. In an effort to subvert the system, the user should then change that number to any other number, chosen according to the number of users that have submitted a file. The user should then be presented with a Tomcat error page.

·  Test Case 3:
Assuming that several assignments and users have already been created, each created user should submit a file. A user should then view a file they submitted. When the file is displayed, the address bar should display a number followed by a “/<filename>”. The user should then delete the "/<#>/<filename>" to navigate to the top level directory. The user should be presented with a Tomcat error page.

·  Test Case 4:
An administrator should also try each test case above, but they should be able to view the file or the directory structure.

Administrative Graphical File View

·  Test Case 1:
This requirement is tested by logging in as an administrator and from the LinkPage selecting the “Directory” hypertext link. The administrator should then be able to view the "public" directory tree structure.

·  Test Case 2:
Verify that a student user’s LinkPage does not display the “Directory” hypertext link.

Administrative Review View

·  Test Case 1:
This requirement should be accessible only to administrators. Non-administrators should log on and verify that the “Review” link is not present.

·  Test Case 2:
An administrator logs in and proceeds to the LinkPage. The “Review” link should be selected. Then an assignment should be selected and the action submitted. The administrator should be presented with a table similar to the following. When a filename is selected, the user should be presented with the grade page.

User / Submission / Review / Review of Review
Name / Filename / Yes or No / Yes or No

Logout Function

·  Test Case 1:
After successful login, the user should navigate to the PG LinkPage and exercise the newly added logout button. The user should be taken to the PG homepage. The user then should verify that he has been logged out by trying to access the PG System again. The user should be prompted for a new login.

·  Test Case 2:
After successful login, the user should navigate to the PG LinkPage and exercise the newly added logout button. The user should be taken to the PG homepage. At this point the user should use the ‘back’ function on his browser. The user should be logged out and receive an error message from Tomcat.
