Authentication and Authorization in web applications

Post on 30-Dec-2015


Transcript of Authentication and Authorization in web applications

Authentication and Authorization in web applications

Presentation by:

Kaushal Kumar

kk2457@columbia.edu

Need of “Auth & Auth” services

1. To allow only genuine users

2. To check for security risks like SQL injection

3. To generate various roles for various users

4. To enforce role-based access control

5. To make “auth & auth” independent of actual web-app development

“Auth & Auth” frameworks as pluggable components!!!

Most widely used: “auth & auth” frameworks built on the JAAS APIs

JAAS

(Java Authentication and Authorization Service)

• Set of APIs provided by Sun, present in the “javax.security.xxx” packages

• a relatively new API:
    was an extension in J2SE 1.3
    became a core API in J2SE 1.4
    now also a part of the J2EE 1.3 specs

• an abstraction layer between application level code and disparate underlying auth & auth mechanisms

[Figure: a high-level overview of how JAAS achieves this pluggability. Taken from the article by J. Musser and P. Feuer on JavaWorld.com, 09/13/02.]

Overall Workflow of an “auth & auth” framework

1. AUTHENTICATION:

Overall Workflow of an “auth & auth” framework

2. AUTHORIZATION:

Step 1: User is authenticated

Step 2: Principal-based entries are read from the policy file

Step 3: The subject is associated with access-controls

Step 4: On each subsequent security check, the Java runtime checks the access-controls and access is granted or denied

What does a web-app developer need to do?

1. Choose the login-modules based on the web-app specs

2. Get the jars and put them in the lib/classpath

3. Specify the login-modules in the Java security policy file

4. Specify the roles and role-based access controls in the policy file

DONE !!!

Move on with the actual web-app development.
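As an added illustration of the workflow and developer steps above (this is not code from the presentation), here is a minimal pluggable JAAS login module in Java: the hypothetical MapLoginModule authenticates against a constructed in-memory user table, commit() attaches a RolePrincipal to the Subject, and the configuration entry that the slides put in a file is supplied programmatically. It assumes Java 9 or later, and the final access check is done as an explicit role check in application code rather than through the Java security policy file.

```java
import java.io.IOException;
import java.security.*;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;
public class JaasDemo {
    // Constructed sample user table (hypothetical); a real module would verify salted password hashes.
    static final Map<String, String> USERS = Map.of("alice", "s3cret"), ROLES = Map.of("alice", "admin");
    public static class RolePrincipal implements Principal {   // attached to the Subject on commit (step 3)
        private final String role; public RolePrincipal(String r) { role = r; } public String getName() { return role; }
    }
    // The pluggable LoginModule: login() checks credentials, commit() attaches Principals.
    public static class MapLoginModule implements LoginModule {
        private Subject subject; private CallbackHandler handler; private String user;
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> sh, Map<String, ?> o) { subject = s; handler = h; }
        public boolean login() throws LoginException {
            NameCallback nc = new NameCallback("user: "); PasswordCallback pc = new PasswordCallback("password: ", false);
            try { handler.handle(new Callback[] { nc, pc }); }
            catch (IOException | UnsupportedCallbackException e) { throw new LoginException(e.getMessage()); }
            String expected = USERS.get(nc.getName());   // null for unknown users; isEqual below runs in constant time
            if (expected == null || !MessageDigest.isEqual(expected.getBytes(), new String(pc.getPassword()).getBytes()))
                throw new FailedLoginException("bad credentials");
            user = nc.getName(); pc.clearPassword(); return true;
        }
        public boolean commit() { subject.getPrincipals().add(new RolePrincipal(ROLES.get(user))); return true; }
        public boolean abort() { return true; }
        public boolean logout() { subject.getPrincipals().clear(); return true; }
    }
    // Programmatic stand-in for the login-module entry a JAAS configuration file would hold
    static final Configuration CONFIG = new Configuration() {
        public AppConfigurationEntry[] getAppConfigurationEntry(String name) { return new AppConfigurationEntry[] {
            new AppConfigurationEntry(MapLoginModule.class.getName(), AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, Collections.emptyMap()) }; }
    };
    // Authentication workflow: the LoginContext drives the module and returns the populated Subject
    public static Subject authenticate(String user, char[] pass) throws LoginException {
        CallbackHandler h = cbs -> { for (Callback c : cbs) {
            if (c instanceof NameCallback) ((NameCallback) c).setName(user);
            else if (c instanceof PasswordCallback) ((PasswordCallback) c).setPassword(pass); } };
        LoginContext lc = new LoginContext("WebApp", new Subject(), h, CONFIG);
        lc.login(); return lc.getSubject();
    }
    // Authorization step 4, as an explicit role check before a protected action
    public static boolean hasRole(Subject s, String role) {
        return s.getPrincipals(RolePrincipal.class).stream().anyMatch(p -> p.getName().equals(role));
    }
    public static void main(String[] args) throws LoginException {
        System.out.println("alice is admin: " + hasRole(authenticate("alice", "s3cret".toCharArray()), "admin"));
        try { authenticate("alice", "wrong".toCharArray()); } catch (LoginException e) { System.out.println("rejected"); }
    }
}
```

Swapping MapLoginModule for a vendor login module only changes the AppConfigurationEntry; the LoginContext, Subject and role check stay the same, which is the pluggability the slides describe.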