Post on 30-Dec-2015
Authentication and Authorization in web applications
Presentation by:
Kaushal Kumar
kk2457@columbia.edu
Need for “Auth & Auth” services
1. To allow only genuine users
2. To check for security risks like SQL injection
3. To generate various roles for various users
4. To enforce role-based access control
5. To make “auth & auth” independent of actual web-app development
“Auth & Auth” frameworks as pluggable components!!!
Most widely used: “auth & auth” frameworks built on JAAS APIs
JAAS
(Java Authentication and Authorization Service)
• Set of APIs provided by SUN, present in the “javax.security.xxx” package
• A relatively new API:
  - was an extension in J2SE 1.3
  - became a core API in J2SE 1.4
  - now also a part of the J2EE 1.3 specs
• An abstraction layer between application-level code and disparate underlying auth & auth mechanisms
A high-level overview of how JAAS achieves this pluggability
Taken from:
Article by: J. Musser and P. Feuer on JavaWorld.com, 09/13/02
Overall Workflow of an “auth & auth” framework
1. AUTHENTICATION: (workflow diagram not reproduced)
2. AUTHORIZATION:
Step 1: User is authenticated
Step 2: Principal-based entries are read from the policy file
Step 3: The subject is associated with access-controls
Step 4: On each subsequent security check, the Java runtime checks for access-controls: access granted or access denied
What does a web-app developer need to do?
1. Choose the login-modules based on the web-app specs
2. Get the jars, put in the lib/classpath
3. Specify the login-modules in the java security policy file
4. Specify roles and role-based access controls in the policy file
DONE !!!
Move on with the actual web-app development.
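The four authorization steps and the developer checklist above, carried through as one added worked example in Java (this is not code from the presentation). It assumes a hypothetical `DemoLoginModule` and `RolePrincipal`, a constructed in-memory user table, and a `POLICY` map that stands in for the principal-based “grant” entries of a policy file; the programmatic `Configuration` stands in for the login configuration file the developer would normally write (Java 11 or later):

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.Principal;
import java.util.Arrays;
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

public class JaasDemo {

    /** Principal carrying a role name; the authorization step keys on this (constructed for the demo). */
    public static final class RolePrincipal implements Principal {
        private final String name;
        public RolePrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public String toString() { return "Role:" + name; }
    }

    /** Constructed user store: username -> {sha256(password), role}. A real store uses a salted, slow hash. */
    private static final Map<String, String[]> USERS = Map.of(
        "alice", new String[]{sha256("alice-pw"), "admin"},
        "bob",   new String[]{sha256("bob-pw"),   "viewer"});

    /** Stand-in for the policy file's principal-based "grant" entries: role -> permitted actions. */
    private static final Map<String, Set<String>> POLICY = Map.of(
        "admin",  Set.of("read", "write"),
        "viewer", Set.of("read"));

    /** The pluggable part: a LoginModule the web-app code never references directly. */
    public static class DemoLoginModule implements LoginModule {
        private Subject subject;
        private CallbackHandler handler;
        private String user;
        private boolean succeeded;

        @Override public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
            subject = s;
            handler = h;
        }

        /** Step 1: authenticate. Credentials arrive through callbacks, so the module stays UI-agnostic. */
        @Override public boolean login() throws LoginException {
            NameCallback nc = new NameCallback("user: ");
            PasswordCallback pc = new PasswordCallback("password: ", false);
            try {
                handler.handle(new Callback[]{nc, pc});
            } catch (IOException | UnsupportedCallbackException e) {
                throw new LoginException("callback failed: " + e.getMessage());
            }
            char[] pw = pc.getPassword();
            pc.clearPassword();
            String[] record = USERS.get(nc.getName());
            // Always hash and compare (constant-time) so unknown users take the same path as wrong passwords.
            String expected = record == null ? sha256("") : record[0];
            boolean match = MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                                  sha256(new String(pw)).getBytes(StandardCharsets.UTF_8));
            Arrays.fill(pw, '\0');
            if (record == null || !match) throw new FailedLoginException("bad credentials");
            user = nc.getName();
            succeeded = true;
            return true;
        }

        /** Steps 2-3: on overall success, attach the principals that access-controls are keyed on. */
        @Override public boolean commit() {
            if (!succeeded) return false;
            subject.getPrincipals().add(new RolePrincipal(USERS.get(user)[1]));
            return true;
        }
        @Override public boolean abort() { succeeded = false; return true; }
        @Override public boolean logout() { subject.getPrincipals().clear(); return true; }
    }

    /** Programmatic equivalent of a login config file entry such as  WebApp { JaasDemo$DemoLoginModule required; };
     *  Swapping modules (LDAP, Kerberos, ...) changes only this, never the application code. */
    static Configuration config() {
        return new Configuration() {
            @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[]{new AppConfigurationEntry(
                    DemoLoginModule.class.getName(),
                    AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, Map.of())};
            }
        };
    }

    /** Supplies credentials to whatever callbacks the configured module asks for. */
    static CallbackHandler credentials(String user, String password) {
        return callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName(user);
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(password.toCharArray());
                else throw new UnsupportedCallbackException(cb);
            }
        };
    }

    /** Step 4: the access check, applied here in application code against the POLICY stand-in. */
    static boolean isAllowed(Subject s, String action) {
        return s.getPrincipals(RolePrincipal.class).stream()
                .anyMatch(p -> POLICY.getOrDefault(p.getName(), Set.of()).contains(action));
    }

    static String sha256(String s) {
        try {
            StringBuilder hex = new StringBuilder();
            for (byte b : MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8)))
                hex.append(String.format("%02x", b));
            return hex.toString();
        } catch (NoSuchAlgorithmException e) { throw new IllegalStateException(e); }
    }

    public static void main(String[] args) throws LoginException {
        // The application sees only a configuration name, a callback handler and the resulting Subject.
        LoginContext lc = new LoginContext("WebApp", null, credentials("bob", "bob-pw"), config());
        lc.login();
        Subject bob = lc.getSubject();
        System.out.println(bob.getPrincipals() + " read=" + isAllowed(bob, "read") + " write=" + isAllowed(bob, "write"));
        try {
            new LoginContext("WebApp", null, credentials("mallory", "guess"), config()).login();
        } catch (LoginException e) {
            System.out.println("login failed: " + e.getMessage());
        }
        lc.logout();
    }
}
```

Compile and run with `javac JaasDemo.java && java JaasDemo`. The presentation's step 4, where the Java runtime itself enforces the policy file, relies on the `SecurityManager` and `Subject.doAsPrivileged`; the `SecurityManager` has been deprecated for removal since Java 17 (JEP 411), which is why the example keeps the principal-based check in application code (`isAllowed`) while leaving the authentication side fully pluggable through `LoginContext`. Replacing `DemoLoginModule` with a vendor module changes only `config()`.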