Authentication and Authorization in web applications
Page 1
Authentication and Authorization in web applications
Presentation by:
Kaushal Kumar
Page 2
Need for “Auth & Auth” services
1. To allow only genuine users
2. To check for security risks like SQL injection
3. To generate various roles for various users
4. To enforce role-based access control
5. To make “auth & auth” independent of actual web-app development
Page 3
“Auth & Auth” frameworks as pluggable components!!!
Most widely used: “auth & auth” frameworks built on JAAS APIs
Page 4
JAAS
(Java Authentication and Authorization Service)
• Set of APIs provided by Sun, present in the “javax.security.xxx” packages
• a relatively new API: an extension in J2SE 1.3, a core API since J2SE 1.4, and now also part of the J2EE 1.3 specs
• an abstraction layer between application level code and disparate underlying auth & auth mechanisms
Page 5
A high-level overview of how JAAS achieves this pluggability
Taken from: article by J. Musser and P. Feuer on JavaWorld.com, 09/13/02
Page 6
Overall Workflow of an “auth & auth” framework
1. AUTHENTICATION:
Page 7
Overall Workflow of an “auth & auth” framework
2. AUTHORIZATION:
Step 1: User is authenticated
Step 2: Principal-based entries are read from the policy file
Step 3: The subject is associated with access controls
Step 4: On each subsequent security check, the Java runtime checks the access controls: access granted or access denied
Page 8
What does a web-app developer need to do?
1. Choose the login-modules based on the web-app specs
2. Get the jars and put them in the lib/classpath
3. Specify the login-modules in the Java security policy file
4. Specify roles and role-based access controls in the policy file
DONE !!!
Move on with the actual web-app development.
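The workflow of the last two slides, as an added Java example (not code from the presentation): a LoginContext authenticates the user through whatever login module the configuration names (step 1), and a permission check inside Subject.doAsPrivileged lets the Java runtime grant or deny access based on the policy file (steps 2 to 4). The login-module class, principal class, entry name and file paths are assumptions, and the classic SecurityManager/AccessController model shown here is deprecated from Java 17 onward.

```java
// Added example, not from the presentation. Assumed JAAS login config (jaas.config):
//   WebAppLogin { com.example.DbLoginModule required; };          // hypothetical module
// Assumed policy file (app.policy), keyed on the principal the module attaches:
//   grant principal com.example.RolePrincipal "reports-reader" {  // hypothetical principal
//       permission java.io.FilePermission "/var/app/reports/-", "read"; };
// Run with -Djava.security.manager -Djava.security.policy=app.policy -Djava.security.auth.login.config=jaas.config
import java.io.FilePermission;
import java.security.AccessControlException;
import java.security.AccessController;
import java.security.PrivilegedAction;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
public class JaasWorkflowDemo {
    // Hands credentials to the configured login module; the web-app never calls the module directly.
    static final class FixedCallbackHandler implements CallbackHandler {
        private final String user; private final char[] pass;
        FixedCallbackHandler(String user, char[] pass) { this.user = user; this.pass = pass; }
        @Override
        public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName(user);
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(pass);
                else throw new UnsupportedCallbackException(cb, "unsupported callback");
            }
        }
    }
    // Step 4 as a reusable check: the runtime consults the policy grants for the current subject.
    static boolean canRead(String path) {
        try {
            AccessController.checkPermission(new FilePermission(path, "read"));
            return true;   // access granted
        } catch (AccessControlException e) {
            return false;  // access denied
        }
    }
    public static void main(String[] args) throws LoginException {
        // Step 1: authenticate; "alice"/"s3cret" are constructed sample credentials.
        LoginContext lc = new LoginContext("WebAppLogin",
                new FixedCallbackHandler("alice", "s3cret".toCharArray()));
        lc.login();
        Subject subject = lc.getSubject();
        // Steps 2-3: running as the subject binds the principal-based policy entries to this code.
        Subject.doAsPrivileged(subject, (PrivilegedAction<Void>) () -> {
            System.out.println(canRead("/var/app/reports/q1.pdf") ? "access granted" : "access denied");
            return null;
        }, null);
        lc.logout();
    }
}
```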