Remote Authenticator /Authorizer

26
Remote Authenticator /Authorizer Instructor: 張張張 張張 Student: 張張張

description

Remote Authenticator /Authorizer. Instructor: 張顧耀 老師 Student: 曾冠樺. Author and Source. Author: Eduardo B. Fernandez and Reghu Warrier Dept. of Computer Science and Eng.Florida Atlantic University Boca Raton, FL, USA Source: PLoP 2003. Outline. Introduction Intent Example - PowerPoint PPT Presentation

Transcript of Remote Authenticator /Authorizer

Page 1: Remote Authenticator /Authorizer

Remote Authenticator /Authorizer

Instructor: 張顧耀 老師Student: 曾冠樺

Page 2: Remote Authenticator /Authorizer

Author and Source

Author:

Eduardo B. Fernandez and Reghu Warrier

Dept. of Computer Science and Eng.Florida

Atlantic University Boca Raton, FL, USA Source:

PLoP 2003

Page 3: Remote Authenticator /Authorizer

Outline

Introduction Intent Example Problem of this Example Forces Solution Implementation Consequence

Page 4: Remote Authenticator /Authorizer

Introduction

Many distributed systems need to access shared resources.

We need a secure and easily manageable authentication and authorization mechanism.

Page 5: Remote Authenticator /Authorizer

Introduction

We present here a pattern called remote authentication/authorization pattern.

This is a composite pattern consisting of two known patterns:

1. Proxy.

2. Role-Based Access Control.

Page 6: Remote Authenticator /Authorizer

Intent

Provide facilities for authentication and authorization when accessing shared resources in a loosely-coupled distributed system.

Page 7: Remote Authenticator /Authorizer

Example

A multinational corporation in the US and Brazil.

Assume an employee from the US is traveling to Brazil and has the need to access some data from the Brazilian database servers.

Page 8: Remote Authenticator /Authorizer

Example

There are two possible ways to achieve this

1. Replicate.

2. Borrow.

Both of these solutions have their disadvantages.

Page 9: Remote Authenticator /Authorizer

Problem of this example

How can we provide authentication and authorization in a distributed environment without the need for redundant user login information?

The changes of the consumer activities.

Page 10: Remote Authenticator /Authorizer

Forces

No more redundant.

Transparent.

Standardize the roles.

Keep the user ID.

Page 11: Remote Authenticator /Authorizer

Solution

Set up a single entry point that can transparently redirect the user to the correct server where his user login and access information can be validated.

Page 12: Remote Authenticator /Authorizer

Solution: Proxy Pattern

Definition:

Provide a surrogate or placeholder for another object to control access to it.

Page 13: Remote Authenticator /Authorizer

Solution: Proxy Pattern

{   // Mainapp test application

  class MainApp  {    static void Main()    {      // Create math proxy       MathProxy p = new MathProxy();

      // Do the math       Console.WriteLine("4 + 2 = " + p.Add(4, 2));      Console.WriteLine("4 - 2 = " + p.Sub(4, 2));      Console.WriteLine("4 * 2 = " + p.Mul(4, 2));      Console.WriteLine("4 / 2 = " + p.Div(4, 2));

      // Wait for user       Console.Read();    }  } 

Page 14: Remote Authenticator /Authorizer

Solution: Proxy Pattern   // "Subject"

  public interface IMath  {    double Add(double x, double y);    double Sub(double x, double y);    double Mul(double x, double y);    double Div(double x, double y);  }

  // "RealSubject"

  class Math : IMath  {    public double Add(double x, double y){return x + y;}    public double Sub(double x, double y){return x - y;}    public double Mul(double x, double y){return x * y;}    public double Div(double x, double y){return x / y;}  }

Page 15: Remote Authenticator /Authorizer

Solution: Proxy Pattern  // "Proxy Object"

  class MathProxy : IMath  {    Math math;

    public MathProxy()    {      math = new Math();    }

    public double Add(double x, double y)    {       return math.Add(x,y);     }    public double Sub(double x, double y)    {       return math.Sub(x,y);     }    public double Mul(double x, double y)    {       return math.Mul(x,y);     }    public double Div(double x, double y)    {       return math.Div(x,y);     }  }}

Page 16: Remote Authenticator /Authorizer

Solution: Role Based Access Control Pattern Problem:

Web-based systems have a variety of users: company employees, customers, partners, search engines, etc.

How to assign rights to users according to their roles.

Page 17: Remote Authenticator /Authorizer

Solution: Role Based Access Control Pattern Forces:

1. Different needs for access to information.

2. Storing.

3. Define precisely.

4. Users may have more than one role.

5. Hierarchies of roles, with inheritance of rights.

6. to individual users or to groups of users.

Page 18: Remote Authenticator /Authorizer

Solution: Role Based Access Control Pattern

Classes User and Role describe the registered users and the predefined roles, respectively. Users are assigned to roles, roles are given rights according to their functions. The association class Right defines the access types that a user within a role is authorized to apply to the protection object. In fact, the combination Role, ProtectionObject, and Right is an instance of the Authorization pattern.

Page 19: Remote Authenticator /Authorizer

Solution: Role Based Access Control Pattern

Page 20: Remote Authenticator /Authorizer

Solution

Page 21: Remote Authenticator /Authorizer

Implementation

Remote Authentication Dial-In User Service (RADIUS) is a widely deployed IETF protocol enabling centralized authentication, authorization, and accounting for network access

Page 22: Remote Authenticator /Authorizer

Implementation

Page 23: Remote Authenticator /Authorizer

Implementation

Page 24: Remote Authenticator /Authorizer

Consequence: Advantage

1. Roaming.

2. Store the user login and access rights at a single location.

3. The user's login ID, password etc. are stored in the internal RADIUS database or can be accessed from an SQL Database.

4. Transparent.

5. Units such as active cards [ACS] allow complex request/challenge interactions.

Page 25: Remote Authenticator /Authorizer

Consequence: Disadvantage

The additional messages used increase overhead, thus reducing performance for simple requests.

The system is more complex than a system that directly validates clients.

Page 26: Remote Authenticator /Authorizer

The End

Thank You!!!