The Raven Web Authentication Service Jon Warbrick University of Cambridge Computing Service...
Page 1
The Raven Web Authentication Service
Jon Warbrick, University of Cambridge Computing Service
jon.warbrick@ucs.cam.ac.uk
Page 2
What is it?
● Some software
– grandly entitled 'The University of Cambridge Web Authentication System' (ucam-webauth)
● A centrally-managed authentication server
– the real 'Raven'
● What does it give you?
– an authenticated identity for a web browser user
● Why authentication, why ANOTHER system?
Page 3
Why do we need authentication?
● Much of the time we don't and shouldn't
– the web succeeded because it was free
● But sometimes we do
– to control access
– so we know who we are talking to
– to provide customisation, user privacy, etc.
● AAA - Access control, Authentication, Authorization
Page 4
IP address-based and DNS name-based
● Only does access control
● Too lax
– just who has access to a .cam.ac.uk host?
– open proxies
● Too restrictive
– working at home, in another department, etc.
● But in practice it's all we've got...
– ... at the moment
Page 5
Public/private keys and PKI
● Client keys/certificates supported in https:
● But https: can be overkill
● Transporting keys is tricky:
– Please memorise your new 1024-bit private key:
– [the slide shows the full base64-encoded private key here; omitted]
Page 6
So that leaves us with passwords
● Passwords are well known but little understood
● Users accumulate user-name/password pairs
– which they can't remember
– so they use the same ones in lots of different places
● Administrators have to create, issue, re-issue and revoke accounts
Page 7
Passwords (cont)
● HTTP 'Basic authentication'
● Form-based authentication
– send unencrypted passwords in clear
– this can be resolved with https:
– but we've already said https: can be overkill
● HTTP 'Digest authentication' resolves many problems, but has others of its own
Page 8
A central password server?
● Web server asks user for user-name/password
● Web server sends user-name/password for validation to central server
● If validation succeeds, the web server gives the user the resource they want
● ... and can now impersonate the user on every other web server in the system
Page 9
... and so to Raven
● It's a ...
– ... centrally managed ...
– ... password based ...
– ... authentication service for web applications ...
– ... that doesn't give away users' passwords
● Relies on features of HTTP and common browsers, hence limited to web contexts
Page 10
How does it work?
Page 11
Start with a web browser
Diagram participant: Browser [br]
Page 12
User requests a URL
Adds Web Server [ws]
1. br → ws : URL
Page 13
Web server redirects to auth service
2. ws → br : redirect(authURL+request(URL))
Page 14
Browser contacts auth service
Adds Auth Server [as]
3. br → as : authURL+request(URL)
Page 15
Auth service and user interact
4, 5. as ↔ user (the login dialogue; the diagram shows no protocol message for these steps)
Page 16
Auth service redirects to URL+response
6. as → br : set_cookie(id), redirect(URL+response(id))
(* in the diagram: the browser now holds the auth-server cookie)
Page 17
Browser requests URL+response
7. br → ws : URL+response(id)
Page 18
Web server redirects to original URL
8. ws → br : set_cookie(id), redirect(URL)
(* *: the browser now holds both the auth-server cookie and the web-server cookie)
Page 19
Browser requests URL (again)
9. br → ws : URL, cookie(id)
Page 20
and then...
● Subsequent requests to WS authenticated by the local cookie, until it expires
● Subsequent visits to AS can be partially or completely satisfied by the AS cookie until it expires
● The best way to logout is to quit the browser
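As an added example (not code from the deck or from ucam-webauth), a Python model of the nine-step exchange on pages 12 to 19 and the cookie behaviour on page 20: the web server only ever receives a signed identity response bound to the URL it was asked for, never the password, and then issues its own keyed, expiring cookie. The HMAC-based response and cookie formats, AUTH_URL, the user id and the keys are assumptions made to keep the model self-contained; the real message formats are in waa2wls-protocol.txt.

```python
import hashlib, hmac, time
from urllib.parse import urlencode, parse_qs, urlsplit

AUTH_URL = "https://auth.example/wls"   # constructed stand-in for authURL

def _sign(key, *fields):
    # Assumption: HMAC-SHA256 over '!'-joined fields stands in for Raven's signature
    return hmac.new(key, "!".join(fields).encode(), hashlib.sha256).hexdigest()

class AuthServer:
    """The only party that ever sees a password; issues signed identity responses."""
    def __init__(self, key, passwords):
        self.key, self.passwords = key, passwords

    def login(self, auth_request_url, userid, password):
        # steps 4-5: the user talks to the auth service, never to the web server
        if self.passwords.get(userid) != password:
            return None
        target = parse_qs(urlsplit(auth_request_url).query)["url"][0]
        issue = str(int(time.time()))
        sig = _sign(self.key, userid, target, issue)      # response is bound to the URL
        # step 6: redirect(URL+response(id))
        return target + "?" + urlencode({"id": userid, "issue": issue, "sig": sig})

class WebServer:
    """Never handles a password; accepts an identity only from a verified response."""
    def __init__(self, auth_key, cookie_key, life=600):
        self.auth_key, self.cookie_key, self.life = auth_key, cookie_key, life

    def request(self, url, cookie=None):
        """Returns (status, location, cookie) for one browser request."""
        base, _, query = url.partition("?")
        q = parse_qs(query)
        if cookie and self._cookie_ok(cookie):
            return ("200", base, cookie)                  # step 9: local cookie suffices
        if "sig" in q:                                    # step 7: URL+response(id)
            userid, issue, sig = q["id"][0], q["issue"][0], q["sig"][0]
            fresh = time.time() - int(issue) < 30         # stale responses are refused
            ok = hmac.compare_digest(sig, _sign(self.auth_key, userid, base, issue))
            if ok and fresh:
                exp = str(int(time.time()) + self.life)
                cookie = "!".join([userid, exp, _sign(self.cookie_key, userid, exp)])
                return ("302", base, cookie)              # step 8: set_cookie, redirect(URL)
            return ("403", None, None)
        # step 2: redirect to the auth service, carrying the requested URL
        return ("302", AUTH_URL + "?" + urlencode({"url": base}), None)

    def _cookie_ok(self, cookie):
        # the local cookie is keyed with an AACookieKey-style secret and expires
        userid, exp, sig = cookie.split("!")
        valid = hmac.compare_digest(sig, _sign(self.cookie_key, userid, exp))
        return valid and int(exp) > time.time()
```

A response altered to name another user or presented at a different URL fails verification, and once the local cookie expires the web server starts the redirect again, matching "until it expires" on page 20.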
Page 21
So what does all this look like?
Page 22
Request http://mnementh.csi.cam.ac.uk/raven-test/new-open/document1.html
Page 23
Enter user-id and password and click 'Submit' to get:
Page 24
Request http://mnementh.csi.cam.ac.uk/raven-test/new-open/document2.html
Page 25
Request http://raven.cam.ac.uk/project/testfiles/document1.html
Page 26
Enter user-id and password and click 'Submit' to get:
Page 27
Timeout: return to our first document later:
Page 28
Click 'Continue' to get:
Page 29
Request http://mnementh.csi.cam.ac.uk/raven-test/private/document1.html
Page 30
Click 'Continue' and get:
Page 31
Click 'Cancel' anywhere and get:
Page 32
Choose 'override login options':
Page 33
... and get
Page 34
Account management:
Page 35
Account management:
Page 36
Account management:
Page 37
What doesn't it do?
● Authorization
● People without CRSids
● POST requests (properly, yet)
● Central logout
● Anything that isn't web-based
● Security
Page 38
How do you use it?
● Protocol specification: http://raven.cam.ac.uk/project/waa2wls-protocol.txt
● Pseudo-code Application Agent: http://raven.cam.ac.uk/project/algorithm.txt
● ... but that's the hard way
Page 39
Apache
● mod_ucam_webauth (for Apache 1.3 and 2)
● Example configuration:

```apache
LoadModule ucam_webauth_module modules/mod_ucam_webauth.so
# secret used to protect this server's own session cookie
AACookieKey afef845ce49666ab04b36976a

<Directory "/cam-only">
    Order allow,deny
    Allow from .cam.ac.uk
    AuthType WebAuth
    Require valid-user
    # Satisfy any: a .cam.ac.uk address is enough, otherwise a Raven login is required
    Satisfy any
    AADescription 'Cam-only area'
</Directory>
```
Page 40
Apache (cont)
● Also supports
– Require user jw35, rjd4
– Require group cs-staff
– Satisfy any
● Sets REMOTE_USER environment variable (just like basic auth) and others
● Should be able to use group files, DBM files, databases, ...
Page 41
Perl CGI script

```perl
#!/usr/bin/perl -w
use Ucam::WebAuth::CGIAA;
# cookie_key signs this server's local session cookie; keep it secret
my $aa = Ucam::WebAuth::CGIAA->new (cookie_key => 'eb78ba43b0222f28498');
# Run the redirect flow: $headers holds any redirect/Set-Cookie headers to emit
my ($complete, $headers) = $aa->authenticate;
print $headers if $headers;
exit unless $complete;      # not yet authenticated: the browser is being redirected
# authenticated identity of the browser user
my $userid = $aa->principal if $aa->success;
```
Page 42
... and more
● A beta release of a PHP module – needs work – any volunteers?
● A JAAS implementation for Java servlet containers (e.g. Tomcat) by CARET
● A Ruby implementation by Thomas Counsell of Clare College
● Anyone for IIS ?
Page 43
The project plan
● Now
– Available on request for testing and pilot deployments
● Late June (perhaps July...)
– Passwords available to everyone
– Available to all cam.ac.uk web servers
● 1 September 2004
– Supported service
Page 44
Where do you go from here?
● Pilots
● Deployment from June
● Consider expanding 'ucam-only' access
● http://www.cam.ac.uk/cs/raven/
● [email protected]
Page 45
If you have been, thanks for listening
I expect you have some questions