
Authentication and Authorization in web applications


Presentation Transcript


  1. Authentication and Authorization in web applications. Presentation by: Kaushal Kumar kk2457@columbia.edu

  2. Need for “auth & auth” services • To admit only genuine users (authentication) • To avoid security risks such as SQL injection in hand-written login queries, by centralising credential checks in a vetted component • To define roles for the different classes of users • To enforce role-based access control (authorization) • To keep “auth & auth” independent of the actual web-app development

  3. “Auth & auth” frameworks as pluggable components. In the Java world the most widely used ones are built on the JAAS APIs.

  4. JAAS (Java Authentication and Authorization Service) • A set of APIs from Sun, in the javax.security.auth package and its sub-packages (callback, login, spi) • A relatively new API: an optional extension for J2SE 1.3, a core API since J2SE 1.4, and now also part of the J2EE 1.3 specification • An abstraction layer between application-level code and the disparate underlying authentication and authorization mechanisms (a password file, LDAP, Kerberos, ...)

  5. A high-level overview of how JAAS achieves this pluggability (diagram). Taken from the article by J. Musser and P. Feuer on JavaWorld.com, 09/13/02.

  6. Overall workflow of an “auth & auth” framework, part 1: AUTHENTICATION

  7. Overall workflow of an “auth & auth” framework, part 2: AUTHORIZATION • Step 1: The user is authenticated • Step 2: Principal-based grant entries are read from the policy file • Step 3: The Subject, with its Principals, is associated with those access controls • Step 4: On each subsequent security check the Java runtime evaluates the access controls and either grants or denies access

  8. What does a web-app developer need to do? • Choose the login modules that fit the web-app's requirements • Get the jars and put them on the classpath (lib/) • Name the login modules, with their control flags (required, sufficient, ...), in the JAAS login configuration file (java.security.auth.login.config), not in the policy file • Specify roles (as Principal classes) and their role-based access controls in the Java security policy file • Done: move on with the actual web-app development
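The following is an added example, not code from the presentation or from JAAS itself, that walks through slides 6, 7 and 8 end to end: a pluggable LoginModule authenticates a user and attaches a role Principal to the Subject, a policy grants a permission to that Principal, and a later AccessController check is granted or denied purely on the basis of which Principals are on the stack. Every name in it (JaasDemo, DemoLoginModule, RolePrincipal, RolePolicy, the users alice and bob, the permission app.secret) is illustrative, the user table is constructed with plaintext passwords for brevity, and the login configuration and policy are built in code rather than read from files; the equivalent file entries are given in comments. It compiles with JDK 9 through 23 (with deprecation warnings from 17 on); JDK 24 (JEP 486) permanently disables the Policy/AccessController machinery, so there only the LoginModule half survives and the role check must be done by inspecting the Subject's principals directly.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Map;
import java.util.PropertyPermission;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

/** Added example (not from the slides): JAAS login, then a principal-based permission check. */
public class JaasDemo {

    /** A "role" in JAAS terms is just a Principal class the policy can name. */
    public static final class RolePrincipal implements Principal {
        private final String name;
        public RolePrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public boolean equals(Object o) { return o instanceof RolePrincipal && ((RolePrincipal) o).name.equals(name); }
        @Override public int hashCode() { return name.hashCode(); }
        @Override public String toString() { return "RolePrincipal(" + name + ")"; }
    }

    /** Pluggable LoginModule. USERS is a constructed table: password, role.
     *  A real module would verify a salted hash against a directory or database. */
    public static final class DemoLoginModule implements LoginModule {
        private static final Map<String, String[]> USERS = Map.of(
                "alice", new String[] {"alice-pw", "admin"},
                "bob",   new String[] {"bob-pw",   "user"});
        private Subject subject;
        private CallbackHandler handler;
        private String role;
        private boolean succeeded;

        @Override public void initialize(Subject subject, CallbackHandler handler, Map<String, ?> shared, Map<String, ?> options) {
            this.subject = subject;
            this.handler = handler;
        }

        @Override public boolean login() throws LoginException {
            NameCallback nc = new NameCallback("user: ");
            PasswordCallback pc = new PasswordCallback("password: ", false);
            try {
                handler.handle(new Callback[] {nc, pc});   // the framework asks the application for credentials
            } catch (IOException | UnsupportedCallbackException e) {
                throw new LoginException("cannot collect credentials: " + e);
            }
            String name = nc.getName();
            String[] record = name == null ? null : USERS.get(name);
            char[] pw = pc.getPassword() == null ? new char[0] : pc.getPassword();
            pc.clearPassword();
            byte[] expected = record == null ? new byte[0] : record[0].getBytes(StandardCharsets.UTF_8);
            byte[] given = new String(pw).getBytes(StandardCharsets.UTF_8);
            // MessageDigest.isEqual is constant-time; one generic message so we do not leak which field was wrong
            if (record == null || !MessageDigest.isEqual(expected, given)) {
                throw new FailedLoginException("invalid user name or password");
            }
            role = record[1];
            succeeded = true;
            return true;
        }
        @Override public boolean commit() {            // phase 2: attach the Principals to the Subject
            if (succeeded) subject.getPrincipals().add(new RolePrincipal(role));
            return succeeded;
        }
        @Override public boolean abort() { succeeded = false; role = null; return true; }
        @Override public boolean logout() { subject.getPrincipals().removeIf(p -> p instanceof RolePrincipal); return true; }
    }

    /** Login configuration built in code. The file form (java.security.auth.login.config) would be:
     *    DemoApp { JaasDemo$DemoLoginModule required; }; */
    static final Configuration LOGIN_CONFIG = new Configuration() {
        @Override public AppConfigurationEntry[] getAppConfigurationEntry(String appName) {
            return new AppConfigurationEntry[] {new AppConfigurationEntry(DemoLoginModule.class.getName(),
                    AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, Map.of())};
        }
    };

    /** Policy built in code. The policy-file form of the same grant would be:
     *    grant principal JaasDemo$RolePrincipal "admin" { permission java.util.PropertyPermission "app.secret", "read"; }; */
    static final class RolePolicy extends Policy {
        private static final Permission SECRET = new PropertyPermission("app.secret", "read");
        @Override public boolean implies(ProtectionDomain domain, Permission perm) {
            for (Principal p : domain.getPrincipals()) {
                if (p instanceof RolePrincipal && p.getName().equals("admin") && SECRET.implies(perm)) return true;
            }
            return false;                              // everything not granted explicitly is denied
        }
    }

    static Subject login(String user, String password) throws LoginException {
        CallbackHandler handler = callbacks -> {       // the application's side of the credential exchange
            for (Callback c : callbacks) {
                if (c instanceof NameCallback) ((NameCallback) c).setName(user);
                else if (c instanceof PasswordCallback) ((PasswordCallback) c).setPassword(password.toCharArray());
                else throw new UnsupportedCallbackException(c);
            }
        };
        LoginContext lc = new LoginContext("DemoApp", new Subject(), handler, LOGIN_CONFIG);
        lc.login();                                    // runs DemoLoginModule.login(), then commit() or abort()
        return lc.getSubject();
    }

    /** Authorization: run the check with the Subject's Principals attached to the calling domain. */
    static boolean canReadSecret(Subject subject) {
        try {
            Subject.doAsPrivileged(subject, (PrivilegedAction<Void>) () -> {
                AccessController.checkPermission(new PropertyPermission("app.secret", "read"));
                return null;
            }, null);
            return true;
        } catch (AccessControlException denied) {
            return false;
        }
    }

    public static void main(String[] args) throws LoginException {
        Policy.setPolicy(new RolePolicy());            // slide 7, step 2: principal-based entries take effect
        Subject alice = login("alice", "alice-pw");
        Subject bob = login("bob", "bob-pw");
        System.out.println("alice " + alice.getPrincipals() + " may read app.secret: " + canReadSecret(alice));
        System.out.println("bob   " + bob.getPrincipals() + " may read app.secret: " + canReadSecret(bob));
        try {
            login("bob", "wrong");
        } catch (FailedLoginException e) {
            System.out.println("bob/wrong: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac JaasDemo.java && java JaasDemo`. The point worth noticing is that the web-app code in canReadSecret never mentions a role or a user: it asks for a permission, and who holds it is decided entirely by the Principals the LoginModule attached and by the policy, which is exactly the separation slides 7 and 8 promise. Passing null as the AccessControlContext to doAsPrivileged means only the caller's own domain, with the Subject's Principals, is on the stack, so the outcome does not depend on what else is higher up the call chain.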
