User Authentication Over the Web

First, let's review the standard user authentication mechanisms for Web applications. There are two: HTTP Basic Authentication and SSL V3 (or TLS) Client Certificate Authentication.

The basic authentication protocol, also referred to as "name and password authentication," is defined as part of HTTP. It specifies that a server can request authentication (challenge) in response to any request from a client, by returning a 401 response carrying a WWW-Authenticate header, and requires the user agent (browser) to provide a name and password in the Authorization header of the subsequent request. The server's challenge names a server-specified realm (a text label), and the credentials are only valid for that realm. (A realm can be thought of as a protection space: the set of URLs on the same host whose path lies at or below the path of the URL that was challenged.) The user agent may send the name and password in the request headers for other URLs in the same realm without being challenged again by the server. (In fact, most browsers do this to avoid repeatedly prompting the user for the name and password, which also means the credentials travel with every request to that realm for the rest of the browser session.)

Note that basic authentication should only be done over an encrypted connection, using SSL/TLS for example. The userid and password are placed in the HTTP request header in a simple Base64 encoding, and Base64 is an encoding, not encryption: anyone who can observe the request can decode the header and recover the password.
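The following Go program is added here as an illustration and is not code from the book or from Domino or WebSphere. It shows what a server does with a Basic Authentication header: it issues the challenge with a realm, decodes the Base64 credentials (exactly what an eavesdropper would do on an unencrypted connection) and verifies the password in constant time. The user table, the realm name "Secure Area" and the example.test URL are constructed for the example.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Constructed user table. Passwords are stored as SHA-256 hashes so the table
// itself never holds cleartext; a real deployment would use a slow, salted
// scheme such as bcrypt, which this stdlib-only example avoids.
var users = map[string][32]byte{
	"alice": sha256.Sum256([]byte("s3cret")),
}

// parseBasic extracts the user name and password from an Authorization
// header value. Base64 is a reversible encoding, not encryption: this is
// exactly what an eavesdropper on a non-TLS connection would do.
func parseBasic(header string) (user, pass string, err error) {
	scheme, rest, ok := strings.Cut(header, " ")
	if !ok || !strings.EqualFold(scheme, "Basic") {
		return "", "", errors.New("not a Basic credential")
	}
	raw, err := base64.StdEncoding.DecodeString(strings.TrimSpace(rest))
	if err != nil {
		return "", "", err
	}
	// RFC 7617: the user name may not contain ':'; the password may.
	user, pass, ok = strings.Cut(string(raw), ":")
	if !ok {
		return "", "", errors.New("missing ':' separator")
	}
	return user, pass, nil
}

// checkPassword compares hashes in constant time, so response timing does
// not reveal how many bytes of the guess were right or whether the user
// exists (an unknown user is compared against an all-zero hash).
func checkPassword(user, pass string) bool {
	want, known := users[user]
	got := sha256.Sum256([]byte(pass))
	return subtle.ConstantTimeCompare(want[:], got[:]) == 1 && known
}

// handler challenges any request lacking valid credentials and names the
// realm the credentials are good for; a browser that has them will send
// them on later requests below this path without being challenged again.
func handler(w http.ResponseWriter, r *http.Request) {
	user, pass, err := parseBasic(r.Header.Get("Authorization"))
	if err != nil || !checkPassword(user, pass) {
		w.Header().Set("WWW-Authenticate", `Basic realm="Secure Area", charset="UTF-8"`)
		http.Error(w, "authentication required", http.StatusUnauthorized)
		return
	}
	fmt.Fprintf(w, "hello, %s", user)
}

// request drives the handler with one GET (against a constructed HTTPS URL,
// no network involved) and returns status, challenge header and body.
func request(user, pass string) (status int, challenge, body string) {
	req := httptest.NewRequest("GET", "https://example.test/secure/report", nil)
	if user != "" {
		req.SetBasicAuth(user, pass) // sends "Basic " + base64(user:pass)
	}
	rec := httptest.NewRecorder()
	handler(rec, req)
	return rec.Code, rec.Header().Get("WWW-Authenticate"), rec.Body.String()
}

func main() {
	fmt.Println(request("", ""))            // 401 plus the realm challenge
	fmt.Println(request("alice", "wrong"))  // 401 again
	fmt.Println(request("alice", "s3cret")) // 200, hello, alice
}
```

The 401 response carries the realm in WWW-Authenticate; the browser stores the credentials against that realm and path and replays them on later requests, so the only thing standing between the password and a network observer is the encrypted connection.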

Client certificate authentication is defined as part of the SSL V3 and TLS protocols. When used with HTTP over SSL/TLS ("HTTPS"), the server asks for a certificate during the SSL/TLS handshake, before any HTTP request is sent, and the client sends an X.509 certificate representing the user as part of that handshake (not in the HTTP request header). The X.509 certificate contains the user's name and public key and is signed by a Certificate Authority (CA). The server verifies the client certificate; that is, it checks the CA signature (so that it can trust that the public key belongs to the named user), checks that the certificate is within its validity period and has not been revoked, and then verifies the user's identity by checking that the client system possesses the private key associated with the public key (the client signs handshake data with its private key, and the server checks that signature with the public key from the certificate). After this verification process, the server can simply authorize the client's access to the server or its resources based on the authenticated user name. In other words, once the SSL certificate authentication processing has determined that the client is who they say they are, the server simply verifies that the user name is known to it as an authorized user.
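The verification steps above, as an added example in Go (not code from the book or from the IBM products): a constructed CA issues client certificates; the server checks the chain to its trusted CA and the certificate's extended key usage, checks proof of possession of the private key (here a signature over a server-chosen nonce; a real SSL/TLS handshake signs the handshake transcript in its CertificateVerify message), and only then looks the certificate's name up in an authorization list. The CA names, user names and the allow list are all constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// must panics on error; it keeps the constructed-CA plumbing below readable.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

var serial int64 // constructed serial counter; real CAs use random serials

// issue mints a certificate for cn: self-signed (a CA) when parent == nil,
// otherwise signed with parentKey, i.e. that CA vouches for cn's public key.
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// proveKey is the client's half: sign a server-chosen nonce with the private
// key matching the certificate (a real handshake signs the transcript instead).
func proveKey(key *ecdsa.PrivateKey, nonce []byte) []byte {
	digest := sha256.Sum256(nonce)
	return must(ecdsa.SignASN1(rand.Reader, key, digest[:]))
}

// authenticate is the server's half: the certificate must chain to a trusted
// CA, be valid now and be allowed for client authentication; the client must
// prove possession of the certified key; only then is the name authorized.
func authenticate(cert *x509.Certificate, trusted *x509.CertPool, nonce, sig []byte, authorized map[string]bool) (string, error) {
	opts := x509.VerifyOptions{Roots: trusted, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return "", fmt.Errorf("certificate not trusted: %w", err)
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	digest := sha256.Sum256(nonce)
	if !ok || !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return "", errors.New("client does not hold the certified private key")
	}
	user := cert.Subject.CommonName
	if !authorized[user] {
		return "", fmt.Errorf("user %q is not authorized", user)
	}
	return user, nil
}

// demo builds a trusted CA and a rogue CA, runs four client scenarios and
// returns each one's error (nil means access granted).
func demo() map[string]error {
	ca, caKey := issue("Example CA", true, nil, nil)
	trusted := x509.NewCertPool()
	trusted.AddCert(ca)
	alice, aliceKey := issue("alice", false, ca, caKey)
	bob, bobKey := issue("bob", false, ca, caKey)
	rogueCA, rogueKey := issue("Rogue CA", true, nil, nil)
	fakeAlice, fakeKey := issue("alice", false, rogueCA, rogueKey) // right name, untrusted issuer
	authorized := map[string]bool{"alice": true}
	nonce := make([]byte, 32)
	rand.Read(nonce)
	results := map[string]error{}
	_, results["alice"] = authenticate(alice, trusted, nonce, proveKey(aliceKey, nonce), authorized)
	_, results["bob"] = authenticate(bob, trusted, nonce, proveKey(bobKey, nonce), authorized) // valid, not authorized
	_, results["rogue CA"] = authenticate(fakeAlice, trusted, nonce, proveKey(fakeKey, nonce), authorized)
	_, results["stolen cert"] = authenticate(alice, trusted, nonce, proveKey(bobKey, nonce), authorized) // alice's cert, wrong key
	return results
}

func main() {
	for name, err := range demo() {
		fmt.Printf("%-12s -> %v\n", name, err)
	}
}
```

In Go, an HTTPS server gets the same chain and proof-of-possession checks from the runtime by setting ClientAuth to tls.RequireAndVerifyClientCert and ClientCAs to the trusted pool in its tls.Config; what remains for the application is the final authorization step on the certificate's name. Revocation checking (CRL or OCSP) is not shown here.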

In addition to these authentication mechanisms, there are mechanisms used to persist the user's authentication across the requests of an HTTP session, so that the user is not authenticated anew on every request. These are referred to as "session-based authentication" mechanisms and usually make use of an authentication token, which is issued by the server after a successful login and kept by the browser. The most common way tokens are maintained between the browser and server is to store the token in an HTTP "cookie." Because whoever presents the token is treated as the user, the cookie needs the same protection as the password it replaces: it should be sent only over encrypted connections, kept out of reach of page scripts, and given a limited lifetime. Both Domino and WebSphere support session-based authentication.
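An added example, not from the book or from Domino or WebSphere, of a session token carried in a cookie: the server binds the authenticated user name and an expiry time under an HMAC so that the browser can present the token but cannot alter it, stores it in a cookie marked Secure and HttpOnly, and rejects forged, expired and missing tokens. The signing key, cookie name and example.test URL are constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strconv"
	"strings"
	"time"
)

var tokenKey = []byte("constructed-32-byte-demo-key-000") // constructed; in production load from a secret store and rotate
const cookieName = "SESSION"

func mac(payload string) []byte {
	m := hmac.New(sha256.New, tokenKey)
	m.Write([]byte(payload))
	return m.Sum(nil)
}

// issueToken binds user name and expiry under an HMAC so the browser cannot alter either.
func issueToken(user string, expires time.Time) string {
	payload := base64.RawURLEncoding.EncodeToString([]byte(user + "|" + strconv.FormatInt(expires.Unix(), 10)))
	return payload + "." + base64.RawURLEncoding.EncodeToString(mac(payload))
}

// verifyToken returns the user name if the token is authentic and unexpired;
// the MAC is checked (in constant time) before the payload is parsed.
func verifyToken(token string, now time.Time) (string, error) {
	payload, sig, ok := strings.Cut(token, ".")
	got, err := base64.RawURLEncoding.DecodeString(sig)
	if !ok || err != nil || !hmac.Equal(got, mac(payload)) {
		return "", errors.New("bad signature")
	}
	raw, err := base64.RawURLEncoding.DecodeString(payload)
	user, expStr, ok := strings.Cut(string(raw), "|")
	exp, perr := strconv.ParseInt(expStr, 10, 64)
	if err != nil || !ok || perr != nil {
		return "", errors.New("malformed payload")
	}
	if !now.Before(time.Unix(exp, 0)) {
		return "", errors.New("token expired")
	}
	return user, nil
}

// setSession stores the token in a cookie that only travels over TLS (Secure),
// is invisible to page script (HttpOnly) and is withheld from cross-site requests.
func setSession(w http.ResponseWriter, token string, expires time.Time) {
	http.SetCookie(w, &http.Cookie{
		Name: cookieName, Value: token, Path: "/", Expires: expires,
		Secure: true, HttpOnly: true, SameSite: http.SameSiteLaxMode,
	})
}

// protected serves only requests that carry a valid session cookie.
func protected(w http.ResponseWriter, r *http.Request) {
	c, err := r.Cookie(cookieName)
	if err != nil {
		http.Error(w, "no session", http.StatusUnauthorized)
		return
	}
	user, err := verifyToken(c.Value, time.Now())
	if err != nil {
		http.Error(w, "invalid session: "+err.Error(), http.StatusUnauthorized)
		return
	}
	fmt.Fprintf(w, "hello, %s", user)
}

// visit drives protected with one request carrying the given cookie value
// (empty = no cookie) and returns the status code; no network is involved.
func visit(token string) int {
	req := httptest.NewRequest("GET", "https://example.test/app", nil)
	if token != "" {
		req.AddCookie(&http.Cookie{Name: cookieName, Value: token})
	}
	rec := httptest.NewRecorder()
	protected(rec, req)
	return rec.Code
}

// scenarios returns the status for a valid token, a forgery that pairs an
// "admin" payload with alice's genuine MAC, an expired token and no token.
func scenarios() map[string]int {
	valid := issueToken("alice", time.Now().Add(30*time.Minute))
	adminPayload, _, _ := strings.Cut(issueToken("admin", time.Now().Add(30*time.Minute)), ".")
	_, aliceMAC, _ := strings.Cut(valid, ".")
	return map[string]int{
		"valid":   visit(valid),
		"forged":  visit(adminPayload + "." + aliceMAC),
		"expired": visit(issueToken("alice", time.Now().Add(-time.Minute))),
		"none":    visit(""),
	}
}

func main() {
	fmt.Println(scenarios())
}
```

The token is a bearer credential: whoever presents it is the user, so it needs the same transport protection as the password it replaces. The Secure flag keeps it off cleartext connections and HttpOnly keeps it out of reach of script; a server-side session store with an explicit logout would add the ability to revoke a token before it expires.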



IBM(R) WebSphere(R) and Lotus: Implementing Collaborative Solutions
ISBN: 0131443305
Year: 2003
Pages: 169