2.7 Conclusions

In the early days of the WWW, it was assumed that the resources made available by Web servers were inherently public and that there would be no need for such things as user authentication, authorization, and access control. Since then, however, the situation has changed fundamentally, and the WWW is also used for the distribution of protected material. Consequently, there is an urgent need for proper user authentication, authorization, and access control mechanisms.

The simplest mechanism to control access to Web resources is to use hidden URLs. Also, most Web servers can be configured to restrict access to a particular group of computers based on those computers' address information (IP addresses or DNS hostnames). Most importantly, some Web servers provide support for the HTTP user authentication and authorization schemes that are described in this chapter: HTTP basic authentication and HTTP digest access authentication. Unfortunately, the HTTP digest access authentication scheme is not widely deployed. This is because HTTP digest access authentication is always less secure than a full-fledged cryptographic security protocol, such as SSL or TLS. Consequently, some browsers implement SSL or TLS and leave aside HTTP digest access authentication. As mentioned in this chapter and further addressed in Chapter 6, SSL and TLS employ certificate-based authentication mechanisms.

In practice, many Web servers are configured to allow access to all users from computers located on the same network (i.e., intranet), whereas they allow access to other users only after proper authentication and authorization. For example, the .htaccess file of an Apache Web server could be extended as follows:

    AuthType Basic
    AuthName "HTTP Basic Authentication Demo"
    AuthUserFile /home/esecurity.ch/conf/passwords
    AuthGroupFile /home/esecurity.ch/conf/groups
    Require valid-user
    Allow from esecurity.ch
    Satisfy any

The extension (i.e., the Allow and Satisfy directives) would make sure that either a valid user is requesting the resource (i.e., the Require valid-user directive), or the request is originating from the esecurity.ch domain (i.e., the Allow from esecurity.ch directive). [17] It is also possible to deny access for specific computers using the Deny directive, and to define an order of preference between the Allow and Deny directives using the Order directive. In general, any access control condition of this kind can be expressed with the Allow, Deny, Order, and Satisfy directives.

[17] The satisfy any directive says that either of the two conditions must hold.
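The decision the directives above express can be modeled in a few lines, which also exposes one detail worth checking before deploying such a fragment. The following Python script is an added illustration, not code from the book or from the Apache project: it models the Apache 2.2-era mod_access/mod_authz_host semantics (Order defaults to Deny,Allow, under which a client that matches no Deny directive is allowed), verifies an HTTP basic authentication header against a constructed user database in the {SHA} htpasswd form, and combines the two results according to Satisfy any or Satisfy all. The policy named PAGE_POLICY transcribes the fragment above (no Order directive); STRICT_POLICY adds Order allow,deny. The user name, password, and host names are constructed sample values.

```python
import base64
import hashlib
import hmac
from dataclasses import dataclass, field


def sha_entry(password):
    """Password entry in the {SHA} form htpasswd can write: base64 of the raw
    SHA-1 digest (demo only; a modern deployment would use a slow hash)."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


# Constructed sample account, standing in for the AuthUserFile.
USER_DB = {"alice": sha_entry("correct horse")}


def make_basic_header(user, password):
    """Build the 'Authorization: Basic ...' value a browser would send."""
    raw = f"{user}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def check_basic_auth(header, user_db=USER_DB):
    """Return the user name if the Basic credentials verify, else None."""
    if not header:
        return None
    scheme, _, credentials = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(credentials, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
        return None
    user, sep, password = decoded.partition(":")   # userid ":" password
    stored = user_db.get(user)
    if not sep or stored is None:
        return None
    return user if hmac.compare_digest(sha_entry(password), stored) else None


@dataclass
class HostPolicy:
    """Allow / Deny / Order as in Apache 2.2 mod_authz_host (default Order is Deny,Allow)."""
    allow: list = field(default_factory=list)
    deny: list = field(default_factory=list)
    order: str = "deny,allow"


def host_matches(rule, host):
    """'all', a full host name, or a domain suffix matched on component boundaries."""
    if rule == "all":
        return True
    if rule.startswith("."):
        return host.endswith(rule)
    return host == rule or host.endswith("." + rule)


def host_allowed(policy, remote_host):
    allowed = any(host_matches(r, remote_host) for r in policy.allow)
    denied = any(host_matches(r, remote_host) for r in policy.deny)
    if policy.order == "deny,allow":
        return allowed or not denied      # access allowed by default
    if policy.order == "allow,deny":
        return allowed and not denied     # access denied by default
    raise ValueError(f"unknown Order {policy.order!r}")


def access_decision(satisfy, remote_host, auth_header, policy, user_db=USER_DB):
    """Combine the host test and Require valid-user as Satisfy any/all does."""
    host_ok = host_allowed(policy, remote_host)
    user = check_basic_auth(auth_header, user_db)
    if satisfy == "any":
        return host_ok or user is not None
    if satisfy == "all":
        return host_ok and user is not None
    raise ValueError(f"unknown Satisfy {satisfy!r}")


# The fragment from the page: Allow from esecurity.ch, no Order directive.
PAGE_POLICY = HostPolicy(allow=["esecurity.ch"])
# Tightened variant: with Order allow,deny, hosts outside esecurity.ch fail the host test.
STRICT_POLICY = HostPolicy(allow=["esecurity.ch"], order="allow,deny")

if __name__ == "__main__":
    good = make_basic_header("alice", "correct horse")
    cases = [("www.esecurity.ch", None), ("guest.example.net", None), ("guest.example.net", good)]
    for name, policy in (("page", PAGE_POLICY), ("strict", STRICT_POLICY)):
        for host, hdr in cases:
            who = "authenticated" if hdr else "anonymous"
            print(f"{name:6} {host:18} {who:13} -> {access_decision('any', host, hdr, policy)}")
```

Running the script shows that under PAGE_POLICY every host passes the host test, so with Satisfy any an anonymous request from outside esecurity.ch is granted; an explicit Order allow,deny (or a Deny from all before the Allow) is what makes the host test restrictive, and Satisfy all is what requires both conditions at once.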

Security Technologies for the World Wide Web, Second Edition
ISBN: 1580533485
Year: 2003
Pages: 142
Authors: Rolf Oppliger
