< Day Day Up > |
Authentication is the process to prove the identity of an entity or principal. In a J2EE environment, a principal may be
The requests to access Web resources are submitted as HTTP requests . Therefore, the means of authentication are tied to HTTP capabilities, with certain enhancements introduced at the J2EE Web application layer. 4.5.1 Login-Configuration PolicyIn order to authenticate the caller, authentication data needs to be retrieved so that it can be used to perform the authentication. The authentication data ”for example, user ID and password ”can be retrieved in many ways. In the case of HTTP, it is possible to use the HTTP authentication mechanism, whereby user ID and password are expected in a specific HTTP header. Because the HTTP authentication mechanism does not involve a user-friendly HTML form, J2EE allows for an enhanced mode by which the user ID and password can be sent to the WAS. As part of the login-configuration details of a J2EE Web application, an Application Assembler and/or a Deployer can specify the approach by which a user's authentication data should be obtained. This is done in the deployment descriptor, web.xml , bundled in the Web application's WAR file. The authentication method is specified through the auth-method element in the login-config descriptor. The auth-method element indicates which authentication mechanism should be used to obtain the authentication data. As we saw in Section 3.9.1.1 on page 78, there are three types of authentication methods :
The following subsections describe each of these authentication methods in detail. 4.5.1.1 HTTP Authentication MethodThe specification for HTTP authentication is described in Request for Comments (RFC) 2617. [1] The two modes of HTTP authentication ”basic and digest ”are implemented by HTTP. Therefore, when an HTTP client, such as a Web browser or a Java program, authenticates itself to an HTTP server, the communication between the client and the server is based on the HTTP specification.
When the HTTP authentication mode is basic, the user ID and password of the end user are submitted in cleartext as part of an HTTP header. When a client submits a request without the authentication data, a server that has been configured to perform basic authentication responds by indicating that this type of authentication is required. The client must resubmit the request with a user ID and password pair. A typical HTTP communication flow with basic authentication request is summarized in Figure 4.4. Figure 4.4. Communication Flow with HTTP Basic Authentication
Suppose that the www.fabrikam456.com Web site hosts travel reservations online. When a user visits the site to make reservations , the client submits a request to http://www.fabrikam456.com/travel/reserve . The Web site has secured access to reservations by means of HTTP basic authentication. Therefore, the Web server receiving the request will send an error response indicating that basic authentication is required. The client will be asked to submit authentication data relative to a user registry, which is specified in terms of an HTTP security realm. It is possible for an end user to have accounts in multiple security realms. Therefore, in order to help the end user provide a valid user ID and password for the target realm, the Web server will also indicate a realm name when it issues an authentication response. In HTTP terminology, the Web server sends back an HTTP 401 error code. Along with the error code, the server sends back a WWW-Authenticate HTTP header, asking the client to authenticate with basic authentication by submitting a valid user ID and password pair specific to a named realm. In the scenario depicted in Figure 4.4, the server issues an HTTP 401 response with an HTTP WWW-Authenticate header, indicating that the server expects basic authentication specific to the fabrikam456 HTTP realm. A WAS can be configured to protect a Web resource with HTTP basic authentication by setting the auth-method element in the login-config descriptor to BASIC . The name of the realm to which the user must authenticate must be specified by setting the realm-name element. A sample login configuration for basic authentication requiring a user to authenticate to the fabrikam456 realm is shown in Listing 4.3. Listing 4.3. Sample Login Configuration for HTTP Basic Authentication<login-config> <auth-method>BASIC</auth-method> <realm-name>fabrikam456</realm-name> </login-config> On receiving an HTTP 401 error response from a Web server, a Web browser prompts the user for a user ID and password in a dialog box, which also shows the realm name. In the context of the scenario of Figure 4.4, the user is prompted for user ID and password for the fabrikam456 realm. When the client responds with a user ID and password, the original request ”for example, http://www.fabrikam456.com/travel/reserve ”must also be resubmitted. The authentication information is sent over as an HTTP header named Authorization . The client sends a base64-encoded version (see footnote 2 on page 78) of the user ID and password, with a colon separating these two values. For example, if user Bob Smith has user ID bob and password bobpass , the base64 encoding of the string bob:bobpass will be computed and sent as an authorization header. As discussed in Section 4.10.2 on page 149, HTTP is a stateless protocol. Therefore, the WAS processes this request as if it were a new request. The WAS will find out that the URL is protected and that it requires HTTP basic authentication. The WAS will then look for the Authorization HTTP header in the submitted request to find the userID and password information. The server extracts the user ID and password from the header by decoding the base64-encoded value and validates the values within the specified realm. In the example of Figure 4.4, the server validates the user ID and password pair in the frbrikam456 realm. If the values are correct , the client will be considered to have been successfully authenticated. If not, the WAS responds with an error message. Because the user ID and password are encoded in base64 format, which from a security point of view is equivalent to cleartext, it is highly recommended that this transaction take place over an SSL connection (see Chapter 13 on page 449). Specifically, whenever user ID and password will be sent in response to an HTTP 401 challenge, the request is recommended to be an HTTP over SSL ( HTTPS ) request. [2] For example, in the scenario depicted in Figure 4.4, the URL invoked by the client would be https://www.fabrikam456.com/travel/reserve . In J2EE, one can require basic authentication to be sent over a secure channel, as explained in Section 4.6.6 on page 133.
With digest authentication, the user ID and a hash value of the password (see Section 10.2.2.4 on page 356) are transmitted to the HTTP server as part of an HTTP header. This way, the password does not appear in cleartext, which is the biggest weakness of basic authentication. The details of how digest authentication works are explained in Chapter 3 on page 55. The authentication flow in digest authentication is similar to that in basic authentication mode. With digest authentication, however, the WWW-Authenticate HTTP header indicates that the HTTP server expects digest authentication. As we observed in Chapter 3 on page 55, in order for an HTTP server to compute the hash value of a user's password, the server must have access to the passwords of all the users. This is rarely the case in most enterprise environments, as passwords in cleartext are not retrievable from a user repository containing user ID and password information. Therefore, digest authentication has not been widely adopted in enterprise environments and hence is not required to be supported by a J2EE container. A WAS that supports digest authentication can be configured to protect a Web resource with HTTP digest authentication by setting the auth-method element in the login-config descriptor to DIGEST . The name of the realm to which the user must authenticate must also be specified by setting the realm-name element. A sample login configuration for digest authentication requiring a user to authenticate to the fabrikam456 realm is shown in Listing 4.4. Listing 4.4. Sample Login Configuration for HTTP Digest Authentication<login-config> <auth-method>DIGEST</auth-method> <realm-name>fabrikam456</realm-name> </login-config> 4.5.1.2 Form-Based Authentication MethodA user-friendly presentation layer is a key part of an enterprise's e-business Web design. Usually, the home page of an enterprise contains information about the company and the services it offers, as well as links to detailed information about the business. When online transactions are involved, a user is typically redirected to a Web page asking for user ID and password, thus enabling the user to log on to one or more applications. Typically, a Web page or section of a Web page is provided with an HTML form for a user to enter user ID and password and a button to submit the authentication data to the HTTP server. Providing the user ID and password will take the user to a page that is customized to that user and from where all the user account information can be securely accessed. For example, in our travel service scenario described on page 114, a user could log in and update credit information or view his or her travel itinerary , frequent flyer account details, and monthly billing statement. Because basic authentication has virtually no customization capabilities and is also specific to a browser's characteristics, enterprise environments choose to use a login method whereby the user ID and password information are captured in an HTML form. This form-based login is not an option in the HTTP specification and is therefore specific to the application layer. Because this is a common enterprise scenario, this mode of authentication is standardized under the Java Servlet specification by allowing the value of the auth-method element in the login-config descriptor to be set to FORM . The form-based login approach allows the WAS to use an HTML form to retrieve the user ID and password, as opposed to sending a 401 error code response as in the basic challenge type. When the value of auth-method is set to FORM , the user is redirected to the URL specified within the form-login-page element of the deployment descriptor. The form login page must contain the form elements j_username and j_password . The ACTION attribute associated with the form must be set to j_securitycheck . An example of such a login page is shown in Listing 4.5. Listing 4.5. Sample Login Web Page for Form-Based Login<HTML> <HEAD> <TITLE>Fabrikam456 Login page</TITLE> </HEAD> <BODY BGCOLOR="#FFFFFF" TEXT="#000000"> <TR><TD><HR NOSHADE SIZE="1"> <FONT SIZE="-1" FACE="Helvetica,Arial" COLOR="#996600"> <B>Please log in!</B></FONT><BR><BR></TD></TR> <CENTER> <FONT SIZE=1 COLOR="Blue"> Enter your travel account name and password in order to access our services </FONT><BR> <FORM METHOD=POST ACTION="j_security_check"> <FONT SIZE=1>Account <INPUT TYPE=TEXT NAME="j_username" SIZE=20></FONT><BR> <FONT SIZE=1>Password <INPUT TYPE=PASSWORD NAME="j_password" SIZE=20> </FONT><BR> <INPUT TYPE=SUBMIT NAME=ACTION VALUE="Submit Login"> </FORM><HR> </CENTER> </BODY> </HTML> When the ACTION attribute associated with the form is set to j_securitycheck as in Listing 4.5, the WAS extracts the user ID and password from the form and validates them. The WAS recognizes the user ID and password because these are the values that the user entered in the j_username and j_password text boxes, respectively. If the authentication fails, the user is redirected to the Web page specified by the deployment descriptor's form-error-page element. An example of deployment descriptor login configuration using FORM as the authentication method is shown in Listing 4.6. Listing 4.6. Sample Login Configuration for Form-Based Authentication<login-config> <auth-method>FORM</auth-method> <form-login-config> <form-login-page>/login.jsp</form-login-page> <form-error-page>/login-failed.html</form-error-page> </form-login-config> </login-config> Typically, the URLs specified in the form-login-page and the form-error-page are relative to the context path of the Web application to which the deployment descriptor refers. The context path of a Web application is the path prefix associated with the javax.servlet.ServletContext that the servlet or the JSP application is a part of. For example, let us consider again the URL http://www.fabrikam456.com:80/travel/reserve , which we used in the scenario described on page 000. A path prefix in a URL is a substring of the URL that excludes the protocol part, host name, and port number ( http://www.fabrikam456.com:80 ); it can either be a single forward slash ( / ) or start with a forward slash and end with the last character before a subsequent forward slash. For example, in the preceding URL, the possible path prefixes are / and /travel . Of these two path prefixes, the context path for the travel Web application is /travel . Therefore, the values /login.jsp and /login-failed.html are relative to /travel . A typical HTTP communication flow with a form-based authentication request is summarized in Figure 4.5. A user who tries to access the secured resource, http://www.fabrikam456.com/travel/reserve , is redirected to the login Web page at http://www.fabrikam456.com/travel/login.jsp and presented with a login form. In the case of authentication failure, the user is redirected to the error page at http://www.fabrikam456.com/travel/login-failed.html . To protect the user ID and password during transmission, the entire HTTP transaction should be carried over the SSL protocol. [3] This implies that all the URLs in Figure 4.5 should start with https rather than http .
Figure 4.5. Form-Based Login Request Flow Scenario
4.5.1.3 Certificate-Based Authentication MethodIn public-key cryptography-based systems, the private key of a client stays with the client and is never sent over the network. The public key is available to the server, wrapped in a digital certificate (see Chapter 10 on page 372). The SSL protocol is a public-key cryptography-based mechanism widely used in a Web environment. In particular, SSL is commonly adopted to achieve integrity and confidentiality of HTTP message transactions. As we discussed on page 96, when a Web server is configured to require mutal authentication with the end client over SSL, the client authenticates the server, using the server's digital certificate, and the server authenticates the client, using the client's digital certificate. These digital certificates are exhanged during the SSL handshake ”the phase in which the client and the server establish the SSL connection (see Section 13.1.2, on page 452). Because a client's certificate is associated with a given principal on the client side of a mutual-authentication SSL connection, the client's certificate is considered a form of client authentication in a Web environment (see Figure 4.6). In such cases, successful negotiation of an SSL connection implies that the client certificate is signed by a CA trusted by the server and that the client who presented the certificate possesses the correct private key ”the one corresponding to the public key wrapped in the client certificate. It is also possible, and highly recommended, that a digital certificate be validated against a certificate revocation list (CRL) to ensure that it is still valid. The client-certificate contents can be used to derive the identity of the requester. This enables using client digital certificates to infer the identity of the clients and prove authenticity when performing authorization checks. The concepts of digital certificate, CA, and CRL are described in Section 10.3.4 on page 372. Figure 4.6. Establishing a Principal's Identity Based on Mutual-Authentication SSL
In a J2EE environment, the authentication method for a Web application can be set to be certificate based by properly configuring the deployment descriptor in the Web application's Web module. In particular, the auth-method element in the login-config descriptor must be set to CLIENT-CERT , as shown in Listing 4.7. Listing 4.7. Sample Login Configuration for Certificate-Based Authentication<login-config> <auth-method>CLIENT-CERT</auth-method> </login-config> After the SSL handshake, the client's digital certificate can be made accessible to the WAS designated to handle the client's request. The WAS can then use the contents of the client's digital certificate to derive the identity of the requester. In particular, the WAS uses the client's digital certificate to represent a unique user, a group of users, or an organization. For example, the subject's name obtained from the client's digital certificate may be mapped to the short name of a user in an LDAP directory. Each certificate contains a field called the subject's Distinguished Name (DN). A subject's DN is a string representing the name of the entity whose public key the certificate identifies. The DN uniquely identifies the name of that subject across the Internet. According to the X.509 standard, a subject's DN contains the following attributes:
Let us consider the example of a subject whose DN is CN=Bob Smith, OU=Travel Division, O=Fabrikam456, L=Raleigh, ST=North Carolina, C=United States Because a subject's DN is unique, a direct match against the DN is the preferred way to obtain the corresponding user ID in the registry. If this option is not available, imperfect mappings can be used. For example, in the subject's DN, the CN attribute, Bob Smith , can be mapped to a user entry in an LDAP directory where the user's short name is bob . In this example, the policy to map the certificate is as simple as using the CN in the subject's DN to map directly to a user ID in the registry. Other attributes in the client certificate may be used to establish the user's identity. How a certificate-based authentication can be used to deduce the identity of the requester and details of mapping rules are outside the scope of the J2EE specification and depend on the J2EE product implementation. Note that a J2EE WAS gets to handle a request after the SSL handshake is established at the transport layer, as shown in Figure 4.6. In many enterprise topologies, an SSL connection is established with a reverse proxy server that sits in a DMZ (see Section 6.2.2 on page 193). A reverse proxy server can accomplish several tasks , including content caching, load balancing, user authentication, and access-control enforcement. The machines that host the WASs are often different from the machine hosting the reverse proxy server. Therefore, it is common that the WAS designated to handle the client's request does not directly participate in the SSL handshake. Because the client's identity is derived from the client's digital certificate and is the basis for identifying the principal accessing the Web resource, the trust relationship between the WASs and the reverse proxy server acting as the server-side SSL end point must be properly designed. This may be achieved by establishing a mutual-authentication SSL connection between each WAS and the reverse proxy server. 4.5.2 Single Sign-OnAs we discuss in Section 4.10.2 on page 149, the stateless nature of HTTP implies that every request a client submits is treated by a server as a new request. Therefore, if user authentication is required, a user will be asked to authenticate on every request. For example, if the authentication method is based on user ID and password, as in HTTP and form-based authentication, the user will be prompted to type and submit a user ID and password pair on every request. This scenario is annoying for the user and is considered user unfriendly. WASs offer a mechanism providing single sign-on (SSO), which means that users are prompted for their credentials only once. SSO can be achieved at various levels: browser, J2EE Web application, J2EE Web container, and others.
An e-business scenario may involve multiple organizations participating in the same transaction. For example, a user contacting a real estate agency on the Internet may be temporarily redirected to an associated home mortgage organization. After having been preapproved for a mortgage, the user is then readmitted to the real estate agency's Web site. The real estate agency's WAS can now personalize the response sent back to the client by showing the user only those houses that the user can afford, based on the mortgage amount calculated by the home mortgage organization. A scenario like this involves multiple HTTP servers, each belonging to a different Domain Name Service (DNS) system. In such scenarios, if various organizations require client authentication, none of the previous solutions would achieve SSO, for the following reasons.
In such cases, sophisticated enterprise SSO solutions are typically deployed. These solutions are outside the scope of the J2EE specification and depend on the implementation of the J2EE product and other external security products that can work with the J2EE product. |
< Day Day Up > |