WebApp Sec mailing list archives
RE: Authentication/Access-control libraries
From: "Sasha Romanosky" <sasha_romanosky () yahoo com>
Date: Thu, 25 Sep 2003 17:19:48 -0700
-n,

I'm with Simon, if you have the budget for commercial software, Netegrity, Oblix and Tivoli are definitely vendors you should look to. They will provide full identity management solutions for your enterprise, should you require it. I am not aware of specific open-source libraries, per se, that offer turn-key solutions for authentication and authorization. Mostly what I have seen are people adopting best practices in terms of design and mechanisms.

Authentication:

First, I would claim that authentication is much easier to solve than authorization. If you require simple authN and you're using a J2EE application server, either open-source (Tomcat) or commercial (WebLogic, WebSphere), take a look at their Realms: JNDIRealm, JDBCRealm or JAASRealm. These are very quick and easy to configure and use. Be aware, though, when you're using these, of how they are implemented:

- How does it initiate communication with the service? Re LDAP, does it bind anonymously or perform proper user binds?
- How does it communicate with the user store? Can it talk SSL/TLS (or even SASL)? Is a VPN or stunnel necessary?
- Does it require passwords to be stored cleartext, or can it support encrypted or hashed passwords?

While the Realms are easy to use, they can be less flexible in terms of the above issues.

I have had mixed results with JAAS. On the one hand it has so much potential. Authentication based on stackable, pluggable authentication modules (PAM) - what could be better? However, in practice, I found it to be clunky and disappointing. Using JAAS to talk to an LDAP directory service failed in the three issues I mentioned above. You may have better results if you're using NTLM or Kerberos. Coding to JNDI with SSL/TLS is a much better approach, I feel. You have more control over flow and error handling.

Personally, I don't think you can ever go wrong building an infrastructure where users authenticate against an LDAP directory service. It's ubiquitous, convenient, secure (if done properly), scalable, and can perform very well. The major issues, however, are interoperability amongst disparate applications and how they perform authentication against it (regarding the issues I mentioned above). Your security policies and business rules could provide guidance here, in terms of what is acceptable and what is possible to do.

I created something once upon a time to help me understand web-based authentication options. You might find it useful: http://www.romanosky.net/papers/auth_options.gif

Authorization:

This is definitely a much more difficult problem to solve well. Unless you have the funds to purchase an enterprise IM product, I think you're stuck writing your own. At least this way, you can write what you need. The authorization of JAAS seemed to provide nothing more than static groups and wasn't all that useful.

I don't know of any open-source libraries to allow any form of decent RBAC aside from the NIST code. I can't talk to their latest release, but as of a couple of years ago, there was an implementation in Perl that was not quite complete. However, NIST is definitely the place to look for proper RBAC designs.

Be careful when you hear vendors who claim they support RBAC. There is assigning users to roles and granting or denying those roles access to resources, and then there is full RBAC which fully abstracts users from privileges, implements inheritance, and static, dynamic, and operational separation of duties. This is a huge difference and it is worth understanding - if only to protect yourself from vendor speak.

If you do roll your own, you'll encounter the issue of where to store your privileges. And I'll bet you'll hear three voices: in the application, in the directory or in the database. I'm not sure it really matters, honestly. Though storing privileges in the application would not be my first choice. I wish I could offer advice, but I can't at this time. Perhaps someone else on the list can provide guidance (beyond the standard relational database vs. optimized directory talk).

<disclaimer> I represent no vendor. Just an enthusiast who enjoys exploring this field. Ideas and opinions are mine. Your mileage may vary. Batteries not included. Wash colors separately.

Cheers,
Sasha
-----Original Message-----
From: cunningham.simon () btopenworld com [mailto:cunningham.simon () btopenworld com]
Sent: Wednesday, September 03, 2003 12:42 AM
To: n30_lists () hotmail com
Cc: security-basics () securityfocus com; secprog () securityfocus com; webappsec () securityfocus com
Subject: Re: Authentication/Access-control libraries

JAAS has been suggested, this offers useful functionality in the Java space but is unlikely to solve all your problems in the web tier, particularly as you mention ASP.

On the commercial front you should be looking at Netegrity SiteMinder, IBM Tivoli Access Manager and Oblix NetPoint. There are others but these are the market leaders (according to Gartner). All offer agents of some form that perform authentication and authorisation before access is granted to a URL, thus saving you from having to put authentication and authorisation code in every page. They also offer mechanisms to do more granular authorisation inside your application should you want to. There's much more to these products (flexible authentication schemes, policy based authorisation, SSO support, complementary identity management products, etc., etc.) but I'll spare you the sales pitch.

Hope that helps.

Simon

from: n30 <n30_lists () hotmail com>
date: Tue, 02 Sep 2003 17:05:31
to: security-basics () securityfocus com, secprog () securityfocus com, webappsec () securityfocus com
subject: Re: Authentication/Access-control libraries

Gurus,

Say I am a programmer designing an ecommerce site & wanting to write secure code. I have heard there are commercial & open-source secure libraries available out there that I can reuse for performing authentication and access control. Any links/pointers to them?? I am specifically looking for ASP & Java. But any language should be fine. I will get an insight into things.

Thanks in advance
-n
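Sasha's three questions about Realm implementations (anonymous bind vs. a proper user bind, SSL/TLS to the user store, and whether the application ever has to see a stored password) and his preference for coding straight to JNDI with SSL/TLS, worked through as an added Java example. This is not code from any of the posts, from the NIST project, or from a Tomcat Realm; the ldaps:// host, the base DN, the read-only service account and the `uid` attribute are assumptions chosen for illustration.

```java
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

/**
 * Authenticates a user against an LDAP directory over TLS with a two-step bind:
 * a low-privilege service account looks up the user's DN, then the user's own
 * credentials are used for a second bind. The directory compares the password
 * against whatever hash it stores; the application never reads stored credentials.
 * Host names, DNs and the uid attribute are illustrative assumptions.
 */
public final class LdapAuthenticator {
    private final String url;          // assumed: "ldaps://ldap.example.com:636"
    private final String peopleBase;   // assumed: "ou=people,dc=example,dc=com"
    private final String serviceDn;    // assumed: read-only search account
    private final char[] servicePassword;

    public LdapAuthenticator(String url, String peopleBase, String serviceDn, char[] servicePassword) {
        // Refuse cleartext LDAP: every bind would send the password in the clear.
        if (!url.startsWith("ldaps://")) {
            throw new IllegalArgumentException("LDAP URL must use ldaps://");
        }
        this.url = url;
        this.peopleBase = peopleBase;
        this.serviceDn = serviceDn;
        this.servicePassword = servicePassword.clone();
    }

    /** Opens a simple bind as `dn` over SSL/TLS; throws if the directory rejects it. */
    private DirContext bind(String dn, char[] password) throws NamingException {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_PROTOCOL, "ssl");
        env.put(Context.SECURITY_AUTHENTICATION, "simple");   // never anonymous
        env.put(Context.SECURITY_PRINCIPAL, dn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        return new InitialDirContext(env);
    }

    /** True only if `username` maps to exactly one entry and that entry's password matches. */
    public boolean authenticate(String username, char[] password) {
        // An empty password turns a simple bind into an unauthenticated (anonymous) bind on
        // many servers, which "succeeds" without checking anything. Reject it up front.
        if (username == null || username.isEmpty() || password == null || password.length == 0) {
            return false;
        }

        String userDn;
        DirContext service = null;
        try {
            service = bind(serviceDn, servicePassword);
            SearchControls controls = new SearchControls();
            controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
            controls.setReturningAttributes(new String[0]);   // only the DN is needed
            // The {0} placeholder makes JNDI escape the value, so a username such as
            // "*)(uid=*" cannot rewrite the search filter.
            NamingEnumeration<SearchResult> hits =
                    service.search(peopleBase, "(uid={0})", new Object[] {username}, controls);
            if (!hits.hasMore()) {
                return false;                                 // unknown user
            }
            userDn = hits.next().getNameInNamespace();
            if (hits.hasMore()) {
                return false;                                 // ambiguous match: refuse rather than guess
            }
        } catch (NamingException e) {
            return false;                                     // directory unreachable or search denied
        } finally {
            closeQuietly(service);
        }

        DirContext user = null;
        try {
            user = bind(userDn, password);                    // the directory verifies the password
            return true;
        } catch (AuthenticationException e) {
            return false;                                     // wrong password
        } catch (NamingException e) {
            return false;
        } finally {
            closeQuietly(user);
        }
    }

    private static void closeQuietly(DirContext ctx) {
        if (ctx == null) return;
        try { ctx.close(); } catch (NamingException ignored) { }
    }
}
```

The three checks from the post map onto the code directly: the constructor refuses anything but ldaps://, so no VPN or stunnel is needed; `bind` always performs a simple bind as a named DN, never anonymously; and the password check is delegated to the directory's own bind, so the application works with hashed passwords in the directory and never has to store or compare them itself. The empty-password and ambiguous-match cases are the two that Realm-style wrappers most often get wrong.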
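Sasha's distinction between "assigning users to roles" and full RBAC (users abstracted from privileges, role inheritance, and static and dynamic separation of duties), worked through as an added Java example. It is not code from the posts or from the NIST implementation he refers to; it covers static and dynamic separation of duty and leaves operational separation of duty out, and the role and permission names in `main` are made up for the demonstration.

```java
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

/**
 * Minimal RBAC core in the spirit of the NIST model: users never hold permissions directly,
 * senior roles inherit from junior roles, and separation of duty is enforced both statically
 * (at assignment) and dynamically (at activation). Names in main() are made up for the demo.
 */
public final class Rbac {
    private final Map<String, Set<String>> userAssignments = new HashMap<>(); // UA: user -> roles
    private final Map<String, Set<String>> rolePermissions = new HashMap<>(); // PA: role -> permissions
    private final Map<String, Set<String>> juniorsOf = new HashMap<>();       // RH: senior -> juniors
    // SoD constraints: a user (SSD) or a session (DSD) may hold fewer than n roles from the set.
    private final Map<Set<String>, Integer> staticSod = new HashMap<>();
    private final Map<Set<String>, Integer> dynamicSod = new HashMap<>();

    public void addRole(String role) {
        rolePermissions.putIfAbsent(role, new HashSet<>());
        juniorsOf.putIfAbsent(role, new HashSet<>());
    }
    /** senior inherits every permission of junior, transitively; cycles are refused. */
    public void addInheritance(String senior, String junior) {
        requireRole(senior); requireRole(junior);
        if (closure(Set.of(junior)).contains(senior)) throw new IllegalArgumentException("cycle");
        juniorsOf.get(senior).add(junior);
    }
    public void grantPermission(String role, String perm) { requireRole(role); rolePermissions.get(role).add(perm); }
    public void addStaticSod(Set<String> roles, int n) { staticSod.put(Set.copyOf(roles), n); }
    public void addDynamicSod(Set<String> roles, int n) { dynamicSod.put(Set.copyOf(roles), n); }

    /** Assigns a role, refusing if the user's authorized role set would then violate SSD. */
    public void assignUser(String user, String role) {
        requireRole(role);
        Set<String> proposed = new HashSet<>(userAssignments.getOrDefault(user, Set.of())); proposed.add(role);
        checkSod(staticSod, closure(proposed), "static");
        userAssignments.computeIfAbsent(user, k -> new HashSet<>()).add(role);
    }
    /** Roles a user may activate: assigned roles plus everything they inherit. */
    public Set<String> authorizedRoles(String user) { return closure(userAssignments.getOrDefault(user, Set.of())); }
    public Session createSession(String user) { return new Session(user); }

    /** A session activates a subset of the user's roles; DSD is checked at each activation. */
    public final class Session {
        private final String user;
        private final Set<String> active = new HashSet<>();
        private Session(String user) { this.user = user; }

        public void activate(String role) {
            if (!authorizedRoles(user).contains(role)) throw new SecurityException(user + " cannot activate " + role);
            Set<String> proposed = new HashSet<>(active); proposed.add(role);
            checkSod(dynamicSod, closure(proposed), "dynamic");
            active.add(role);
        }
        /** The permission must belong to an active role or to one of its juniors. */
        public boolean checkAccess(String permission) {
            for (String r : closure(active)) if (rolePermissions.get(r).contains(permission)) return true;
            return false;
        }
    }

    /** Transitive closure of a role set over the hierarchy. */
    private Set<String> closure(Set<String> roles) {
        Set<String> seen = new HashSet<>();
        Deque<String> todo = new ArrayDeque<>(roles);
        while (!todo.isEmpty()) {
            String r = todo.pop();
            if (seen.add(r)) todo.addAll(juniorsOf.getOrDefault(r, Set.of()));
        }
        return seen;
    }
    private static void checkSod(Map<Set<String>, Integer> constraints, Set<String> held, String kind) {
        for (Map.Entry<Set<String>, Integer> c : constraints.entrySet())
            if (c.getKey().stream().filter(held::contains).count() >= c.getValue())
                throw new SecurityException(kind + " separation of duty violated for " + c.getKey());
    }
    private void requireRole(String r) { if (!rolePermissions.containsKey(r)) throw new IllegalArgumentException("unknown role " + r); }

    public static void main(String[] args) {
        Rbac rbac = new Rbac();
        for (String r : new String[] {"employee", "clerk", "approver", "auditor"}) rbac.addRole(r);
        rbac.addInheritance("clerk", "employee");           // clerk and approver both inherit employee
        rbac.addInheritance("approver", "employee");
        rbac.grantPermission("employee", "timesheet:submit");
        rbac.grantPermission("approver", "invoice:approve");
        rbac.addStaticSod(Set.of("clerk", "auditor"), 2);   // nobody may be assigned both
        rbac.addDynamicSod(Set.of("clerk", "approver"), 2); // may hold both, never in one session
        rbac.assignUser("alice", "clerk");
        rbac.assignUser("alice", "approver");
        Session s = rbac.createSession("alice");
        s.activate("clerk");
        System.out.println("timesheet:submit via inherited employee role: " + s.checkAccess("timesheet:submit"));
        System.out.println("invoice:approve with approver not active: " + s.checkAccess("invoice:approve"));
        try { s.activate("approver"); } catch (SecurityException e) { System.out.println(e.getMessage()); }
        try { rbac.assignUser("alice", "auditor"); } catch (SecurityException e) { System.out.println(e.getMessage()); }
    }
}
```

The vendor-speak test from the post is whether each of these pieces exists: `checkAccess` never consults a user-to-permission table, only roles; `closure` supplies inheritance, so `clerk` picks up `employee`'s permissions; `assignUser` enforces the static constraint at assignment time (with the hierarchy folded in, so a senior role cannot smuggle in a junior role that the constraint forbids); and `Session.activate` enforces the dynamic constraint, which is what lets one person legitimately hold both `clerk` and `approver` without ever exercising them together. A product that only offers "users in groups, groups on resources" has the first item and none of the others.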
Current thread:
- Authentication/Access-control libraries n30 (Sep 02)
- Re: Authentication/Access-control libraries George Capehart (Sep 03)
- <Possible follow-ups>
- RE: Authentication/Access-control libraries Lapinski, Michael (Research) (Sep 02)
- Re: Authentication/Access-control libraries jdk (Sep 02)
- Re: Authentication/Access-control libraries cunningham . simon (Sep 03)
- RE: Authentication/Access-control libraries TUER, DON (Sep 03)
- RE: Authentication/Access-control libraries Sasha Romanosky (Sep 25)