Web App Authentication Methods



Authentication Methods for Web Apps

1.    Authentication Methods

A user authentication mechanism specifies the way a user gains access to web content.  By specifying the authentication mechanism, the user must be authenticated before access is granted to any resource that is protected by the security constraint.

I would broadly classify these authentication methods into two:

  • Credential Based authentication
  • Certificate Based Authentication

2. Credential Based Authentication:

Credential based authentication is considered the primitive method of authentication, where the user names, passwords (of late we prefer to call them passphrases) and roles are configured on the web server.  The web app must identify itself by sending a username and password to the server, so that the server authenticates and authorizes the user based on that configuration before allowing access to the web resource.

Following are the server based authentication mechanisms:

  • Basic Authentication
  • Form based authentication
  • Digest authentication

HTTP basic authentication and form based authentication are not secure authentication mechanisms on their own.  In these mechanisms the target server is not authenticated.  Basic authentication sends the user name and password over the internet as base64-encoded text, which anyone on the path can decode; form based authentication sends them as plain text.  So this data must be sent over a secure transport mechanism (SSL) to prevent the user name and password from being snooped on the network.

2.1 Basic Authentication

HTTP basic authentication requires that the server request a user name and password from the web client and verify that they are valid by comparing them against a database of authorized users.

[Figure: Basic Authentication]

Following are the sequence of actions for Basic Authentication:

  1. Client requests access to a protected content
  2. The Server returns a dialog box that requests the user name and password
  3. The client submits the user name and password to the server
  4. Server authenticates the user by verifying the credentials in its data base
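The four steps above, worked through in Python as an added example (not code from the original post or from the Java EE manual): the 401 challenge that triggers the browser dialog, the decoding of the Authorization header, and the constant-time check against a store that holds only salted password hashes. The user store, salt and realm are constructed for the example.

```python
import base64
import hashlib
import hmac

# Constructed user store: username -> (salt, PBKDF2 hash). A server never needs the
# plain password to check a Basic credential, only a hash it can recompute.
def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

SALT = b"constructed-salt"                      # use a random per-user salt in practice
USER_DB = {"alice": (SALT, hash_password("s3cret", SALT))}

def challenge_header(realm: str = "example") -> dict:
    """Step 2: the 401 response header that makes the browser show its login dialog."""
    return {"WWW-Authenticate": f'Basic realm="{realm}", charset="UTF-8"'}

def parse_basic_header(header: str):
    """Step 3: decode 'Basic <base64(user:pass)>'. Returns (user, password) or None.
    Base64 is an encoding, not encryption: the credentials are readable on the wire."""
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    username, sep, password = decoded.partition(":")   # password may itself contain ':'
    return (username, password) if sep else None

def verify_basic(header: str) -> bool:
    """Step 4: check the decoded credentials against the store in constant time."""
    creds = parse_basic_header(header)
    if creds is None:
        return False
    username, password = creds
    salt, stored = USER_DB.get(username, (SALT, b""))  # same work for unknown users
    return hmac.compare_digest(hash_password(password, salt), stored)
```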

2.2 Form Based Authentication

Form based authentication allows the developer to control the look and feel of the login authentication screens by customizing the login screen and error pages that an HTTP browser presents to the end user.

[Figure: Form Based Authentication]

Following are the actions for form based authentication:

  1. Client requests access to a protected resource
  2. If the client is unauthenticated, the server redirects the client to a login page
  3. Client submits the login form to the server
  4. The server attempts to authenticate the user:
    1. If authentication succeeds, the authenticated user’s principal is checked to ensure that it is in a role that is authorized to access the resource.
    2. If the user is authorized, the server redirects the client to the resource requested by the client
    3. If authentication fails, the client is forwarded or redirected to an error page.
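The flow above as an added example (not the post's or Java EE's code): a framework-free request handler that redirects unauthenticated clients to the login page, authenticates the posted form, checks the principal's role against the resource, and redirects back to the originally requested resource. Users, roles, the protected path and the session table are constructed for the example.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlencode

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

# Constructed data: users with roles, the resources a security constraint protects,
# and the server-side session table keyed by the cookie value.
SALT = b"constructed-salt"
USERS = {
    "alice": {"hash": hash_password("s3cret", SALT), "roles": {"admin"}},
    "bob": {"hash": hash_password("hunter2", SALT), "roles": set()},
}
PROTECTED = {"/admin/report": "admin"}          # resource -> role required
SESSIONS = {}                                   # session id -> principal

def safe_next(target: str) -> str:
    """Only redirect back to a local path after login (no open redirect)."""
    return target if target.startswith("/") and not target.startswith("//") else "/"

def handle(method: str, path: str, form: dict = None, cookie: str = None):
    """One request through the form-login flow; returns (status, headers)."""
    form = form or {}
    if method == "POST" and path == "/login":                        # step 3
        user = USERS.get(form.get("username", ""))
        given = hash_password(form.get("password", ""), SALT)
        if user and hmac.compare_digest(given, user["hash"]):        # step 4
            sid = secrets.token_urlsafe(32)
            SESSIONS[sid] = {"user": form["username"], "roles": user["roles"]}
            return 303, {"Location": safe_next(form.get("next", "/")),
                         "Set-Cookie": f"sid={sid}; HttpOnly; Secure; SameSite=Lax"}
        return 303, {"Location": "/login-error"}                     # step 4.3
    role = PROTECTED.get(path)
    if role is None:
        return 200, {}
    principal = SESSIONS.get(cookie)
    if principal is None:                                            # step 2
        return 302, {"Location": "/login?" + urlencode({"next": path})}
    if role not in principal["roles"]:                               # step 4.1
        return 403, {}
    return 200, {"X-Authenticated-User": principal["user"]}          # step 4.2
```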

2.3 Digest Authentication

Like basic authentication, digest authentication authenticates a user based on a user name and a password.  But digest authentication does not send the user name and password over the network in plain text.  The client sends a one-way cryptographic hash of the password and additional data.  Although plain text passwords are not sent on the wire, digest authentication requires that clear-text password equivalents be available to the authenticating container so that it can validate received authenticators by calculating the expected digest.
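The digest computation and the "password equivalent" caveat, as an added example (not code from the original post): the client builds the RFC 2617 response hash, and the server validates it from a stored HA1 value rather than the password. Note what this means: whoever obtains the stored HA1 can authenticate as that user in that realm. Realm, user store, nonces and the header parser are constructed here.

```python
import hashlib
import hmac
import re

REALM = "example.org"

def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()

def ha1(username: str, password: str, realm: str = REALM) -> str:
    """MD5(user:realm:password): the 'password equivalent' the server must keep."""
    return md5_hex(f"{username}:{realm}:{password}")

# Constructed store. Keeping HA1 instead of the password still lets the server validate
# digests, but anyone who steals HA1 can authenticate as that user in this realm.
USER_HA1 = {"alice": ha1("alice", "s3cret")}

def build_digest_header(username, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """Client side (qop=auth): response = MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    h2 = md5_hex(f"{method}:{uri}")
    resp = md5_hex(f"{ha1(username, password)}:{nonce}:{nc}:{cnonce}:{qop}:{h2}")
    return (f'Digest username="{username}", realm="{REALM}", nonce="{nonce}", uri="{uri}", '
            f'qop={qop}, nc={nc}, cnonce="{cnonce}", response="{resp}"')

_PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|([^\s,]+))')   # key="quoted" or key=bare

def parse_digest_header(header: str) -> dict:
    scheme, _, params = header.strip().partition(" ")
    if scheme.lower() != "digest":
        return {}
    return {key: quoted or bare for key, quoted, bare in _PAIR.findall(params)}

def verify_digest_header(method: str, header: str) -> bool:
    """Server side: recompute the digest from the stored HA1 and compare in constant time.
    A real server must also reject nonces it did not issue or has already seen (replay)."""
    p = parse_digest_header(header)
    needed = ("username", "realm", "nonce", "uri", "nc", "cnonce", "response")
    if any(k not in p for k in needed) or p["realm"] != REALM:
        return False
    h1 = USER_HA1.get(p["username"])
    if h1 is None:
        return False
    h2 = md5_hex(f"{method}:{p['uri']}")
    expected = md5_hex(f"{h1}:{p['nonce']}:{p['nc']}:{p['cnonce']}:{p.get('qop', 'auth')}:{h2}")
    return hmac.compare_digest(expected, p["response"])
```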

3. Certificate Based Authentication

In certificate based authentication, a certificate issued by a Certification Authority is used to authenticate the user.  The certificate is a kind of digital passport, issued by an authority that has certified the user.

Following are the methods of Certificate Based Authentication:

  • Client Authentication
  • Mutual authentication

3.1 Client Authentication

Client authentication is a certificate based secure authentication methodology.  The client must have a public key certificate, which is a kind of digital equivalent of a passport.  The certificate is issued by a trusted organization, called a Certificate Authority, which provides identification for the bearer.

The web server authenticates the client by using the client’s public key certificate.  Client authentication is a more secure method of authentication than basic authentication methods.

It uses HTTP over SSL (HTTPS), in which the server authenticates the client using the client’s public key certificate.  The SSL technology provides data encryption, server authentication, message integrity and client authentication for TCP/IP connections.

Certificate Based Mutual Authentication

In mutual authentication, both client and server authenticate each other.  Following is the flow of events in mutual authentication based on certificates:

[Figure: Certificate Based Mutual Authentication]

  1. Client requests access to a protected resource
  2. Webserver presents its certificate to the client
  3. Client verifies the server’s certificate
  4. If successful, the client sends its certificate to the server
  5. The server verifies the client’s credentials
  6. If successful, the server grants access to the protected resource
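The six steps above as an added example (not code from the original post), using Python's standard ssl module: the server context presents its certificate and requires a client certificate chained to a client CA, the client context verifies the server and presents its own certificate, and a helper maps the verified peer certificate to an application user. Certificate and key file paths are assumed and left optional only so the functions can be exercised offline; the peer-certificate dict in the test is constructed.

```python
import ssl

def server_mtls_context(cert_file=None, key_file=None, client_ca_file=None):
    """Server side of steps 2, 4 and 5: present our certificate and REQUIRE a client
    certificate chained to the client CA. PEM paths are assumed (optional only here)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if cert_file:
        ctx.load_cert_chain(cert_file, key_file)
    if client_ca_file:
        ctx.load_verify_locations(cafile=client_ca_file)
    ctx.verify_mode = ssl.CERT_REQUIRED   # CERT_NONE/CERT_OPTIONAL admit clients with no cert
    return ctx

def client_mtls_context(server_ca_file=None, cert_file=None, key_file=None):
    """Client side of steps 3 and 4: verify the server (and its hostname), then present
    our own certificate when the server asks for it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)   # CERT_REQUIRED + check_hostname by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if server_ca_file:
        ctx.load_verify_locations(cafile=server_ca_file)
    if cert_file:
        ctx.load_cert_chain(cert_file, key_file)
    return ctx

def authenticates_peer(ctx) -> bool:
    """True only when the handshake fails unless the peer proves possession of a cert."""
    return ctx.verify_mode == ssl.CERT_REQUIRED

def principal_from_peer_cert(peer: dict, client_ca_cn: str):
    """Step 5 continued: map sock.getpeercert() to an application user (subject CN).
    getpeercert() is empty when no certificate was validated, so that yields None."""
    def field(name, key):
        return next((v for rdn in name for k, v in rdn if k == key), None)
    if not peer or field(peer.get("issuer", ()), "commonName") != client_ca_cn:
        return None
    return field(peer.get("subject", ()), "commonName")
```

Which user the CN maps to, and whether the client CA is the only issuer you accept, is the application's authorization decision; the TLS layer only proves the client holds the private key for a certificate that chains to the loaded CA.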

3.2 Mutual Authentication Based On User Name and Password

Following is the sequence of events in mutual authentication based on user name and password:

[Figure: User Name Based Mutual Authentication]

  1. Client sends the request to access the protected content
  2. Webserver presents its certificate to the client
  3. Client verifies the server’s certificate
  4. If successful, the client sends its username and password to the server
  5. The server verifies the client’s credentials
  6. If successful, the server grants the client access to the protected content.

Summary

In this write-up I have summarized the authentication methods.  Though I started studying authentication methods for web apps, I don’t see any difference between authenticating web apps and web pages.  The manual from Java EE served as a very good reference for the above study.


One thought on “Web App Authentication Methods

    Sathiya Narayanan said:
    February 6, 2014 at 5:27 pm

    Excellent – Crisp and precise and not too detailed. It's a good start to understand the Web App Authentication methods
