
Distributed Access Control System



Presentation on theme: "Distributed Access Control System"— Presentation transcript:

1 Distributed Access Control System
Brian McLeod, Canada Centre for Remote Sensing
Salutations …

2 GeoInnovations (technology development program)
The M3GO project is a small project funded by the GeoConnections program. It is a “proof of concept” of the ontology/semantic work that is needed while developing an NSDI such as the Canadian Geospatial Data Infrastructure (CGDI), helping in data discovery through a portal such as the GeoConnections Discovery Portal.

3 WHAT IS DACS?
An authentication and access control framework that facilitates secure sharing of HTTP-based web services
Web service: any static or computational resource available through a web server using HTTP (HTTPS), e.g., a web page, document, CGI/ASP program, servlet, database query, file upload/download, generated image, gazetteer request, DACS operation

4 WHAT IS DACS? “Single Sign-On”
User doesn’t need an account on every system; is authenticated just once
Implemented by a customized web server and a set of CGI programs
Designed and implemented by DSS as a component of NFIS, with participation of the National Forest Information System (NFIS) Project Office and the PFC/IRMS group, with support from GeoConnections

5 FEDERATIONS/JURISDICTIONS
Deployed as a federation of jurisdictions
Jurisdiction: an administrative entity providing authentication services for its users, web services, or both
All interaction is through a web server that provides DACS services for the jurisdiction
An organization, department, lab, or workstation can be a jurisdiction
The set of jurisdictions and their users is open (not static)
Federation: a set of cooperating jurisdictions (NFIS has 7 jurisdictions in the federation)

6 Two Federations: “alpha.org” and “beta.org”
[Diagram: two federations. alpha.org contains the jurisdictions ant.alpha.org, arrow.alpha.org and air.alpha.org; beta.org contains bat.beta.org and boron.beta.org. Each jurisdiction runs a web server with DACS that provides Authentication and Services; jurisdictions communicate over SSL/TCP/IP.]

7 AUTHENTICATION
A jurisdiction authenticates its users using its existing mechanisms (e.g., login name and password)
If successful, DACS creates encrypted credentials that identify the user and accompany subsequent service requests
User presents credentials when making a service request; only DACS can decrypt them

8 AUTHENTICATION
Authentication is a DACS service; any authentication method that can be encapsulated by a service request can be supported
DACS defines the service protocol by which it requests a jurisdiction to authenticate its users
Goal is to minimize jurisdictions’ implementation effort (common methods have already been implemented)

9 USER AUTHENTICATION
[Diagram: the user sends authentication info over SSL/TCP/IP to the user’s jurisdiction, where the web server/DACS (driven by the DACS config) invokes the DACS Authentication Service. That service calls the jurisdiction’s Local Authentication Service and Local Roles Service over HTTP/XML, and user credentials are returned to the user.]

10 AUTHENTICATION
DACS does not manage user accounts on behalf of jurisdictions
Jurisdictions are isolated from implementation details; DACS provides the “glue”
DACS can support “cascading” requests (server-server service requests)
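The authentication flow of slides 7 to 10, as an added example that is not DACS's own code: DACS delegates the login to the jurisdiction's existing mechanism (here a constructed `local_auth` callable), asks a `local_roles` callable for the user's roles, and issues a credential naming the user, jurisdiction and roles that later accompanies service requests. The slides say the credentials are encrypted and only DACS can decrypt them; this sketch substitutes an HMAC-authenticated token (integrity-protected rather than encrypted, using only the Python standard library) so that only the holder of the DACS key can verify or mint one. The key, lifetime, token layout and the `ant.alpha.org` user table are all assumptions made for the example.

```python
"""Issuing and checking DACS-style credentials (added example, not DACS code)."""
import base64
import hashlib
import hmac
import json
import time
from typing import Callable, Dict, List, Optional

# Only the jurisdiction's DACS holds this key, so only it can verify or issue
# credentials. Constructed value for the example; a deployment would use a
# random secret.
DACS_KEY = b"constructed-example-key-not-for-use"
CREDENTIAL_LIFETIME = 3600            # seconds a credential stays valid (assumption)


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def authenticate(jurisdiction: str, username: str, password: str,
                 local_auth: Callable[[str, str], bool],
                 local_roles: Callable[[str], List[str]],
                 key: bytes = DACS_KEY, now: Optional[int] = None) -> Optional[str]:
    """DACS hands the login to the jurisdiction's own authentication service
    (local_auth) and, on success, asks its roles service and issues a credential
    naming the user, the jurisdiction and the roles. Returns None on failure."""
    if not local_auth(username, password):
        return None
    now = int(time.time()) if now is None else now
    payload = {"name": username, "jurisdiction": jurisdiction,
               "roles": local_roles(username),
               "issued": now, "expires": now + CREDENTIAL_LIFETIME}
    body = _b64(json.dumps(payload, sort_keys=True, separators=(",", ":")).encode())
    tag = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return f"{body}.{tag}"


def validate(credential: str, key: bytes = DACS_KEY,
             now: Optional[int] = None) -> Optional[Dict[str, object]]:
    """Return the identity carried by a credential presented with a service
    request, or None if it was forged, tampered with, malformed or has expired."""
    try:
        body, tag = credential.split(".", 1)
        expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(tag)):
            return None
        payload = json.loads(_unb64(body))
        now = int(time.time()) if now is None else now
        if now >= int(payload["expires"]):
            return None
        return payload
    except (ValueError, KeyError, TypeError):
        return None


# Constructed stand-in for one jurisdiction's existing login mechanism and roles
# lookup (slide 9's "Local Authentication Service" and "Local Roles Service").
# A real jurisdiction keeps its own accounts; DACS never manages them.
_ANT_USERS = {"alice": ("s3cret", ["forester"]), "bob": ("hunter2", [])}


def ant_local_auth(username: str, password: str) -> bool:
    stored = _ANT_USERS.get(username)
    return stored is not None and hmac.compare_digest(stored[0], password)


def ant_local_roles(username: str) -> List[str]:
    return list(_ANT_USERS.get(username, ("", []))[1])


if __name__ == "__main__":
    cred = authenticate("ant.alpha.org", "alice", "s3cret", ant_local_auth, ant_local_roles)
    print("issued:", cred)
    print("validated:", validate(cred))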

11 ACCESS CONTROL
A jurisdiction is totally responsible for specifying access control for its web services
Access control is performed on a service request (a URL)
An access control rule specifies:
What services the rule applies to (URLs)
How the service can be accessed (a predicate)
Who the rule applies to (which users)

12 ACCESS CONTROL
An access control rule can:
refer to elements of the credentials (e.g., user’s name and jurisdiction) or environment (e.g., the user’s IP address)
refer to service request parameters (e.g., “SCALE must be greater than 1000”)
specify additional parameters to pass to an invoked program (“constraints”)
apply to any member of a defined group of users
apply to a DACS service

13 SERVICE REQUEST PROCESSING
Incoming service request passed to DACS by the web server
DACS validates the user’s credentials
DACS looks for the most specific access control rule that applies to the service request (URL matching)
DACS checks if the rule grants permission to this particular user, possibly testing the service request’s parameters
If permission is granted, the service request is processed normally (DACS exports the identity of the user, etc.)
If permission is denied (“403 Forbidden”), an error handler is invoked

14 GROUPS
During authentication, a jurisdiction can associate the user with roles, defining role-based groups
A jurisdiction can also define named groups; members are users, role-based groups, or other named groups
Group definitions are distributed among the jurisdictions and can be referenced in access control rules throughout the federation
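The rule model of slides 11 and 12, the request-processing steps of slide 13 and the group model of slide 14, carried through in one added example that is not DACS's own code. A rule names the services it covers (a URL prefix), who it applies to (a user, a role-based group, a named group or everyone) and how the service may be accessed (a predicate over credentials, environment and request parameters), plus constraints to pass on. The decision picks the most specific matching rule, checks membership and the predicate, and either exports the identity with the constraints or answers 403. The `Rule` fields, the `role:`/`group:` naming, the `DACS_IDENTITY` variable, the sample rules and the group table are assumptions made for the example; credentials are taken as already validated (a dict, or `None` for an unauthenticated request).

```python
"""DACS-style access control decision for one service request (added example)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

Credentials = Optional[Dict[str, object]]   # validated credentials, or None if absent
Params = Dict[str, List[str]]               # parsed service request parameters
Predicate = Callable[[Dict[str, object], Dict[str, str], Params], bool]


@dataclass
class Rule:
    url_prefix: str                         # what services the rule applies to
    who: List[str]                          # "user@jurisdiction", "role:<r>", "group:<g>" or "*"
    predicate: Predicate = lambda cred, env, params: True   # how the service may be accessed
    constraints: Dict[str, str] = field(default_factory=dict)  # extra params for the program


@dataclass
class Decision:
    status: int                             # 200 granted, 403 Forbidden
    rule: Optional[str]                     # url_prefix of the deciding rule, if any
    exported: Dict[str, str]                # identity and constraints handed to the service


def identity(cred: Dict[str, object]) -> str:
    return f"{cred['name']}@{cred['jurisdiction']}"


def is_member(cred: Credentials, who: List[str], groups: Dict[str, List[str]],
              depth: int = 0) -> bool:
    """Who the rule applies to: a user, a role-based group, a named group (possibly
    nested) or everyone ("*"). Unauthenticated requests match only "*"."""
    if depth > 32:                          # guard against cyclic group definitions
        return False
    for w in who:
        if w == "*":
            return True
        if cred is None:
            continue
        if w == identity(cred):
            return True
        if w.startswith("role:") and w[5:] in cred.get("roles", []):
            return True
        if w in groups and is_member(cred, groups[w], groups, depth + 1):
            return True
    return False


def most_specific_rule(rules: List[Rule], path: str) -> Optional[Rule]:
    """URL matching: among rules whose prefix covers the path, take the longest."""
    def covers(prefix: str) -> bool:
        base = prefix if prefix.endswith("/") else prefix + "/"
        return path == prefix or path.startswith(base)
    candidates = [r for r in rules if covers(r.url_prefix)]
    return max(candidates, key=lambda r: len(r.url_prefix), default=None)


def check_request(rules: List[Rule], groups: Dict[str, List[str]], url: str,
                  cred: Credentials, env: Dict[str, str]) -> Decision:
    """Slide 13's steps after credential validation: find the rule, test who and
    how, then grant (exporting identity and constraints) or deny with 403."""
    parts = urlsplit(url)
    params = parse_qs(parts.query)
    rule = most_specific_rule(rules, parts.path)
    if rule is None:                                  # no applicable rule: deny
        return Decision(403, None, {})
    if not is_member(cred, rule.who, groups):
        return Decision(403, rule.url_prefix, {})
    if not rule.predicate(cred or {}, env, params):
        return Decision(403, rule.url_prefix, {})
    exported = dict(rule.constraints)
    exported["DACS_IDENTITY"] = identity(cred) if cred else ""   # variable name is an assumption
    return Decision(200, rule.url_prefix, exported)


# Constructed group definitions: members may be users, role-based groups or
# other named groups, as slide 14 describes.
GROUPS = {
    "group:analysts": ["alice@ant.alpha.org", "role:forester"],
    "group:staff": ["group:analysts", "bob@bat.beta.org"],
}


def scale_over_1000(cred, env, params) -> bool:
    """Slide 12's example predicate: SCALE must be greater than 1000."""
    try:
        return int(params.get("SCALE", ["0"])[0]) > 1000
    except ValueError:
        return False


# Constructed rules for one jurisdiction.
RULES = [
    Rule("/public", who=["*"]),
    Rule("/maps", who=["group:staff"], predicate=scale_over_1000,
         constraints={"LAYER_LIMIT": "10"}),
    Rule("/maps/admin", who=["alice@ant.alpha.org"],
         predicate=lambda cred, env, params: env.get("remote_addr", "").startswith("10.")),
]

if __name__ == "__main__":
    alice = {"name": "alice", "jurisdiction": "ant.alpha.org", "roles": ["forester"]}
    print(check_request(RULES, GROUPS, "/maps/render?SCALE=5000", alice, {"remote_addr": "192.0.2.5"}))
```

Because the most specific rule wins, `/maps/admin` is decided by its own rule even though `/maps` also covers it, and a request with no covering rule is denied rather than falling through.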

15 IMPLEMENTATION
Prototype runs on Linux/Solaris/FreeBSD with Apache (i386 and Sparc architectures)
Open source, standards-based, proven technologies
Portable – largely platform independent (ANSI C, POSIX)
Unix and NT authentication components
Design and implementation can be examined for security weaknesses; specifications are available

16 WHY DACS?
Special requirements:
Architectural model (independent/cooperating jurisdictions, heterogeneous, distributed, available)
No client-side code, special installation, etc.
Support for a wide variety of services
Open set of jurisdictions and users, including “guests”
Needs/requirements not yet well understood
Standardization still in progress (e.g., SAML, XACML, …)
Existing solutions? Probably not yet.

17 ENHANCEMENTS?
Port to Microsoft/IIS/ASP
Support for user certificates
Support for additional authentication components (e.g., PAM, RADIUS, LDAP)
Integration with Java?
Invocation by applications?
Many other possibilities…

18 ADDITIONAL INFORMATION
National Forestry Information System (overview)
DSS – Distributed Systems Software, Inc.
Dr. Barry Brachman, DACS System Architect
Pacific Forestry Centre, Integrated Resource Management Systems
Rick Morrison, NFIS technical lead
Tel: (250)

