The Raven Web Authentication Service Jon Warbrick University of Cambridge Computing Service


1 The Raven Web Authentication Service Jon Warbrick University of Cambridge Computing Service jon.warbrick@ucs.cam.ac.uk

2 What is it? ● Some software – grandly entitled 'The University of Cambridge Web Authentication System' (ucam-webauth) ● A centrally-managed authentication server – the real 'Raven' ● What does it give you? – an authenticated identity for a web browser user ● Why authentication, why ANOTHER system?

3 Why do we need authentication? ● Much of the time we don't and shouldn't – the web succeeded because it was free ● But sometimes we do – to control access – so we know who we are talking to – to provide customisation, user privacy, etc. ● AAA - Access control, Authentication, Authorization

4 IP address-based and DNS name-based ● Only does access control ● Too lax – just who has access to a.cam.ac.uk host? – open proxies ● Too restrictive – working at home, in another department, etc. ● But in practice it's all we've got... –... at the moment

5 Public/private keys and PKI ● Client keys/certificates supported in https: ● But https: can be overkill ● Transporting keys is tricky: – Please memorise your new 1024-bit private key: – MIICXQIBAAKBgQDf+LNk7CvEBGM5EgJBhhN7sh0yDZdOqVBlmfL5xHJvn3feRGSy MLvIWiBxZNkYUUOKDPdr/kj3i+FQ+W4udpUscIj6g6OZHhaH1JgdFrfUHu1Jgb8c uTWzTM2yaWj0zcPS8ca4sHGYVzXrUQR7HHMgJjcaLd9QL0rhsnXHcZF9FwIDAQAB AoGAcI7kWUv3ksNBumS6jYN8NyYEVitOZ1Hf/a+o1K1NdZuG+kUU9hhXxxDETTiJ ghcVAkQR9EwPD5lU2wT/wooF3SZ8fvCQz8aynUepdtfvDxh5576sAFNIifFenT6J O8n7k7E+k/nCczioniPWnxuI4XA0oJs7j8QJnaarHUGvvEECQQD9s+CSyWGkvTod Hu/q6+vbDQflvxL0sVWGr+6xkI3XdBj/oKIOapgHjZx/Xl9eJB6lpnYlH5LKW2EW EPWIwOolAkEA4f/m6bQY0o9ut5uDGDnJ/Ivf6xDFzySw5TPZgPN+wKdrf3gQmUWk ImwAX7ImDHhxK9O6W7p+SJH3/yGyKOJ/iwJBAJfNf7yU/vYBu7oc/tWEYNXrUCRq Vj9PtKsorhxVMGoQr7yVMyKJKXqrg066+zlrR2M63UqNP9oRH2CCuUgglnkCQEc7 ENy4FtrGum7EZR1NmYwvyfOc5bvUJK0ZGoS6Okkee5NBlHm6qXDv+W4wCC4GCCV4 JlSjAwp8d13CkRSxzuECQQDsuG/4/a2w3rBfxcE43wbSTC6PPWJa7WUcx8jQy6s8 lHl+ticOSiYv4YqO0djPgBN8EzV7Axy15VFUO7RLutKs

6 So that leaves us with passwords ● Passwords are well known but little understood ● Users accumulate user-name/password pairs – which they can't remember – so they use the same ones in lots of different places ● Administrators have to create, issue, re-issue and revoke accounts

7 Passwords (cont) ● HTTP 'Basic authentication' ● Form-based authentication – both send the password in clear – this can be resolved with https: – but we've already said https: can be overkill ● HTTP 'Digest authentication' resolves many of these problems, but has others of its own

8 A central password server? ● Web server asks user for user- name/password ● Web server sends user-name/password for validation to central server ● If validation succeeds, the web server gives the user the resource they want ●... and can now impersonate the user on every other web server in the system

9 ... and so to Raven ● It's a... –... centrally managed... –... password based... –... authentication service for web applications... –... that doesn't give away users' passwords ● Relies on features of HTTP and common browsers, hence limited to web contexts

10 How does it work?

11-19 How it works, step by step. Three parties: the browser [br], the web server [ws] holding the resource, and the authentication server [as] (the real 'Raven'). A cookie is set at the steps marked *.

 1. User requests a URL.                     br → ws : URL
 2. Web server redirects to auth service.    ws → br : redirect(authURL+request(URL))
 3. Browser contacts auth service.           br → as : authURL+request(URL)
 4-5. Auth service and user interact (the user-name and password go to as only; ws never sees them).
 6. Auth service redirects to URL+response.  as → br : set_cookie(id), redirect(URL+response(id))   *
 7. Browser requests URL+response.           br → ws : URL+response(id)
 8. Web server redirects to original URL.    ws → br : set_cookie(id), redirect(URL)   *
 9. Browser requests URL (again).            br → ws : URL, cookie(id)

20 and then... ● Subsequent requests to WS authenticated by the local cookie, until it expires ● Subsequent visits to AS can be partially or completely satisfied by the AS cookie until it expires ● The best way to logout is to quit the browser
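The nine steps above, modelled end to end in Python as an added illustration. This is not code from the slides or from the ucam-webauth project, and it is not the waa2wls wire format (see slide 38 for the real specification). Everything it assumes is marked in the comments: the AS "signs" its response with an HMAC under a key the WS also holds (standing in for whatever signature the real service uses), the response travels in a query parameter named "response", the hostnames and keys are made up, and the WS keeps a replay cache of response ids as a design choice of this model. What it shows that the diagram does not is the checks a web application agent has to make at step 7 (signature, URL binding, freshness, replay) before it is safe to set its own cookie at step 8, and why the WS never handles a password.

```python
import base64
import hashlib
import hmac
import json
import secrets
from urllib.parse import parse_qsl, urlencode, urlparse, urlunparse

# All of these are assumptions of the model, not values from the slides.
AUTH_URL = "https://as.example.invalid/auth"   # where the AS listens
AS_KEY = b"as-signing-key-for-this-model"      # shared AS/WS key standing in for the AS's signing key
WS_COOKIE_KEY = b"afef845ce49666ab04b36976a"   # per-server secret, cf. AACookieKey on slide 39
RESPONSE_MAX_AGE = 60                          # seconds a response(id) stays acceptable at the WS
COOKIE_LIFE = 3600                             # seconds the WS's own session cookie lives


def _b64(data):
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _mac(key, payload):
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


# Step 2: ws -> br : redirect(authURL+request(URL)).  The WS never asks for a
# password; it only tells the browser where to go and where to come back to.
def ws_redirect_to_as(url):
    return AUTH_URL + "?" + urlencode({"url": url})


# Steps 3-6: br -> as with request(URL); the AS alone checks the password
# (steps 4-5, not modelled), then as -> br : redirect(URL+response(id)).
# The response binds principal, issue time and the requested URL under AS_KEY.
def as_issue_response(request_url, principal, now):
    target = dict(parse_qsl(urlparse(request_url).query))["url"]
    body = json.dumps({"id": secrets.token_hex(8), "issue": now,
                       "principal": principal, "url": target},
                      sort_keys=True).encode()
    token = _b64(body) + "." + _mac(AS_KEY, body)
    parts = urlparse(target)
    query = urlencode(parse_qsl(parts.query) + [("response", token)])
    return urlunparse(parts._replace(query=query))


_seen_ids = set()   # replay cache; a real agent would bound this by RESPONSE_MAX_AGE


# Step 7: br -> ws : URL+response(id).  Verify before trusting anything, then
# (step 8) issue the WS's own cookie and send the browser back to the original URL.
def ws_handle_response(url_with_response, now):
    parts = urlparse(url_with_response)
    params = parse_qsl(parts.query)
    tokens = [v for k, v in params if k == "response"]
    if len(tokens) != 1:
        raise ValueError("expected exactly one response parameter")
    original = urlunparse(parts._replace(
        query=urlencode([(k, v) for k, v in params if k != "response"])))
    encoded, sig = tokens[0].split(".", 1)
    body = _unb64(encoded)
    if not hmac.compare_digest(_mac(AS_KEY, body), sig):
        raise ValueError("response signature does not verify")
    resp = json.loads(body)
    if resp["url"] != original:                      # response issued for another URL/server
        raise ValueError("response was issued for a different URL")
    if not 0 <= now - resp["issue"] <= RESPONSE_MAX_AGE:
        raise ValueError("response is stale or from the future")
    if resp["id"] in _seen_ids:                      # captured response(id) played back
        raise ValueError("response id already used")
    _seen_ids.add(resp["id"])
    return original, ws_make_cookie(resp["principal"], now)


def ws_make_cookie(principal, now):
    payload = "%s!%d" % (principal, now + COOKIE_LIFE)
    return payload + "!" + _mac(WS_COOKIE_KEY, payload.encode())


# Step 9 onwards: br -> ws : URL, cookie(id).  Accepted until it expires (slide 20);
# returns the principal, or None if the cookie is forged, altered or expired.
def ws_principal_from_cookie(cookie, now):
    try:
        principal, expiry, sig = cookie.rsplit("!", 2)
    except ValueError:
        return None
    expected = _mac(WS_COOKIE_KEY, ("%s!%s" % (principal, expiry)).encode())
    if not hmac.compare_digest(expected, sig):
        return None
    if now >= int(expiry):
        return None
    return principal


def run_flow(url, principal, now):
    """Walk steps 1-9 for one browser and return what the WS ends up knowing."""
    request_url = ws_redirect_to_as(url)                                     # 1-2
    url_with_response = as_issue_response(request_url, principal, now + 1)  # 3-6
    original, cookie = ws_handle_response(url_with_response, now + 2)       # 7-8
    return {"original": original, "cookie": cookie,
            "principal": ws_principal_from_cookie(cookie, now + 3)}         # 9


if __name__ == "__main__":
    print(run_flow("http://mnementh.csi.cam.ac.uk/raven-test/new-open/document1.html",
                   "jw35", 1000000))
```

Note the asymmetry the slides are driving at: `as_issue_response` is the only place a principal is asserted, and `ws_handle_response` can check that assertion without ever holding a password, which is what the central-password-server design on slide 8 could not offer. The URL check is what stops a response minted for one server from being replayed against another.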

21 So what does all this look like?

22 Request http://mnementh.csi.cam.ac.uk/raven-test/new-open/document1.html

23 Enter user-id and password and click 'Submit' to get:

24 Request http: //mnementh.csi.cam.ac.uk/raven-test/new-open/document2.html

25 Request http://raven.cam.ac.uk/project/testfiles/document1.html

26 Enter user-id and password and click 'Submit' to get:

27 Timeout: return to our first document later:

28 Click 'Continue' to get:

29 Request http://mnementh.csi.cam.ac.uk/raven-test/private/document1.html

30 Click 'Continue' and get:

31 Click 'Cancel' anywhere and get:

32 Choose 'override login options':

33 ... and get

34 Account management:


37 What doesn't it do? ● Authorization ● People without CRSids ● POST requests (properly, yet) ● Central logout ● Anything that isn't web-based ● Security

38 How do you use it? ● Protocol specification http://raven.cam.ac.uk/project/waa2wls-protocol.txt ● Pseudo-code Application Agent http://raven.cam.ac.uk/project/algorithm.txt ●... but that's the hard way

39 Apache ● mod_ucam_webauth (for Apache 1.3 and 2) ● Configuration (the per-area lines sit inside a <Directory ...> or <Location ...> container whose own lines are not legible in this transcript):

    LoadModule ucam_webauth_module modules/mod_ucam_webauth.so
    AACookieKey afef845ce49666ab04b36976a

    # inside a <Directory ...> or <Location ...> container
        Order allow,deny
        Allow from .cam.ac.uk
        AuthType WebAuth
        Require valid-user
        Satisfy any
        AADescription 'Cam-only area'

● AACookieKey is the secret that protects this server's own session cookie: use a long random value, keep it out of world-readable files, and do not reuse the one on the slide. ● Satisfy any means a visitor is let in either by coming from .cam.ac.uk or by authenticating to Raven

40 Apache (cont) ● Also supports – Require user jw35, rjd4 – Require group cs-staff – Satisfy any ● Sets REMOTE_USER environment variable (just like basic auth) and others ● Should be able to use group files, DBM files, databases,...

41 Perl CGI script

    #!/usr/bin/perl -w
    use strict;
    use Ucam::WebAuth::CGIAA;

    # cookie_key is this script's per-server secret, the CGI equivalent of AACookieKey
    my $aa = Ucam::WebAuth::CGIAA->new(cookie_key => 'eb78ba43b0222f28498');

    # Run the application agent: on a first visit this produces a redirect to the
    # authentication server; on a later visit it validates the local cookie.
    my ($complete, $headers) = $aa->authenticate;
    print $headers if $headers;    # redirect and/or Set-Cookie headers
    exit unless $complete;         # not authenticated yet: the round trip is in progress

    # Only read the principal once authentication has actually succeeded
    my $userid;
    $userid = $aa->principal if $aa->success;

42 ... and more ● A beta release of a PHP module – needs work – any volunteers? ● A JAAS implementation for Java servlet containers (e.g. Tomcat) by CARET ● A Ruby implementation by Thomas Counsell of Clare College ● Anyone for IIS ?

43 The project plan ● Now – Available on request for testing and pilot deployments ● Late June (perhaps July...) – Passwords available to everyone – Available to all cam.ac.uk web servers ● 1 September 2004 – Supported service

44 Where do you go from here? ● Pilots ● Deployment from June ● Consider expanding 'ucam-only' access ● http://www.cam.ac.uk/cs/raven/ ● cs-raven-devel-request@lists.cam.ac.uk

45 If you have been, thanks for listening I expect you have some questions

