See discussions, stats, and author profiles for this publication at: https://www.researchgate.

net/publication/250310860

A Closer Look at Authentication and Authorization Mechanisms for Web-based

Applications

Conference Paper · January 2012

CITATIONS READS

7 8,034

2 authors:

Sharil Tumin Sylvia Encheva

Trimensity Tech Høgskulen på Vestlandet
140 PUBLICATIONS 157 CITATIONS 351 PUBLICATIONS 893 CITATIONS

SEE PROFILE SEE PROFILE

All content following this page was uploaded by Sylvia Encheva on 30 May 2014.

The user has requested enhancement of the downloaded file.

 Recent Researches in Applied Information Science

A Closer Look at Authentication and Authorization Mechanisms

for Web-based Applications
SHARIL TUMIN
University of Bergen
IT Dept
P.O. Box 7800, 5020 Bergen
NORWAY
SYLVIA ENCHEVA
Stord/Haugesund University College
Faculty of Technology, Business and Maritime Sciences
Bjørnsonsg. 45, 5528 Haugesund
NORWAY

[email protected] [email protected]

Abstract: Authentication is a process by which you provide proofs that you are who you claim to be. Authoriza-
tion is granting you valid permissions. Everyone is familiar with authentication i.e. login process but not so with
authorization. Web-based applications introduced the needs for more understanding of these two processes to both
users and implementors. Security data are managed into two related categorizations; authoritative and operational.
To provide flexible and efficient administration, accounts, groups and resources data are managed distributively
following organizational structures and are based on delegation of rights and responsibilities. To optimize opera-
tion, security data are duplicated into directory server to be used by Web-based applications.

Key–Words: Authentication, authorization, access control, security management, security implementations

1 Introduction can be described by a triplet [I, , ’] where I is the

We the users need to authenticate ourself every time
we initiate interaction with a computer system and are
then given permissions dependent on our authoriza-
tion data, either automatically or by providing some
extra authorization credentials depending on the op-
erational security policies governing the protected re-
sources of the organizations and enterprises we belong
to.
Basically, an authentication process is a way by
which you provide proofs to a system, that you are in
fact, who you claimed to be, by presenting a valid cre-
dential. At its simplest form this credential is a pair of
user identification and password. A user identification
(U) is a unique string of characters or digits directly
related to a user entity whether it is a human, a thing or
a program. A password (P) is a secret phrase known
only to the user and not directly known to the system,
but directly related to the user identification. Thus, to
be authenticated I, a user needs to provide a valid pair
of [U,P].
Authentication is not authorization, but to be au-
thorized you need to be authenticated first, since per-
missions mandate three attributes conditions of 1)
who, 2) what and 3) which, within a user’s work ses-
sion in relation to I with a system. A permission (Q)
validated identity,  is a non empty set of allowable
operations, and ’ is a non empty set of resources.
Permissions are real time attributes for control-
ling users’ access and operations to protected re-
sources. Authorization data is much more involved
than the authentication data. To provide real time
user’s permissions, authorization processes need to be
assisted by groups and groups memberships coupled
with resource owners and resource groups. Manage-
ment of authorization data is necessarily delegated to
different managers closely related to organizational
structure and resource ownership.
Authentication and authorization are explicitly
defined in any operating system for example, Linux,
Windows, and MacOS. Different DBMS (database
management system) manage authentication and au-
thorization differently, some are more involved and
complicated than others. Whatever methods being
used, the bottom line is; authentication - identifies
valid users and authorization - provides correct per-
missions of access and operations on protected re-
sources, in another word, Scontrolling Q = [I, , ’]
at any one time, where i=1...n = ‘U represents all
permissions granted to a particular user U.
More and more enterprise critical applications

ISBN: 978-1-61804-089-3 100

 Recent Researches in Applied Information Science
provided to users are Web-based. Users interact with
the underlying services provided by computer systems
using Web browsers. The works concerning authenti-
cation and authorization are becoming more impor-
tant than ever before, to both users and developers of
Web-based applications. The general security of the
underlying and supporting systems for a Web-based
application are very much dependent om how the au-
thentication and authorization are implemented on the
application level.
In this paper we concentrate on the problems and
solutions to authentication and authorization mecha-
nisms and processes for Web-based applications in re-
lations to users, groups, resources authoritative data
management and operational data deployment. In par-
ticular we will be presenting a distributive, delegated
management model coupled with LDAP (Lightweight
Directory Access Protocol) directory services to be
used as a centralized authentication and authorization
server for all Web-based applications throughout the
enterprise.
2 Background
Any centralized security implementation must neces-
sarily reflect the underlining organizational structure
of an enterprise. A typical structure would be hierar-
chical and implemented using a treelike structure. In a
hierarchical organization, every entity in the organiza-
tion, except the top most one, is subordinate to a single
other entity. In an educational organization, a univer-
sity is divided into faculties. Under each faculty are
departments and each department is subdivided into
units. A hierarchical organization naturally supports
distributive management model through delegation of
rights and responsibilities at each level of the hierar-
chy.
Persistence data are stored in two commonly used
data storage structures; 1) relational database, and 2)
data directory. These structures are optimized for data
searching and selecting for different information stor-
age and retrieval operations.
As to the relational database type, data are stored
in a collection of relations implemented as data tables.
Each data tables are organized as columns of attributes
and rows of entry to represent a particular objects.
Applications can access data by submitting queries to
insert, select, modify and delete rows of data entries
using SQL (Structured Query Language). It is neces-
sary for each data row in a data table to be uniquely
ISBN: 978-1-61804-089-3
identifiable. The identification is done by some com-
bination (one or more) of its attribute values. Different
data tables in the same database can be joined together
under SQL operations [1].
A data directory store data in a DIT (Directory
Information Tree) where data are represented in a hi-
erarchical treelike structure uniquely addressable by
DNs (Distinguished Names). Each object identified
by a DN holds attributes. Each attribute has a name,
type and description, and one or more values. The at-
tributes’ names and values are defined by a schema
[2]. There are three levels of search scope in a DIT; 1)
scope base - the object entry only, 2) scope onelevel -
its immediate decendents only (excluding the object),
and 3) scope subtree - the object and its DIT subtree.
Data retrievals can specify a set of attributes to be re-
trieved, where an empty set means all attributes.
2.1 Central Identity Management
An IdM (Identity Management) system manages
users’ accounts and groups related data to be used to
identify and authorize users across computer networks
within an organizational domain and inter-domain
collaborations [3]. It behooves the organization to
have a central IdM to cater for enterprise wide au-
thentication/authorization mechanisms to all organi-
zational’s Web-based applications.
In order to be flexible and responsive, the IdM
should be deployed with two main conceptual parts;
1) authoritative, and 2) operational, as shown in Fig-
ure 1. The authoritative part implements the admin-
istrative functions of the system while the operational
supports the LDAP-based authentication and autho-
rization mechanisms for the Web-based applications.
Given that the organization structure is hierarchi-
cal, management rights and responsibilities can be
delegated and distributed at each level of the hierar-
chy. Let assume that we have a simple hierarchical
structure with maximum depth of three and M000000 is
the master manager group i.e. members of this group
have all managerial rights. Lower manager groups are
labeled with subscripts in relation to their position in
the organizational tree.
The first two digits signify faculties, the middle
two digits signify departments and the last two digits
signify units. For examples; 1) M110000 is the man-
ager group for the whole faculty, 2) M112600 is the
manager group for a department under a faculty, and
3) M112614 is the manager group for a unit under a
department.
101
 Recent Researches in Applied Information Science
Figure 1: A Typical IdM Architecture
In fact, the subscripts scheme discussed here can
be used to label any type of groups, for example; 1)
U112600 – users belonging to a department, 2) R112614
– resources belonging to a work unit. It is natural to
label groups that reflect the organizational structure.
Authoritative data are stored in a relational database
containing data tables that map these relations. Op-
erational data stored in a data directory DIT will nat-
urally follow the organizational tree for data objects
that implement organizational security policies.
2.2 Accounts, Groups, Resources and Con-
trols
Web-based applications provide services to users.
Users are those registered to the IdM by having users’
accounts. A person having an account will at it sim-
plest form know a pair of security credential namely,
user-identifier (U) and user password (P). An ac-
count is basically an identity of a person or a process
coupled with credential data which provide proof of
authenticity. Providing a valid credential will validate
a person thereby granting access to protected applica-
tions and permits operations on resources depending
on user’s roles.
The password is only known to the person owning
ISBN: 978-1-61804-089-3
the account. Users’ passwords must never be stored
in clear text by the system. Passwords are normally
stored by the system in cryptographic hash [4] values
as exemplified in Table 1.
Table 1: Cryptographic Hashes Values
Functions Values (Password = 123abc#!)
Crypt SA7QICgO9uVOQ
MD5 cyV9tkiFa6dKZ6h+NRgbvA==
SHA1 iXr77gK7q4bdCRX4zfXqsWeb/rU=
Values (Password = 123abc#!Z)
Crypt SA7QICgO9uVOQ
MD5 UMIjRuU9uCzfKRCy/aAotQ==
SHA1 VIdFcOQS0VErsMXi/RxX5Y2yMPA=
There are three basic mechanism of access control [5]:
DAC − Discretionary Access Control
MAC − Mandatory Access Control
RBAC − Role Based Access Control
A DAC is a credential based access control. A user is
identified by a validation process of user-identification
and user password. Group members can also be vali-
dated using group’s password. A user is the owner to
resources for example all files under the user’s home
directory and sub-directories. The user, at her own
discretion can change permissions of users including
her own self for all resources owned by her. The user
can transfer ownership of a resource or group of re-
sources to another user. In an operating system, a spe-
cial super user practically owns all system resources.
This super user is called root user in a Unix system.
A person authenticated as root has all the permissions
on all resources.
A MAC is often used to control highly sensitive
resources. It is centrally managed, enforcing organi-
zational security policies in which all resources be-
long to the organization with no possibility of individ-
ual ownership. Each protected resource is assigned
a security tag depending on what security level the
resource was assigned to. A resource with a high
security level can be downgraded after a period of
time. Users with a specific security level can access
resources labeled with the same or lower level. The
management of security levels for both resources and
users will follow strict procedural protocols and cen-
trally defined policies.
A RBAC is an access control based on an indi-
vidual roles of a particular user. Roles are defined
102
 Recent Researches in Applied Information Science
in relation to persons’ work responsibilities and or-
ganizational security policies. Access control based
on groups and roles could be applied successfully
within organizations with clear hierarchy of authori-
ties and separation of duties, for example; 1) hospitals,
2) banks, and 3) universities. Conceptually, RBAC
is defined by named sets containing users, resources
and operations as shown in Figure 2. Groups and Re-
sources pools are managed centrally and could be del-
egated by strict sign-in and sign-offs and procedures
in relation to the organizational hierarchical structure.
Figure 2: RBAC: Memberships, Permissions and Au-
thorizations
2.3 LDAP
LDAP (Lightweight Directory Access Protocol) is an
application protocol for accessing information stored
in a simpler version of X.500 directory server imple-
mentation. LDAP only supports a subset of the com-
prehensive X.500 directory services specifications.
While X.500 supports a multi-servers distributive di-
rectory configuration, LDAP is only supporting a sin-
gle client-server operation.
A directory server implementing LDAP supports
these data model and core services:
i. Hierarchical Names − Data components
are defined in a hierarchical directory with hi-
erarchical names in contras to a flat directory
like phone-books. A data component such as
uid=edpst,ou=people,dc=uib,dc=no represent a user
with user-identifier edpst defined under an organiza-
tional components people belong to organization uib
within a country no.
ii. Typed Name Components − Named (i.e. address-
able) data components are typed, for example; UID
(User Identification), CN (Common Name), O (Orga-
nization), OU (Oragnizational Unit), C (Country), DC
(Domain Component). This in contrast to a typeless
ISBN: 978-1-61804-089-3
name schemes such as the domain name for example
siam.uib.no. Some components type are leaf (external)
nodes, e.g. uid=edpst,ou=people,dc=uib,dc=no while
others are internal nodes, e.g. ou=people,dc=uib,dc=no.
The name components are case insensitive i.e.
UID=STU001,OU=People,Dc=uib,dc=NO is treated as
equal to uid=stu001,ou=people,dc=uib,dc=no.
iii. Typed Objects − Data components are specific
collections of data objects. Data objects have types
defined by object classes, for example People, Orga-
nizations, and Computers.
iv. Typed Attributes − Data objects are set of data
attributes with specific names and values, for exam-
ple, set of names, telephone number, and given name.
The attributes values are usually encoded as UTF-8
(8-bit Unicode Transformation Format) strings. Some
attributes can contain value with binary data such
as JPEG (Joint Photographic Experts Group) com-
pressed digital pictures format.
v. Directory Operations − These operations are; 1)
read, 2) compare, 3) search, 4) add, 5) delete, and 6)
modify.
vi. Security Models − Individual data component
can be protected using internal ACL (Access Control
List). Permissions are given to a specific user after
a successful authentication process call LDAP bind.
Public access are given all with anonymous bind i.e.
binding without user identification and password.
3 Implimentation
Web browsers, i.e. application clients communicate to
Web-based applications servers using HTTP (Hyper-
text Transfer Protocol). Massages, controls and data
are send in HTML (HyperText Markup Language),
XML (Extensible Markup Language), CSS (Cascad-
ing Style Sheets), JavaScript and binary images.
Most Web-based applications provides LDAP au-
thentication as a standard configuration, however none
provide a standard authorization mechanism using
LDAP. This is not surprising since authorization is
very much dependent on applications, resources and
local security policies.
As LDAP directory services are modeled after
a client-server architectural model; firstly, a central-
ized IdM for enterprise user accounts management is
a prerequisite condition and secondly, all Web-based
applications will need to establish working connec-
tion with the directory server. There are three ways
by which a Web-based application acting as direc-
103
 Recent Researches in Applied Information Science
tory service client can get information from a central-
ize directory server; 1) directly, by using supporting
LDAP client libraries, 2) indirectly via REST (Rep-
resentational State Transfer) services from a HTTP
server, and 3) indirectly using AJAX (Asynchronous
JavaScript and XML) on a Web browser from a HTTP
server that supports AJAX, refer to Figure 1.
3.1 Authentication
There are two complimentary parts in data manage-
ment which concern users accounts, credentials, roles
and permission, namely 1) authoritative, and 2) oper-
ative as shown in Figure 1. Authentication is about
providing a correct credential during the validation
process of login or sign on to a Web-based application.
While user account creation is nothing more than reg-
istering a person with an user identification and user
password. There are many details in the process of
account creation which effect matters concerning; 1)
efficiency, and 2) security of an enterprise.
With efficiency in mind, these concerns amongst
other matters were implemented:
i.Web-based account application, registration, ap-
proval and creation.
ii. Web-based accounts management based on dis-
tributive rights and responsibility through delegation.
iii. Self-service management of editable personal
data and password change.
iv. Disallow use of special local alphabetic char-
acters in password, e.g. Å, å, Æ, æ, Ø, ø which will
eventually introduce login problems due to different
type of keyboards.
Security policies implementation is the major un-
dertaking, a few important deployments are:
i. One person one account policy. No two or more
persons sharing an account. A person only owns one
user credential.
ii. Automatic user identifiers will ensure uniqueness
and protection against trivial mapping of user name to
user identification, e.g. the system will assign “Peter
White” an identifier “pew028” instead of “peter”.
iii. Enforce a strong password policies, e.g. more
than 10 characters long, mix upper case, lower case,
digits and non-alphanumeric.
iv. Enforce password aging and password recycle
policies.
v. Implement automatic account expiration and
deletion based on publicly accessible documented
policies.
The authoritative data are stored in an Ora-
ISBN: 978-1-61804-089-3
cle RDBMS (relational database management sys-
tem) use by the Web-based applications implementing
the self-service and operators management functions.
Authentication data are synchronized to the operative
data storage, where each active account will have a
data entry component in the LDAP server.
Normally user credentials are stored in posixAc-
count ldap’s ObjectClass where user identity is stored
in the ‘required’ uid attribute and user password is
stored in the ‘may have’userPassword attribute. To
provide authentication both attributes must be used.
The content of the userPassword can be a clear text
password, but this should never be used, instead pass-
word is stored in Crypt or base64 encoded hash values
as shown in Table 1. The SHA1 hash function is better
then MD5 and take note that Crypt uses only the first
8 characters. There is no reason not to use the SHA1
for storing users passwords in LDAP server.
A login process is a mapping [U,P]valid 7→
I session , i.e. as long as I session is valid, its holder will
have the rights of U. For Web-based application the
I session is stored as one of the data in session cookies
of the Web browser, I session ∈ “.
3.2 Authorization
An authorization process is granting a set of permis-
sions ‘U , where each Qi ∈ ‘U can be fully described
by a triplet [I, i , ’i ], for examples,
Q1 :[I, {read},{http://form.uib.no}]
Q2 :[I, {read, write},{file://store.uib.no/data}]
Q3 :[I, {manage},{dit:ou=it,dc=uib, dc=no}]
remember that I for a specific session holds the ref-
erence to the validated user and consequently groups
and roles the user U is a member of. While I changes
from session to session, the U referred to by a partic-
ular I session will always identify the same enterprise
user. In another word, to be authorized, a user must
be authenticated first.
HTTP is a stateless protocol [6]. In order for a
web server to know in what state a web client (web
bowser) is currently in, the web client needs to send
state data back to the web server each time a new re-
quest is made by the web client. The state data are
stored in web cookies. A web cookie has name and
value pair and these attributes; 1) domain, 2) path, 3)
expiration time, 4) secure flag, and 5) httponly flag. A
web cookie and its attributes must not be longer than
4095 bytes [7].
All authenticated to a Web-based application
users have session data stored in cookies. There are
104
 Recent Researches in Applied Information Science
two ways to store user’s session data; 1) Cb , all data
are stored in web cookies by the web browser, and 2)
C s , only session identifier I is stored in a web cookie,
while session data are stored in a database on the web
server. C s provides the most flexible solutions.
Authorization data can be obtained from the
LDAP server; 1) all at once, ‘U and store the set in
C s , as a part of authentication process, or 2) on de-
mand, Qi depending on which Ri ∈ ’i and store it in
Cb . Permissions on Ri can be checked and operation
Oi ∈ i can be granted based on data store in Cb or C s .
Since ad hoc management of access controls data are
done, Cb provides the most up-to-date and accurate
authorization data, while C s needs user U relogin.
3.3 Distributive Management
Authentication data are stored under a flat uid branch
of a DIT, normally under the ou=people,dc=uib,dc=no,
for example uid=edpst,ou=people,dc=uib,dc=no.
To manage access controls data, three man-
agement interfaces on a Web-based application are
provided; 1) roles, 2) resources, and 3) permis-
sions. The DIT is arranged to reflect the organi-
zational tree where each organization unit is identi-
fied by a 6 digits number. Each organization unit is
placed under the ou=roles,dc=uib,dc=no, for example
ou=221000,ou=roles,dc=uib,dc=no.
A group for example zoo under 221000 will be
named as ou=zoo,ou=221000,ou=roles,dc=uib,dc=no.
Roles will be placed under each group, for example:
cn=admin,ou=zoo,ou=221000,ou=roles,dc=uib,dc=no
cn=user,ou=zoo,ou=221000,ou=roles,dc=uib,dc=no
where each role will holds a group of uid names. The
role cn=admin,ou=... is special. This admin role has
the rights to manage all DIT entries under the ou=...
i.e. members of the role can add, delete, and modify
entries in the branches below.
All resources owned by 221000 will be placed
under ou=221000,ou=res,dc=uib,dc=no, for example
cn=sebra,ou=221000,ou=res,dc=uib,dc=no in which a
groups of resources are defined. Permissions are
defined under a resource data entry for example:
cn=read:opr,cn=sebra,ou=221000,ou=res,dc=uib,dc=no.
cn=add:opr,cn=sebra,ou=221000,ou=res,dc=uib,dc=no.
where each permission will hold a group of uid
names. Members of the group have the permission to
perform operation X defined in the cn=X:opr... on the
group of resources defined in its parent.
The distribution of management responsibilities
and rights for the whole DIT are effectuated by the
ISBN: 978-1-61804-089-3
View publication stats
cn=admin,ou=... data entries at any position of the DIT.
Managers of an organizational unit will be defined as
members of cn=admin,ou=... for that unit, for example:
cn=admin,ou=221000,ou=roles,dc=uib,dc=no
cn=admin,ou=221000,ou=res,dc=uib,dc=no
Any ou=... can have another ou=... which defined an
internal node. Any ou=... can have a cn=... which
defined an external node. Any amount of distributive
model can be implemented in the DIT.
4 Conclusions
We have described in details how authentication and
authorization for Web-based applications can be mod-
elled and implemented using LDAP. Working habits
of modern people are changing. The current and most
probably the future trend is mobility. Touch screen
internet tablets and smartphone would be the future
tools of choice. These small and light devices will
have theirs programs, application and data store else-
where in the Internet clouds. In this respect, the Web
plays a major role in providing mobile users with crit-
ical business data, applications and services. The un-
derstanding of how authentication and authorization
can be managed and deployed securely and effectively
is a key factor for continuing success of the Web.
References:
[1] Momjian, Bruce: PostgreSQL: Intrduction and
Concepts. Addison-Wesley, ISBN 0-201-70331,
2001.
[2] Abrech, Henry: Directory Service Integration
and Deployment Guide. Oracle, Release 2 (9.2),
Part No. A96579-01, 2002.
[3] Buecker, Axel: Identity Management Advanced
Design IBM, Redbooks series, SG24-7242-00,
First Edition, 2006.
[4] Ferguson, Niels; Schneier, Bruce: Practi-
cal Cryptography Addison-Wesley, ISBN 978-
0471223573, 2003.
[5] Endler, David et al.: A Guide to Building Secure
Web Application OWASP, 2002.
[6] Fielding, R et al.: RFC 2616 Hypertext Transfer
Protocol HTTP/1.1 The Internet Society, 1999.
[7] Kristol, D; Montulli, L.: RFC 2109 HTTP
State Management Mechanism Network Work-
ing Group, 2010.
105