How much does the Web security authentication mechanism know?

Source: Internet
Author: User
Tags base64 response code ticket

Today , Web services are ubiquitous, and thousands of Web applications are deployed on the public network for user access, some of which are only open to designated users and belong to a higher security-level Web Applications, they need to have a certification mechanism to protect the security of system resources, this article will explore five common authentication mechanisms and advantages and disadvantages.

Basic mode

There are two authentication methods in the HTTP protocol specification, one is Basic Authentication, the other is Digest authentication, both of which belong to the stateless authentication mode, The so-called stateless as the server will not record the relevant information in the session, the client every time access to the user name and password placement message sent to the server side, but this does not mean that every time you access in the browser to enter your own user name and password, It may be that the first time you enter an account, the browser remains in memory for later interaction. First, look at the Basic authentication Mode of the HTTP protocol .

Since it isHTTPprotocol specification, which is actually bound browser vendors andWebThe behavior constraints of the container vendors when implementing their respective software, such as a typical authentication interaction process: The browserWebContainer SendhttpRequest messages,Webthe container receiveshttprequest a message to parse the resource that needs to be accessed, if the resource is just a protected resource,Webthe container sends authentication to the browserhttpresponse message, the browser receives a message pop-up window to allow users to enter the account number and password, and then again send the account information containing thehttpRequest messages,WebThe container authenticates the account information and, through authentication, returns the corresponding resource, otherwise recertification.

Basic Access authentication scheme is the authentication method presented in HTTP1.0 , which is a Challenge/response-based authentication model for specific Realm user name and password authentication is required before access, where the password is transmitted in clear text. the Basic Mode authentication process is as follows:

The ① Browser sends an HTTP message requesting a protected resource.

The Web container on the ② server sets the response code of the HTTP response message to 401 , and the response header joins Www-authenticate:basic realm= "Mytomcat".

③ Browser Popup dialog lets the user enter a user name and password and encode it with Base64, which is actually a username + Colon + password Base64 Code, Base64 (username:password), this time the browser will be added to the header of the HTTP message Authorization:basic bxl0b21jyxq= .

④ Server Web container to get the HTTP message Header related authentication information, matching this user name and password is correct, whether there is a corresponding resource permissions, if the authentication is successful return the relevant resources, otherwise execute ②, Re-authenticate.

⑤ each visit with a certified head.

The realm="Mytomcat" is included in the authentication message returned by the server, and therealm value is used to define the protected area, where the server can pass the realm Separate the different resources into different domains, the domain name is realm 's value, each domain may have its own permission authentication scheme.

There are two obvious drawbacks to the Basic authentication mode: ① stateless causes each communication to bring the authentication information, even the resources that have been authenticated, ② transmission security is insufficient, the authentication information is Base64 Encoded, the basic is the plaintext transmission, It is easy to intercept and steal authentication information from the message.

Digest mode

Another authentication mode for the HTTP protocol specification is the Digest mode, which was proposed at HTTP1.1 , primarily to address Basic mode security issues, which are used to replace the original Basic authentication Mode, Digest Certification also uses Challenge/response authentication mode, the basic certification process is similar, the whole process is as follows:

The ① Browser sends an HTTP message requesting a protected resource.

The Web container on the ② server sets the response code of the HTTP response message to 401and the response header is more complex than the Basic mode ,www-authenticate:digest realm="Mytomcat", qop= "auth", nonce= "xxxxxxxxxxx", opaque= "xxxxxxxx" . Among them , the auth of Qop is the identification method;thenonce is a random string; Opaque The value specified by the server, the client needs the original value to be returned.

③ Browser Popup dialog allows the user to enter a user name and password, the browser to the user name, password,noncevalues,HTTPrequest method, requested resourceURIand so on after the combinationMD5arithmetic, and send the computed summary information to the server. The request header is similar to the followingauthorization:digest username= "xXXXx ", realm="Mytomcat", qop=" auth ", nonce=" xXXXx ", uri="xxxx", cnonce=" xxxxxx ", nc=00000001,response=" xxxxxxxxx ", opaque=" xxxxxxxxX ". where username is the user name;cnonce is a random string generated by the client;NC is the number of times the authentication is run ; Response is the summary of the final calculation.

④ server-side Web container gets the HTTP header-related authentication information from which to obtain the username, according to username get the corresponding password, same for user name, password,nonce value,HTTP Request method, requested resource URI and other combinations to MD5 operations, calculation results and Response Compare, if the match is successful and return the relevant resources, otherwise execute ②, re-certification.

⑤ each visit with a certified head.

In fact, through the hashing algorithm to the identity of the two sides of the authentication is very common, it is the advantage of not having to transfer the information with the password, simply add the password information to a given random value to calculate the hash value, and finally the hash value to each other, the other side can authenticate your identity. Digest The same is true of thought, with a nonce random number string, the two sides about what information can be hashed to complete the authentication of both identities. the Digest mode avoids plaintext transmission of passwords over the network, improving security, but it still has drawbacks, such as authentication messages that are intercepted by attackers that attackers can access resources.

Form mode

The two modes described above are part of the HTTP Protocol specification, and because of its specifications, many things cannot be customized, such as login windows, error display pages. Therefore, another mode is required to provide more flexible authentication, that is , the form-based authentication mode, the various language systems of the Web container can achieve their own Form mode, here are only Java System of Form Authentication Mode:

the authentication process for Form mode is as follows:

The ① Browser sends an HTTP message requesting a protected resource.

The Web container on the ② server determines that this URI is a protected resource and redirects the request to a custom landing page, such as the login.html page. You can customize the style of the landing page, but the Convention to follow is that the action of the form must end with J_security_check, i.e. <form action= ' xxxxxx/j_security_ Check ' method= ' POST ' >. The name of the user name and password input box element must be ' j_username ' and ' J_password '.

The ③ browser shows a custom landing page that lets the user enter a user name and password, and then submits the form.

The ④ server Web container gets the user name and password of the form, matches whether the user name and password are correct, has the appropriate resources, and returns the relevant resources if the authentication is successful, or else executes ② and re-authenticates.

⑤ subsequent visits during the same session are no longer authenticated, as the results of the authentication are stored in the session on the server .

The form mode jumps out of the HTTP specification to provide a more flexible authentication mode, since each language can define its own Form pattern, so it does not have a common standard, And it also has the password plaintext transmission security issue.

Spnego Mode

The Spnego mode is a Microsoft-proposed authentication mode that uses the Gss-api interface, which extends the Kerberos Protocol in understanding Spnego before the protocol must understand the Kerberos protocol, theKerberos protocol mainly resolves the identity authentication and communication key negotiation problem, and its approximate workflow is as follows:

The ① client requests the TGS ticket according to its user name to the identity authentication service as the Key Distribution center KDC .

② as generates a TGS ticket, queries the corresponding user's password, and then encrypts the TGS ticket with the user's password , responding to the client.

The ③ client decrypts the TGS ticket with the user's password and, if the password is correct, obtains the TGS ticket and then goes to the ticket-granting service with the TGS ticket TGS Request a service ticket.

④TGS responds the service ticket to the client.

The ⑤ client uses a service ticket to access a service, and the service verifies that the service ticket is legitimate.

⑥ authentication is passed and communication is started.

After understanding the Kerberos protocol, let 's look at how the Spnego certification process is. Since the Spnego is extended from the Kerberos Protocol, the core process of authentication is the same only between the browser and the Web Server http embed the authentication process in the communication process. such as:

The ① client browser sends an HTTP request to the Web server .

The ② server returns the 401 Status code, with the response header plus www-authenticate:negotiate.

The ③ user enters the user name through the browser and requests the TGS ticket to AS.

④ as generates a TGS ticket, then queries the user's password and encrypts the TGS ticket with this password to return to the browser.

The ⑤ browser decrypts the TGS ticket with the user's password and initiates a request to the TGS service.

The ⑥TGS Service generates a service ticket response to the browser.

The ⑦ browser encapsulates the service ticket into SPNEGO token and sends it to the Web server.

The ⑧ server decrypts the user name and service ticket and sends the ticket to the TGS service for verification.

⑨ to start the communication by verifying it.

You can see that the Spnego mode provides more robust security authentication, which makes the authentication module stand-alone and, although complex, provides authentication for all applications, such as the ability to easily implement single sign-on between multiple systems.

SSL mode

SSL mode is an authentication mode based on SSL Communication, and its general flow is this: SSL is established between client and server through SSL protocol . Channel, this process is more complex, involving the client server-side certificate mutual authentication, negotiation of communication keys and other processes, details can go to SSL Chapter Reading. Completion of the entire SSL Channel is the core of the authentication process, such as,

① first obtains the client certificate file, which is sent to the server during the SSL protocol, so it can be obtained directly from memory, and then parse the certificate file to get the certificate identity.

② This certificate identifies where the user information is stored to find out the corresponding client certificate user information.

③ checks if this user has permissions on the resource and returns the requested resource if the validation is passed.

SSL mode also provides high-security authentication, which only individual trust to the issued client certificate, can be used to communicate between the server and the service, and can be used to communicate between the browser and the Web servers, you must use HTTPS     protocol, because it must take the SSL Protocol channel to complete the authentication process.

This article introduces five kinds of common security authentication mechanism, they each have their own advantages and disadvantages, in the actual use according to the specific scene to choose different authentication mechanism.

How much does the Web security authentication mechanism know?

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.