WebApp Sec mailing list archives

Re: Authentication/Access-control libraries


From: cunningham.simon () btopenworld com
Date: Wed, 3 Sep 2003 08:42:14 +0100 (BST)

JAAS has been suggested, this offers useful functionality in the Java space but is unlikely to solve all your problems 
in the web tier, particularly as you mention ASP.

On the commercial front you should be looking at Netegrity SiteMinder, IBM Tivoli Access Manager and Oblix NetPoint.  
There are others but these are the market leaders (according to Gartner).  All offer agents of some form that perform 
authentication and authorisation before access is granted to a URL, thus saving you from having to put authentication 
and authorisation code in every page.  They also offer mechanisms to do more granular authorisation inside your 
application should you want to.

There's much more to these products (flexible authentication schemes, policy-based authorisation, SSO support, 
complementary identity management products, etc., etc.) but I'll spare you the sales pitch.

Hope that helps.

Simon

 from:    n30 <n30_lists () hotmail com>
 date:    Tue, 02 Sep 2003 17:05:31
 to:      security-basics () securityfocus com, secprog () securityfocus com, webappsec () securityfocus com
 subject: Re: Authentication/Access-control libraries

Gurus,

Say I am a programmer designing an ecommerce site & wanting to write secure
code. I have heard there are commercial & open source secure libraries
available out there that I can reuse for performing authentication and
access control.

Any links/pointers to them??

I am specifically looking for ASP & Java. But any language should be fine. I
will get an insight into things.

Thanks in advance
-n



