WebApp Sec mailing list archives

RE: Authentication/Access-control libraries


From: "Sasha Romanosky" <sasha_romanosky () yahoo com>
Date: Thu, 25 Sep 2003 17:19:48 -0700


-n, 

I'm with Simon, if you have the budget for commercial software,
Netegrity, Oblix and Tivoli are definitely vendors you should look to.
They will provide full identity management solutions for your
enterprise, should you require it. 

I am not aware of specific opensource libraries, per se, that offer
turn-key solutions for authentication and authorization. Mostly what I
have seen are people adopting best practices in terms of design and
mechanisms. 

Authentication:
First, I would claim that authentication is much easier to solve than
authorization. 

If you require simple authN and you're using a J2EE application server,
either opensource (Tomcat) or commercial (weblogic, websphere), take a
look at their Realms: JNDIRealm, JDBCRealm or JAASRealm. These are very
quick and easy to configure and use. Be aware, though, when you're using
these, of how they are implemented:
 - How does it initiate communication with the service? Re LDAP, does it
bind anonymously or perform proper user binds?
 - How does it communicate with the user store? Can it talk SSL/TLS (or
even SASL)? Is a VPN or stunnel necessary?
 - Does it require passwords to be stored cleartext, or can it support
encrypted or hashed passwords?
While the Realms are easy to use, they can be less flexible in terms of
the above issues.

I have had mixed results with JAAS. On the one hand it has so much
potential. Authentication based on stackable, pluggable authentication
modules (PAM) - what could be better? However, in practice, I found it
to be clunky and disappointing. Using JAAS to talk to an LDAP directory
service failed in the three issues I mentioned above. You may have
better results if you're using NTLM or Kerberos. Coding to JNDI with
SSL/TLS is a much better approach, I feel. You have more control over
flow and error handling.

Personally, I don't think you can ever go wrong building an
infrastructure where users authenticate against an LDAP directory
service. It's ubiquitous, convenient, secure (if done properly),
scalable, and can perform very well. The major issues, however, are
interoperability amongst disparate applications and how they perform
authentication against it (regarding the issues I mentioned above). Your
security policies and business rules could provide guidance here, in
terms of what is acceptable and what is possible to do.

I created something once upon a time to help me understand web based
authentication options. You might find it useful:
http://www.romanosky.net/papers/auth_options.gif


Authorization:
This is definitely a much more difficult problem to solve well. 

Unless you have the funds to purchase an enterprise IM product, I think
you're stuck writing your own. At least this way, you can write what you
need. 

The authorization of JAAS seemed to provide nothing more than static
groups and wasn't all that useful. 

I don't know of any opensource libraries to allow any form of decent
RBAC aside from the NIST code. I can't talk to their latest release, but
as of a couple of years ago, there was an implementation in perl that
was not quite complete. However, NIST is definitely the place to look
for proper RBAC designs.

Be careful when you hear vendors who claim they support RBAC. There is
assigning users to roles and granting or denying those roles access to
resources, and then there is full RBAC which fully abstracts users from
privileges, implements inheritance, and static, dynamic, and operational
separation of duties. This is a huge difference and it is worth
understanding - if only to protect yourself from vendor speak.

If you do roll your own, you'll encounter the issue of where to store
your privileges. And I'll bet you'll hear three voices: in the
application, in the directory or in the database. I'm not sure it really
matters, honestly. Though storing privileges in the application would
not be my first choice. I wish I could offer advice, but I can't at this
time. Perhaps some one else on the list can provide guidance (beyond the
standard relational database vs. optimized directory talk).

<disclaimer> 
I represent no vendor. Just an enthusiast who enjoys exploring this
field. Ideas and opinions are mine. Your mileage may vary. Batteries not
included. Wash colors separately. 

Cheers,
Sasha

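Sasha's third bullet asks whether a Realm can work with hashed rather than cleartext passwords. As an added example, which is not code from this thread or from any J2EE Realm, here is what such a user store looks like in Python: each record holds only a salted, iterated PBKDF2 hash, verification recomputes the hash from the stored salt and compares it in constant time, and an unknown user costs the same time as a wrong password so login failures do not reveal which accounts exist. The user names and passwords are constructed sample data.

```python
# Realm-style user store that holds only salted, iterated hashes.
# Added illustration for the "cleartext vs hashed passwords" criterion in the
# thread; not code from the post or from any J2EE Realm. The user records are
# constructed sample data.
import base64
import hashlib
import hmac
import os

ALGO = "pbkdf2_sha256"
ITERATIONS = 200_000


def make_record(password, salt=None):
    """Derive a storable record: algorithm$iterations$salt$digest (base64 fields)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "$".join([ALGO, str(ITERATIONS),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(digest).decode("ascii")])


def verify(record, password):
    """Recompute the digest with the stored salt/iterations; compare in constant time."""
    algo, iterations, salt_b64, digest_b64 = record.split("$")
    if algo != ALGO:
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(actual, expected)


# Dummy record used for unknown users so that a failed login costs the same
# time whether or not the account exists (constructed; not a real credential).
_DUMMY_RECORD = make_record("unused-dummy-password")


def authenticate(store, username, password):
    """True only if the user exists and the password matches its stored record."""
    record = store.get(username)
    if record is None:
        verify(_DUMMY_RECORD, password)  # equalise timing, then fail
        return False
    return verify(record, password)


def build_sample_store():
    # Constructed sample users; the store never contains a cleartext password.
    return {
        "alice": make_record("correct horse battery staple"),
        "bob": make_record("s3cret-bob"),
    }


if __name__ == "__main__":
    store = build_sample_store()
    print(authenticate(store, "alice", "correct horse battery staple"))  # True
    print(authenticate(store, "alice", "wrong"))                         # False
    print(authenticate(store, "mallory", "anything"))                    # False
```

The iteration count and the per-user random salt are what make a stolen store expensive to attack offline; the algorithm and iteration count travel inside the record so they can be raised later without invalidating existing users.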

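To make concrete the distinction Sasha draws between "users in groups" and full RBAC, here is an added Python example (not code from this thread, from NIST or from any vendor) implementing the three pieces he names: role inheritance, static separation of duties enforced when a role is assigned, and dynamic separation of duties enforced when roles are activated for a session, following the NIST model. All roles, users, permissions and constraints are constructed sample data, and applying the constraints over the inherited closure of roles (so a senior role cannot smuggle in a conflicting junior one) is a design choice of this example.

```python
# Added illustration of NIST-style RBAC (role hierarchy, static and dynamic
# separation of duties). Not code from the post or from NIST; every role, user
# and permission name below is constructed sample data.
from collections import deque


class RbacError(Exception):
    """An assignment or activation would violate a separation-of-duties rule."""


class Rbac:
    def __init__(self):
        self.parents = {}      # role -> roles it inherits from (its juniors)
        self.perms = {}        # role -> set of (operation, object) pairs
        self.user_roles = {}   # user -> set of directly assigned roles
        self.ssd = []          # (frozenset(roles), n): no user may hold n or more
        self.dsd = []          # (frozenset(roles), n): no session may activate n or more

    def add_role(self, role, inherits=()):
        self.parents[role] = set(inherits)
        self.perms.setdefault(role, set())
    def grant(self, role, operation, obj):
        self.perms[role].add((operation, obj))
    def add_ssd(self, roles, n):
        self.ssd.append((frozenset(roles), n))
    def add_dsd(self, roles, n):
        self.dsd.append((frozenset(roles), n))

    def closure(self, roles):
        """All roles reachable through inheritance, including the given ones."""
        seen, todo = set(), deque(roles)
        while todo:
            r = todo.popleft()
            if r not in seen:
                seen.add(r)
                todo.extend(self.parents.get(r, ()))
        return seen

    @staticmethod
    def _violates(constraints, roles):
        return any(len(roles & cset) >= n for cset, n in constraints)

    def assign(self, user, role):
        """Static SoD is checked at assignment time, over inherited roles too."""
        proposed = self.user_roles.get(user, set()) | {role}
        if self._violates(self.ssd, self.closure(proposed)):
            raise RbacError(f"SSD violation: {user} cannot hold {sorted(proposed)}")
        self.user_roles[user] = proposed

    def new_session(self, user, active):
        """Dynamic SoD is checked at activation; returns the effective role set."""
        active = set(active)
        authorized = self.closure(self.user_roles.get(user, set()))
        if not active <= authorized:
            raise RbacError(f"{user} may not activate {sorted(active - authorized)}")
        effective = self.closure(active)
        if self._violates(self.dsd, effective):
            raise RbacError(f"DSD violation: cannot activate {sorted(active)} together")
        return effective

    def check(self, session_roles, operation, obj):
        # Access decision: any effective role holding the permission suffices.
        return any((operation, obj) in self.perms[r] for r in session_roles)


def build_sample():
    rbac = Rbac()
    rbac.add_role("clerk")
    rbac.add_role("approver", inherits=["clerk"])   # approvers inherit clerk rights
    rbac.add_role("payer", inherits=["clerk"])
    rbac.add_role("reviewer")
    for role, op in (("clerk", "read"), ("approver", "approve"),
                     ("payer", "pay"), ("reviewer", "review")):
        rbac.grant(role, op, "invoice")
    rbac.add_ssd({"approver", "payer"}, 2)   # nobody may both approve and pay
    rbac.add_dsd({"clerk", "reviewer"}, 2)   # may hold both, not in one session
    rbac.assign("alice", "approver")
    rbac.assign("carol", "clerk")
    rbac.assign("carol", "reviewer")
    return rbac


def demo():
    """Run the scenarios and return the outcomes as a dict."""
    rbac, out = build_sample(), {}
    alice = rbac.new_session("alice", ["approver"])
    out["alice"] = tuple(rbac.check(alice, op, "invoice") for op in ("approve", "read", "pay"))
    try:
        rbac.assign("alice", "payer")   # would let one person approve and pay
        out["ssd_blocked"] = False
    except RbacError:
        out["ssd_blocked"] = True
    try:
        rbac.new_session("carol", ["clerk", "reviewer"])
        out["dsd_blocked"] = False
    except RbacError:
        out["dsd_blocked"] = True
    carol = rbac.new_session("carol", ["reviewer"])
    out["carol"] = tuple(rbac.check(carol, op, "invoice") for op in ("review", "read"))
    return out
```

Calling `demo()` shows the four behaviours: alice's approver session can approve and, through inheritance, read invoices but not pay them; assigning her the payer role is refused by the static constraint; carol may hold clerk and reviewer but cannot activate both in one session; and a reviewer-only session cannot read invoices. A "groups with ACLs" product gives you the first line only.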
-----Original Message-----
From: cunningham.simon () btopenworld com 
[mailto:cunningham.simon () btopenworld com]
Sent: Wednesday, September 03, 2003 12:42 AM
To: n30_lists () hotmail com
Cc: security-basics () securityfocus com;
secprog () securityfocus com; webappsec () securityfocus com
Subject: Re: Authentication/Access-control libraries


JAAS has been suggested; this offers useful functionality in the Java
space but is unlikely to solve all your problems in the web tier,
particularly as you mention ASP.

On the commercial front you should be looking at Netegrity SiteMinder,
IBM Tivoli Access Manager and Oblix NetPoint.
There are others but these are the market leaders (according 
to Gartner).  All offer agents of some form that perform 
authentication and authorisation before access is granted to 
a URL thus saving you from having to put authentication and 
authorisation code in every page.  They also offer mechanisms 
to do more granular authorisation inside your application 
should you want to.

There's much more to these products (flexible authentication schemes, 
policy based authorisation, SSO support, complementary identity 
management products, etc., etc.) but I'll spare you the sales pitch.

Hope that helps.

Simon

 from:    n30 <n30_lists () hotmail com>
 date:    Tue, 02 Sep 2003 17:05:31
 to:      security-basics () securityfocus com, 
secprog () securityfocus com, webappsec () securityfocus com
 subject: Re: Authentication/Access-control libraries

Gurus,

Say I am a programmer designing an ecommerce site & wanting to write
secure code. I have heard there are commercial & opensource secure
libraries available out there that I can reuse for performing
authentication and access control.

Any links/pointers to them??

I am specifically looking for asp & java. But any language should be
fine. I will get an insight into things.

Thanks in advance
-n