An Authentication and Authorization Infrastructure: the PAPI System
Index
• An approximation to the solution
• PAPI Architecture
• JAVA – JWS
• Possible Scenarios
• Future works
Approximation: Working with E-Certificates
Advantages:
• Temporary access to authorized services
• Allows mobile users
• Authentication adapted to user organizations
• Technology implemented in main web servers
Problems:
• Not transparent
• Password in browser DB
• Choosing the right certificate
• Web servers not adapted for this technology
• Allows copying of valid certificates
[Diagram labels: Web browser; Authentication Server; Web Server S1; Web Server S2; Authentication data; Temporary E-certificates (S1, S2, S3); HTTP request + E-certificate S1; HTTP request + E-certificate S2; Web page]
Approximation: Partial Solutions
Advantages:
• Temporary access to authorized services
• Allows mobile users
• Authentication adapted to user organizations
• Access control adapted to the web servers of information providers
• Transparent for the user
Problems:
• Domain problems in cookies
• Allows copying of valid cookies
• Web servers not adapted -> Points of Access
• Not transparent -> encrypted cookies
[Diagram labels: Web browser; Authentication Server; Point of Access; Web Server S1; Authentication data; Temporary Encrypt-cookies (Encry-cookie S1, S2, S3); HTTP request + Encry-cookie S1; Web page]
Approximation: Partial Solutions
• Domain problems in cookies -> Cookies served by PAs
[Diagram labels: Web browser; Authentication Server; Point of Access (two); Authentication data; Temporary Signed-URLs; Signed-URL; Encry-cookie S1, S2, S3]
Approximation: Partial Solutions
• Copy of valid cookies -> Database of cookies, short expiration time
[Diagram labels: Web Browser 1; Web Browser 2; Point of Access; DB of Enc-cookie; Web Server S1; HTTP request + Encry-cookie S1; Web page + New Enc-cook S1; HTTP request + Encry-cookie S1 (from the second browser) -> Collision]
Architecture of PAPI system
• URL: K_priv SA (user code + server + path + Exp. Time + sign time)
• Hcook1: K1_PA (user code + server + path + Exp. Time + Random Block)
• Lcook: K2_PA (server + path + creation time)
[Diagram labels: Web browser; Authentication Server; Point of Access; DB of Hcook; Web Server S1; Authentication data; Temporary Signed-URLs; Encry-cookies; HTTP request; HTTP request + Hcook+Lcook; Web page; Web page + New Hcook+Lcook]
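The cookie-copy defence from the two slides above (DB of Hcook, short expiration, a new Hcook on every request), as an added Python example that is not part of the original slides or of the PAPI code. It assumes an HMAC-SHA256 tag in place of the encryption under K1_PA, an in-memory dict as the DB of Hcook, a 60-second lifetime, and that a collision revokes the stored entry; all function and variable names are hypothetical.

```python
import hashlib
import hmac
import json
import secrets
import time

# Assumed stand-ins: a random Point of Access key, a dict for the "DB of Hcook".
K1_PA = secrets.token_bytes(32)
HCOOK_DB = {}    # (user code, server, path) -> the one random block currently valid
HCOOK_TTL = 60   # assumed short expiration, in seconds


def _tag(body):
    return hmac.new(K1_PA, body.encode(), hashlib.sha256).hexdigest()


def issue_hcook(user, server, path, now=None):
    """Mint a fresh Hcook and make its random block the only valid one."""
    now = time.time() if now is None else now
    block = secrets.token_hex(16)
    body = json.dumps([user, server, path, int(now + HCOOK_TTL), block])
    HCOOK_DB[(user, server, path)] = block
    # A real Set-Cookie value would need base64url encoding; omitted here.
    return body + "." + _tag(body)


def check_hcook(cookie, server, path, now=None):
    """Return (verdict, new_cookie); verdict is ok, forged, wrong-scope, expired or collision."""
    now = time.time() if now is None else now
    body, _, tag = cookie.rpartition(".")
    if not hmac.compare_digest(tag.encode(), _tag(body).encode()):
        return "forged", None
    user, c_server, c_path, exp, block = json.loads(body)
    if (c_server, c_path) != (server, path):
        return "wrong-scope", None
    if now > exp:
        return "expired", None
    key = (user, server, path)
    if HCOOK_DB.get(key) != block:
        # A cookie with this block was already exchanged: one of the two
        # browsers holds a copy. Revoke so both must re-authenticate.
        HCOOK_DB.pop(key, None)
        return "collision", None
    return "ok", issue_hcook(user, server, path, now)
```

Because the stored random block changes on every successful request, a copied cookie is only usable until the original (or the copy) is next presented, and the second presentation is what the slide labels a collision.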
JWS – JAVA compatibility
[Diagram labels: Web browser; Authentication Server; Access Point; User Credentials; Signed URLs; Signed URL; cookieLoader.jnlp; HTTPClass; Encry-cookie S1, S2]
Scenarios
[Diagram labels: Web browser; Authentication Server (four); Point of Access (six); Web Server (three)]
Future works
• Enhance PAPI compatibility with other technologies
  • A-Select
  • Shibboleth
  • Athens
• Include new types of clients
  • WIFI access
  • Kerberos
  • VPNs
• Improve the administration tools