Presentation is loading. Please wait.

Presentation is loading. Please wait.

An Authentication and Authorization Infrastructure: the PAPI System.

Published byHenry Malone Modified over 9 years ago

Similar presentations

Presentation on theme: "An Authentication and Authorization Infrastructure: the PAPI System."— Presentation transcript:

1 An Authentication and Authorization Infrastructure: the PAPI System

2 Index An approximation to the solution PAPI Architecture JAVA – JWS Possible Scenarios Future works

3 Approximation: Working with E-Certificates Web browser Authentication data Web Server S1 Web page Authentication Server Temporal E-certificates E-certificate S1 E-certificate S2 E-certificate S3 HTTP request + E-certificate S1 Web Server S2 HTTP request + E-certificate S2 Web page Problems:   Not transparent   Password in browser DB   Choose the right certified   Web servers not adapted for this technology   Allow copy of valid certifies Advantages:   Temporal access to authorized services   Allow mobile users   Authentication adapted to user organizations   Technology implemented in main web servers

4 Approximation: Partial Solutions No transparent -> encrypted cookies Web browser Authentication data Web Server S1 Web page Authentication Server Temporal Encrypt-cookies Encry-cookie S1 Encry-cookie S2 Encry-cookie S3 HTTP request + Encry-cookie S1 Point of Access HTTP request Web page z zWeb servers not adapted -> Points of Access Problems:   Domain problems in cookies   Allow copy of valid cookies Advantages:   Temporal access to authorized services   Allow mobile users   Authentication adapted to user organizations   Control access adapted to web servers of information providers   Transparent for the user

5 Approximation: Partial Solutions Domain problems in cookies -> Cookies served by PAs Web browser Authentication data Authentication Server Encry-cookie S1 Encry-cookie S2 Encry-cookie S3 Point of Access Point of Access Temporal Signed-URLs Signed-URL Encry-cookie

6 Approximation: Partial Solutions Web Browser 1 Encry-cookie S1 Point of Access z zCopy of valid cookies -> Data base of cookies Short time expiration Web Browser 2 Encry-cookie S1 HTTP request + Encry-cookie S1 Web Server S1 HTTP request Web page DB of Enc-cookie Web page + New Enc-cook S1 New Enc-cook S1 HTTP request + Encry-cookie S1 Colision

7 Architecture of PAPI system Web browser Authentication data Authentication Server Encry-cookies Temporal Signed-URLs Web page + New Hcook+Lcook HTTP request + Hcook+Lcook Point of Access Web Server S1 HTTP request Web page DB of Hcook   URL: K_priv SA (user code + server + path + Exp. Time + sign time)   Hcook1: K1_PA (user code + server + path + Exp. Time + Random Block)   Lcook: K2_PA (server + path + creation time)

8 JWS – JAVA compatibility Web browser User Credentials Authentication Server Encry-cookie S1 Encry-cookie S2 Access point Signed URLs Signed URL cookieLoader.jnlp Encry-cookie Access Point Signed URL HTTPClass Encry-cookie

9 Scenarios Web browser Web Server Authentication Server Point of Access Web Server Point of Access Authentication Server Point of Access Point of Access Authentication Server Authentication Server Point of Access Web Server Point of Access

10 Future works Enhance PAPI compatibility with other technologies  A-Select  Shibboleth  Athens Include new type of clients  WIFI access  Kerberos  VPNs Improve the administration tools

Download ppt "An Authentication and Authorization Infrastructure: the PAPI System."

Similar presentations

Welcome to Middleware Joseph Amrithraj

Welcome to Middleware Joseph Amrithraj
Web Services Security Requirements Stephen T. Whitlock Security Architect Boeing.

Web Services Security Requirements Stephen T. Whitlock Security Architect Boeing.
Central Authentication Service (CAS). What is CAS? JA-SIG Central Authentication Service is an enterprise level, open-source, single sign on solution.

Central Authentication Service (CAS). What is CAS? JA-SIG Central Authentication Service is an enterprise level, open-source, single sign on solution.
Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.

Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.
FI-WARE Testbed Access Control temporary solution.

FI-WARE Testbed Access Control temporary solution.
MyProxy: A Multi-Purpose Grid Authentication Service

MyProxy: A Multi-Purpose Grid Authentication Service
Cross Platform Single Sign On using client certificates Emmanuel Ormancey, Alberto Pace Internet Services group CERN, Information Technology department.

Cross Platform Single Sign On using client certificates Emmanuel Ormancey, Alberto Pace Internet Services group CERN, Information Technology department.
Architecture & Integration: CP v3.1. 3.x Platforms: Windows NT sp5(6a)/Solaris 2.8 iWS Client(s) Netscape/IE 4.0+ Java Servlet Engine (Java Servlet API)

Architecture & Integration: CP v x Platforms: Windows NT sp5(6a)/Solaris 2.8 iWS Client(s) Netscape/IE 4.0+ Java Servlet Engine (Java Servlet API)
EFDA Federation PAPI based federation as a test-bed for a common security infrastructure in EFDA sites R. Castro, J. Vega, A. Portas, D. R. López, S. Balme,

EFDA Federation PAPI based federation as a test-bed for a common security infrastructure in EFDA sites R. Castro, J. Vega, A. Portas, D. R. López, S. Balme,
The EC PERMIS Project David Chadwick

The EC PERMIS Project David Chadwick
DATABASE APPLICATION DEVELOPMENT SAK 3408 The Web and DBMS.

DATABASE APPLICATION DEVELOPMENT SAK 3408 The Web and DBMS.
Progress Report 11/1/01 Matt Bridges. Overview Data collection and analysis tool for web site traffic Lets website administrators know who is on their.

Progress Report 11/1/01 Matt Bridges. Overview Data collection and analysis tool for web site traffic Lets website administrators know who is on their.
Multiple Tiers in Action

Multiple Tiers in Action
Report Distribution Report Distribution in PeopleTools 8.4 Doug Ostler & Eric Knapp 7264.

Report Distribution Report Distribution in PeopleTools 8.4 Doug Ostler & Eric Knapp 7264.
Single Sign-On for Java Web Start Applications Using MyProxy Terry Fleury, Jim Basney, and Von Welch November 3, 2006.

Single Sign-On for Java Web Start Applications Using MyProxy Terry Fleury, Jim Basney, and Von Welch November 3, 2006.
APACHE SERVER By Innovationframes.com »

APACHE SERVER By Innovationframes.com »
Internet Information Server 6.0. Overview  What’s New in IIS 6.0?  Built-in Accounts and IIS 6.0  IIS Pass-Through Authentication  Securing Web Traffic.

Internet Information Server 6.0. Overview  What’s New in IIS 6.0?  Built-in Accounts and IIS 6.0  IIS Pass-Through Authentication  Securing Web Traffic.
Edwin Sarmiento Microsoft MVP – Windows Server System Senior Systems Engineer/Database Administrator Fujitsu Asia Pte Ltd

Edwin Sarmiento Microsoft MVP – Windows Server System Senior Systems Engineer/Database Administrator Fujitsu Asia Pte Ltd
Session 11: Security with ASP.NET

Session 11: Security with ASP.NET
National Computational Science National Center for Supercomputing Applications National Computational Science MyProxy: An Online Credential Repository.

National Computational Science National Center for Supercomputing Applications National Computational Science MyProxy: An Online Credential Repository.

Similar presentations

Ads by Google