01-06-2012, 12:53 PM
Advanced authentication in Java applications using Kerberos protocol
Advanced authentication in Java.pdf (Size: 727.53 KB / Downloads: 63)
Introduction
Information technologies are used throughout society, and companies store important business
data in many kinds of information systems. To protect the data stored in these systems,
only authorized employees should be able to access them. Many companies also run more
than one information system, so an employee may have to work with several applications
during a workday. This created a need for common authentication across these systems,
so that employees do not have to remember a separate password for every application they
use. Today there are many Single Sign-On (SSO) solutions that address this problem. They
let users log in once, when they arrive at work, and then use all the applications they need
without being prompted to authenticate again.
Analysis
This chapter describes the requirements of Y Soft and how they evolved. It then presents the
possible approaches to authentication and authorization in Java applications: the Java
Authentication and Authorization Service (JAAS) and the Generic Security Service Application
Program Interface (GSS-API), both of which can be used in the solution. Their properties,
advantages and limitations are described, and sample code is given to show how they can be
used. Finally, the protocols that might be useful in the solution are described, especially the
Kerberos protocol, on which this thesis is based.
Requirements analysis
At first the assignment focused on saving a ticket for a requested service; the intended use
of the saved ticket was not clearly specified. It was required to use the Kerberos protocol,
which is supported by Active Directory in Microsoft Windows Server. This support in AD
allows a ticket to be requested for a logged-in user without prompting the user for a password,
because the user has already been authenticated by AD. An application or utility was required
that could save a user's ticket for the requested service on a flash drive or a smart card. After
the ticket was saved, a second application should be able to validate it (check whether the
ticket is valid).
After a discussion with Y Soft, the intention to use the ticket for authentication to
third-party applications emerged. So instead of an application that validates the ticket,
an application demonstrating how the saved ticket can be used to authorize a request to
a third-party application is required. Internet Information Services (IIS), shipped with
Windows Server, was selected as the example third-party application because it is widely
used by customers. It should also be possible to store more than one ticket per user on the
flash drive or smart card.
Options of authentication and authorization in Java applications
It would of course be possible to implement all the protocol communication from scratch,
but that would be time-consuming and unnecessary, because an implementation of the Kerberos
protocol is already available in the standard edition of Java. It is not even necessary to
work with the protocol directly: Java also provides an authentication and authorization service
that encapsulates the protocol specifics. This service is called the Java Authentication and
Authorization Service (JAAS) and is described in this section. Java further offers a generic
application program interface giving uniform access to security protocols; it is called the
Generic Security Service Application Program Interface (GSS-API) and is also introduced in
this section.
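The following is an added example written for this post; it is not code from the thesis or from Y Soft. It ties the two sections above together: JAAS (Krb5LoginModule reading the ticket cache of the already logged-in user, so no password prompt) and GSS-API (initSecContext, which makes the KDC issue a service ticket) are used to obtain a ticket for an IIS service, the ticket is written to a flash drive, and on reading it back only its validity window is checked. The realm, the service name HTTP/iis.example.com, the drive letter E:\ and the file name are assumptions; a working krb5.conf/krb5.ini pointing at the realm's KDC is also assumed.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.security.PrivilegedExceptionAction;
import java.util.HashMap;
import java.util.Map;

import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;

import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

/** Added example: fetch a Kerberos service ticket for the logged-in user, save it, check it. */
public class SaveServiceTicket {

    // Assumed names (not from the thesis): the IIS host and where the flash drive is mounted.
    static final String SERVICE_HOSTBASED = "HTTP@iis.example.com";   // GSS-API host-based form
    static final String SERVICE_PRINCIPAL = "HTTP/iis.example.com";   // Kerberos principal form
    static final File TICKET_FILE = new File("E:\\iis.ticket");

    /** JAAS config: reuse the OS ticket cache (LSA on Windows, ccache file elsewhere), never prompt.
     *  On Windows the LSA only releases the TGT session key when the registry value
     *  AllowTgtSessionKey=1 is set under HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters. */
    static Configuration ticketCacheConfig() {
        return new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                Map<String, String> opts = new HashMap<>();
                opts.put("useTicketCache", "true");
                opts.put("doNotPrompt", "true");   // fail instead of asking for a password
                return new AppConfigurationEntry[] { new AppConfigurationEntry(
                        "com.sun.security.auth.module.Krb5LoginModule",
                        LoginModuleControlFlag.REQUIRED, opts) };
            }
        };
    }

    /** Builds the first GSS-API token as the subject; the Krb5 mechanism asks the KDC for the
     *  service ticket on the way and stores it in the Subject's private credentials. */
    static KerberosTicket requestServiceTicket(Subject subject) throws Exception {
        return Subject.doAs(subject, (PrivilegedExceptionAction<KerberosTicket>) () -> {
            GSSManager manager = GSSManager.getInstance();
            GSSName server = manager.createName(SERVICE_HOSTBASED, GSSName.NT_HOSTBASED_SERVICE);
            Oid krb5 = new Oid("1.2.840.113554.1.2.2");                 // Kerberos V5 mechanism
            GSSContext ctx = manager.createContext(server, krb5, null, GSSContext.DEFAULT_LIFETIME);
            try {
                ctx.requestMutualAuth(false);   // we never see the server's reply here
                ctx.initSecContext(new byte[0], 0, 0); // AP-REQ; normally sent as Authorization: Negotiate
            } finally {
                ctx.dispose();
            }
            for (KerberosTicket t : subject.getPrivateCredentials(KerberosTicket.class)) {
                if (t.getServer().getName().startsWith(SERVICE_PRINCIPAL + "@")) {
                    return t;
                }
            }
            throw new IllegalStateException("no ticket for " + SERVICE_PRINCIPAL + " in subject");
        });
    }

    /** Serializes the ticket. Note it carries the session key: whoever holds the drive can use it. */
    static void saveTicket(KerberosTicket ticket, File file) throws Exception {
        try (ObjectOutputStream out = new ObjectOutputStream(new FileOutputStream(file))) {
            out.writeObject(ticket);
        }
    }

    /** Reads a ticket back from removable media, allowing only the classes a ticket consists of. */
    static KerberosTicket loadTicket(File file) throws Exception {
        try (ObjectInputStream in = new ObjectInputStream(new FileInputStream(file))) {
            in.setObjectInputFilter(ObjectInputFilter.Config.createFilter(   // Java 9+
                    "javax.security.auth.kerberos.*;java.util.Date;java.net.*;!*"));
            return (KerberosTicket) in.readObject();
        }
    }

    /** The only check a client can make: the ticket's time window. Its contents are encrypted
     *  under the service's key, so only IIS (or the KDC) can verify the ticket itself. */
    static boolean isUsable(KerberosTicket t) {
        return !t.isDestroyed() && t.isCurrent();
    }

    public static void main(String[] args) throws Exception {
        LoginContext lc = new LoginContext("SaveServiceTicket", null, null, ticketCacheConfig());
        lc.login();                                   // silent: TGT comes from the OS cache
        KerberosTicket ticket = requestServiceTicket(lc.getSubject());
        saveTicket(ticket, TICKET_FILE);
        KerberosTicket restored = loadTicket(TICKET_FILE);
        System.out.printf("%s -> %s, valid until %s, usable now: %b%n", restored.getClient(),
                restored.getServer(), restored.getEndTime(), isUsable(restored));
        lc.logout();
    }
}
```

Two points a practitioner should keep in mind. First, the saved object is a bearer credential: a Kerberos service ticket plus its session key is everything a client needs to authenticate, so a flash drive holding it must be treated like the user's password until the ticket's end time passes (a smart card that never releases the key is the safer of the two storage options the requirements allow). Second, the "validation" a second application can do on its own is limited to the time window above; deciding whether the ticket is genuine requires the service key, which is why the requirements moved from "validate the ticket" to "use the ticket against IIS".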