Is it safe to pass Authentication object during remote call?

  • Is it safe to pass Authentication object during remote call?

    Hi,
    I'm very new to Acegi - mainly just went through the documentation.
    From what I understand, the Authentication object contains all user information necessary to process an authentication and authorisation request. Even though that seems a perfect solution in a closed and controlled environment, I wonder how safe this approach is when calling remote servers.
    Additionally, isn't it easy for a potential hacker to create a fake Authentication object and use it to perform a remote call to an unsuspecting server?
    Forgive me if I am missing the point here; it may be because I haven't really understood the way remote calls are handled in Acegi.
    Thanks in advance for any clarifications.
    Kostas

  • #2
    Hi,

    What do you see as being different between Acegi and any other remote authentication mechanism? The user's credentials (username/password, token, certificate etc.) are validated on each request so unless an attacker has access to these then they can't create a fake authentication object.

    Luke.



    • #3
      Hi,
      My concern is in the case of Credentials = plain text password; from the Acegi documentation it seems that plain text passwords are not used for CAS, for instance. But for the other authentication mechanisms, is there any reason why the Credentials supplied should remain in the Authentication object after the authentication process has finished?
      I understand that in case of multiple Authentication Providers you may need to pass it from one to the other, but possibly at the end when the providers have all been consulted, clear text passwords (only???) may be removed from the object.

      The danger I see is someone eavesdropping on the remote call and looking at the Authentication object. Then, he has the complete set of credentials required to log in to any participating server.

      Speaking about other mechanisms, I don't think even JAAS stores the password in the respective authentication object.

      Kostas



      • #4
        If you are passing a plain text password then you need transport-level protection, and the remote client has to establish the authenticity of the server. So you need something like SSL. In other cases, a client may use some kind of challenge/response protocol which doesn't involve transferring the password to the server. IIRC authentication protocols like SRP also establish a shared key which can be used for subsequent communication.

        Whatever the authentication mechanism, the client must present something which establishes its identity on each call. In a simple case, this will be the password; in more sophisticated cases it will be some kind of authentication token or session key. Either way, they are vulnerable to eavesdropping and the transport has to be protected to prevent this.



        • #5
          CAS supports a proxy ticket model that you might find useful, if you need an immediate solution. Alternatively, Digest authentication offers a mechanism specifically designed to be reasonably immune from plaintext password risks - although SSL is the recommended solution.


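The challenge/response idea from #4 and the Digest authentication mentioned in #5, as an added example that is not part of the original thread and not Acegi code: a minimal RFC 2617 Digest exchange (qop=auth) in Python, showing both sides' messages. The client answers a server nonce with MD5 hashes derived from the password, the server checks the answer against a stored HA1 and refuses a captured request that is replayed, and the password itself never appears on the wire. The realm name, endpoint, user name and password are constructed sample values; the known-answer function uses the worked example from RFC 2617 section 3.5.

```python
"""Digest-style challenge/response: the password never crosses the wire.

Standalone illustration written for this thread, not Acegi code.
Realm, endpoint, user names and passwords are constructed sample values.
"""
import hashlib
import hmac
import secrets

REALM = "acegi-remote"  # hypothetical realm name (assumption)


def _md5(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    """RFC 2617 HA1 = MD5(username:realm:password); the only secret the server keeps."""
    return _md5(f"{username}:{realm}:{password}")


def digest_response(h1: str, method: str, uri: str, nonce: str,
                    nc: str, cnonce: str, qop: str = "auth") -> str:
    """RFC 2617 response for qop=auth: MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{h1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


class DigestServer:
    """Verifies answers from stored HA1 values; tracks nonce counts to reject replays."""

    def __init__(self, users: dict):
        self.users = users      # username -> HA1
        self.nonces = {}        # nonce -> highest nonce-count accepted so far

    def challenge(self) -> dict:
        nonce = secrets.token_hex(16)  # fresh, unpredictable per challenge
        self.nonces[nonce] = 0
        return {"realm": REALM, "nonce": nonce, "qop": "auth"}

    def verify(self, method: str, uri: str, auth: dict) -> bool:
        nonce = auth.get("nonce")
        if nonce not in self.nonces:
            return False                    # unknown or expired nonce
        nc = int(auth["nc"], 16)
        if nc <= self.nonces[nonce]:
            return False                    # nonce count did not increase: replay
        h1 = self.users.get(auth.get("username"))
        if h1 is None:
            return False
        expected = digest_response(h1, method, uri, nonce, auth["nc"],
                                   auth["cnonce"], auth.get("qop", "auth"))
        if not hmac.compare_digest(expected, auth["response"]):
            return False
        self.nonces[nonce] = nc
        return True


class DigestClient:
    """Answers a challenge from the password; only hashes leave the client."""

    def __init__(self, username: str, password: str):
        self.username = username
        self.password = password
        self.nc = 0

    def respond(self, method: str, uri: str, challenge: dict) -> dict:
        self.nc += 1
        nc = f"{self.nc:08x}"
        cnonce = secrets.token_hex(8)
        h1 = ha1(self.username, challenge["realm"], self.password)
        return {
            "username": self.username, "realm": challenge["realm"],
            "nonce": challenge["nonce"], "uri": uri, "qop": challenge["qop"],
            "nc": nc, "cnonce": cnonce,
            "response": digest_response(h1, method, uri, challenge["nonce"],
                                        nc, cnonce, challenge["qop"]),
        }


def rfc2617_example() -> str:
    """Known-answer check against the worked example in RFC 2617 section 3.5."""
    h1 = ha1("Mufasa", "testrealm@host.com", "Circle Of Life")
    return digest_response(h1, "GET", "/dir/index.html",
                           "dcd98b7102dd2f0e8b11d0f600bfb0c093",
                           "00000001", "0a4f113b", "auth")


def demo() -> tuple:
    """Returns (genuine request accepted, captured request replayed, password on wire)."""
    server = DigestServer({"kostas": ha1("kostas", REALM, "s3cret")})  # constructed user
    client = DigestClient("kostas", "s3cret")
    uri = "/remote/service"                                            # hypothetical endpoint

    auth = client.respond("GET", uri, server.challenge())   # client -> server message
    accepted = server.verify("GET", uri, auth)
    replayed = server.verify("GET", uri, dict(auth))        # eavesdropper resends the capture
    leaked = "s3cret" in repr(auth)                         # the password itself is never sent
    return accepted, replayed, leaked


if __name__ == "__main__":
    print(demo())
```

The caveats a practitioner should keep in mind match the thread's own conclusion: the user name is still visible, the captured response is an offline dictionary-attack target because MD5 is fast, and the HA1 the server stores is password-equivalent within that realm. Digest limits what an eavesdropper learns from one call; it does not replace the transport protection (SSL) that #4 and #5 recommend.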