Introduction
I’ve been very busy these last two years updating a proprietary web application (written in Java) to integrate it into the Microsoft security systems (amongst other things). Therefore I have had to dive into the different security mechanisms that can protect the HTTP protocol and which are often encountered by internet users. This article is certainly not exhaustive and is divided into a few parts.
Authentication and authorization
Before diving into the technical details, it’s important to recall the two fundamental principles of security:
Authentication: the method used to certify that an actor really is the one it claims to be.
Authorization: the access control to resources, granted on the basis of the information gained from authentication.
Authentication families
In my view, the different HTTP authentication mechanisms can primarily be organized according to these criteria:
Scalar or vectorial type & OSI level
Scalar and vectorial authentications
– Scalar authentications are those that return a single attribute (for example, BASIC authentication, with a username and its password, whose goal is to validate and transmit the username).
– Vectorial authentications are those that return more than one attribute (for example, the CLAIM-BASED authentication mechanism, whose goal is to validate and transmit the user’s properties, e.g. email, NISS, phone number, locality).
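As an added illustration of the scalar/vectorial distinction (example code, not from the original post): a Basic Authorization header, once verified, vouches for exactly one attribute (the username), while a signed claim assertion vouches for a whole set of attributes. The credential store, salt, signing key and the assertion format below are constructed for this demo; the only real standard referenced is RFC 7617 for the Basic header.

```python
import base64
import binascii
import hashlib
import hmac
import json

# Constructed credential store (hypothetical): username -> salted SHA-256 of the password.
_SALT = b"demo-salt"
_USERS = {
    "alice": hashlib.sha256(_SALT + b"s3cret").digest(),
    "bob": hashlib.sha256(_SALT + b"pa:ss").digest(),  # password containing a colon
}
_CLAIMS_KEY = b"demo-signing-key"  # constructed shared secret for the claim assertions

def basic_authenticate(authorization_header):
    """Scalar: verify an RFC 7617 Basic header and return only the username, or None."""
    scheme, _, token = authorization_header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # Only the first colon separates user from password; the password may contain ':'.
    username, sep, password = decoded.partition(":")
    expected = _USERS.get(username) if sep else None
    if expected is None:
        return None
    digest = hashlib.sha256(_SALT + password.encode("utf-8")).digest()
    return username if hmac.compare_digest(digest, expected) else None  # constant-time

def _mac(payload_b64):
    return hmac.new(_CLAIMS_KEY, payload_b64.encode("utf-8"), hashlib.sha256).hexdigest()

def make_assertion(claims):
    """Identity-provider side: issue '<urlsafe-b64 JSON>.<hex HMAC>' (demo format)."""
    payload_b64 = base64.urlsafe_b64encode(json.dumps(claims).encode("utf-8")).decode("ascii")
    return payload_b64 + "." + _mac(payload_b64)

def claims_authenticate(assertion):
    """Vectorial: check the signature first, then return every vouched-for attribute."""
    payload_b64, sep, signature = assertion.partition(".")
    if not sep or not hmac.compare_digest(_mac(payload_b64).encode(), signature.encode("utf-8")):
        return None  # unverified claims must never feed authorization decisions
    try:
        claims = json.loads(base64.urlsafe_b64decode(payload_b64))
    except (binascii.Error, ValueError):
        return None
    return claims if isinstance(claims, dict) else None
```

Both functions refuse before they return anything, so a caller that receives a non-None result knows the attribute(s) were actually verified rather than merely present in the request.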
OSI level of authentication
The OSI model, which is well described on Wikipedia and defines the layering of network communication, can also be used to structure the HTTP authentication mechanisms.
To be continued…
In the next posts, we’ll look in detail at the following authentication mechanisms:
Basic authentication
Form authentication
Digest authentication
Certificate authentication
NTLM authentication
Kerberos authentication
Claim-based authentication