4.11.4 Authenticating users from within applications
This subsection describes the authentication functionality available for applications to ensure security in Web client configurations.
(1) The purpose of authenticating users from within applications
When considering security threats, authenticating users when they execute applications helps to prevent system users from carrying out operations or acquiring information beyond the scope of the permission granted to them.
Application servers allow the use of the following three protocols to ensure security via user authentication:
- HTTPS (Client authentication)
- HTTP (Basic authentication)
- HTTP (Form authentication)
Ensure security by using one of these protocols according to your particular purpose.
(2) Comparison between application-based user authentication methods
The table below shows where user authentication is carried out for each communication protocol, as well as the authentication engines used.
| Protocol used | Location of authentication | Authentication engine |
|---|---|---|
| HTTPS (Client authentication) | Cosminexus HTTP Server or Microsoft IIS | SSL |
| HTTPS (Client authentication) | SSL accelerator | SSL |
| HTTP (Basic authentication) | Cosminexus HTTP Server | HWS password file |
| HTTP (Basic authentication) | Cosminexus HTTP Server | LDAP repository |
| HTTP (Basic authentication) | J2EE server (Web container) | Password file |
| HTTP (Form authentication) | J2EE server (Web container) | Password file |
| HTTP (Form authentication) | J2EE server (integrated user management) | Integrated user management password file |
| HTTP (Form authentication) | J2EE server (integrated user management) | Database |
| HTTP (Form authentication) | J2EE server (integrated user management) | LDAP repository |
Each protocol and authentication engine has its own characteristics. Weigh these characteristics when selecting the authentication method that suits the purpose of your system.
(a) Features of the protocols
The table below shows the features of the protocols that can be used for authentication on an application server system.
| Protocol used | Authentication interface flexibility | Ease of management from client | Network safety |
|---|---|---|---|
| HTTPS (Client authentication) | Available functions are limited to those provided by a Web browser. | Client certificates are required. | Because the connection is encrypted, authentication information stays safe even if eavesdropping occurs. |
| HTTP (Basic authentication) | Available functions are limited to those provided by a Web browser. | Common user name/password-based authentication is possible. | Passwords are sent in plain text or an equivalent (trivially reversible) format and can be leaked. Therefore, this authentication is usually used along with the HTTPS encryption function (for server authentication only). |
| HTTP (Form authentication) | Different functions can be designed for each application. | Common user name/password-based authentication is possible. | Passwords are sent in plain text or an equivalent format and can be leaked. Therefore, this authentication is usually used along with the HTTPS encryption function (for server authentication only). |
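The usual way to apply the "use Basic or Form authentication only together with HTTPS" recommendation above in a J2EE Web container is a transport guarantee in the deployment descriptor. The following `web.xml` fragment is an added example using the standard Servlet deployment descriptor, not configuration from this manual; the realm name, role name, URL pattern and login pages are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">

  <!-- Form authentication: the Web container presents the login page and
       checks the submitted user name/password against its configured
       authentication engine (password file, integrated user management, ...).
       Replacing FORM with BASIC switches to HTTP Basic authentication; the
       transport guarantee below protects both in the same way. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>ExampleRealm</realm-name>             <!-- assumed name -->
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>    <!-- assumed pages -->
      <form-error-page>/login-error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected area</web-resource-name>
      <url-pattern>/secure/*</url-pattern>             <!-- assumed path -->
    </web-resource-collection>
    <!-- Only authenticated users mapped to this (assumed) role may enter. -->
    <auth-constraint>
      <role-name>app-user</role-name>
    </auth-constraint>
    <!-- CONFIDENTIAL makes the container redirect plain HTTP requests for
         the protected area to HTTPS before authentication takes place, so
         the password in the login form (or Authorization header) is never
         sent in clear text. Leaving this element out, or using NONE, keeps
         the weakness described in the table. -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <security-role>
    <role-name>app-user</role-name>
  </security-role>
</web-app>
```

Because the constraint applies per URL pattern, every path that triggers a login must be covered by a constraint with `CONFIDENTIAL`; an unprotected pattern that also requires authentication would still accept credentials over plain HTTP.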
(b) Features of the authentication engines
The table below shows the features of the authentication engines.
| Engine type | Versatility | Maintainability | Effect on system configuration | Effect on performance |
|---|---|---|---|---|
| Password file | The format varies with the function used. | Each server or host has its own user information. | No special process is required for authentication. | Faster, because no process or host communication occurs for authentication. |
| Database | Depending on the format, an existing user information database can be used. | User information management can be centralized. | A database server is required to store user information. | It takes additional time to access the database for authentication. |
| LDAP repository | Depending on the format, an existing user information repository can be used. | User information management can be centralized, including distributed user information. | An LDAP-compliant directory server is required to store user information. | It takes additional time to access the LDAP directory server for authentication. |