A presentation describing authentication and authorization and how they are used in web application security: definitions, implementation, and a full example of how they work.
1. AUTHENTICATION AND AUTHORIZATION IN WEB APPLICATIONS SECURITY
Supervisor: D. Mayada Al Meghari
Abed Elilah Elmahmoum
Course: ITCS6322.20447.31.88- Web Applications Security
3. INTRODUCTION
It seems that there is no way to go through a day without using authentication and authorization, both in real life and in virtual life.
4. CONCEPTS
Authentication
The process of identifying users that request access to a system, network, or device.
It verifies who you are.
5. CONCEPTS
Authorization
The process of controlling user access via assigned roles and privileges.
It determines what you can do.
6. Authentication vs. Authorization
Question                        Authentication                        Authorization
What does it do?                Verifies credentials                  Grants or denies permissions
How does it work?               Through passwords, biometrics, etc.   Through settings maintained by security teams
Is it visible to the user?      Yes                                   No
Is it changeable by the user?   Partially                             No
How does data move?             Through ID tokens                     Through access tokens
7. Application Examples
Applications that use authentication and authorization.
Mobile applications:
Social media apps (Facebook, Twitter, LinkedIn, ...).
Google apps (Gmail, Google Play, ...).
E-commerce apps.
Web applications:
Microsoft Office.
Netflix.
Trello.
9. Authentication Methods
Multi-factor (MFA)
Requires two or more independent ways to identify a user, for example Captcha tests and fingerprints.
Passwords
The most common method of authentication: a password is used to gain access.
Single Sign-on (SSO)
Enables login to multiple applications via a central identity provider.
Token authentication
Grants access to a user or device based on an access token ID they possess.
Biometric
Unique biological characteristics of an individual, such as facial or speaker recognition, fingerprints, and eye scanners.
11. Authorization Methods
Mandatory Access Control (MAC)
Defines which files and memory objects users can access.
Attribute-based Access Control (ABAC)
An entity is authorized if the authentication system finds that all the attributes defined in the policy are true.
Role-Based Access Control (RBAC)
RBAC builds on predefined roles and privileges, assigns users to roles, and configures a system so that only specific roles can access each object.
Discretionary Access Control (DAC)
DAC determines privileges depending on the specific user and their access groups.
12. Implementation and scenario
Monolithic application authentication and authorization:
In the application, a security module is generally used to implement user authentication and authorization.
For example: Software as a Service (SaaS) office tools (such as Microsoft Office 365).
13. Implementation and scenario
Monolithic application user authentication scenario:
• The user enters a username and password.
• The security module verifies the identity of the user.
• A session is created for the user, with a unique ID associated with the session.
• The session stores the logged-in user's information: user name, role, and permissions.
• The server returns the Session Id to the client.
• The client records the Session Id as a cookie and sends it to the application in subsequent requests.
• The application can then use the Session Id to verify the user's identity, without the user having to enter a user name and password for authentication each time.
14. Implementation and scenario
Monolithic application user authorization scenario:
• The client accesses the application.
• The Session Id is sent to the application along with the HTTP request.
• The security module generally processes all received client requests through an authorization interceptor.
• This interceptor first determines whether the Session Id exists.
• If the Session Id exists, it knows that the user has logged in.
• Then, by querying the user's rights, it determines whether the user can execute the request or not.
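The two scenarios on slides 13 and 14 (session creation at login, then an authorization interceptor that checks the session and the user's permissions on each request) as an added example; this is illustration code written for this page, not code from the presentation, and the users, passwords and permission names are constructed.

```python
import hashlib
import hmac
import secrets

def _make_user(password: str, role: str, permissions: set) -> dict:
    """Constructed user record: the password is stored only as a salted PBKDF2 hash."""
    salt = secrets.token_bytes(16)
    return {"salt": salt, "role": role, "permissions": permissions,
            "hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)}

USERS = {  # constructed sample accounts
    "alice": _make_user("alice-pw", "editor", {"doc:read", "doc:write"}),
    "bob": _make_user("bob-pw", "viewer", {"doc:read"}),
}
SESSIONS = {}  # server-side session store: Session Id -> user name, role, permissions

def login(username: str, password: str):
    """Security module (slide 13): verify identity, then create a session with a unique id."""
    user = USERS.get(username)
    if user is None:
        return None
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], 100_000)
    if not hmac.compare_digest(user["hash"], candidate):  # constant-time comparison
        return None  # wrong password: no session is created
    session_id = secrets.token_urlsafe(32)  # unguessable id the client keeps as a cookie
    SESSIONS[session_id] = {"user": username, "role": user["role"],
                            "permissions": user["permissions"]}
    return session_id

def authorization_interceptor(cookies: dict, required_permission: str):
    """Runs on every request (slide 14): does the Session Id exist, and may the user do this?"""
    session = SESSIONS.get(cookies.get("session_id", ""))
    if session is None:
        return 401, "not logged in"  # unknown or missing Session Id
    if required_permission not in session["permissions"]:
        return 403, f"{session['user']} ({session['role']}) lacks {required_permission}"
    return 200, f"request allowed for {session['user']}"
```

A forged or expired-looking cookie value simply misses the server-side store and is treated as not logged in; the permission check is a second, separate decision, which is the authentication/authorization split the slides describe.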