Changes between Version 1 and Version 2 of HttpAuthProposals/MutualAuth/LayeringDesigns


Timestamp:
Jun 12, 2012, 8:57:11 PM
Author:
y.oiwa@…
Comment:

--

  • HttpAuthProposals/MutualAuth/LayeringDesigns

    v1 v2  
    141141People may wonder how it can be realized in the real applications.  Some sample tactics for such deployment is included in the draft.
    142142
    143    Note: As obviously, it could be designed alternatively as directives (parameters) on the WWW-Authenticate headers.  Such design is simpler when we only care about the protocol layer.  However, if we did such a way, we MUST have a tight communication channel between server-side authenticator and Web applications.  Server-side authenticator can be either in the web-server layer or in the application framework layer, but in either case it is difficult to deploy.  We cared this issue, avoided such shortcomings, and so we introduced it as an additional header.  It is also designed so that applications do not necessarily understand detailed authentication status.  This makes it possible to ''statically'' configure these headers when application requirement is simple, eliminating a need for CGI applications only for that header.
     143   Note: As obviously, it could be designed alternatively as directives (parameters) on the WWW-Authenticate headers.  Such design is simpler when we only care about the protocol layer.  However, if we did such a way, we MUST have a tight communication channel between server-side authenticator and Web applications.  Server-side authenticator can be either in the web-server layer or in the application framework layer, but in either case it is difficult to deploy.  We cared this issue, avoided such shortcomings, and so we introduced it as an additional header named "Authentication-Control:".  It is also designed so that applications do not necessarily understand detailed authentication status.  This makes it possible to ''statically'' configure these headers when application requirement is simple, eliminating a need for CGI applications only for that header (e.g. Apache has a simple "mod_headers" module for just setting HTTP headers from .htaccess files).
    144144
    145145== 3. Multiple stage authentication in HTTP ==
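Review bot: the new parenthetical at the end of line 143 presents mod_headers as the way to set "Authentication-Control:" statically from .htaccess, but the same sentence says this only works "when application requirement is simple"; state the limitation concretely, since a header set this way carries the same value on every response, so it covers only values that do not depend on the per-request authentication status the paragraph says applications need not understand, and anything status-dependent still needs the authenticator or application to emit the header. Two wording points in the same line that survive from v1: "As obviously" should read "Obviously" (or "As is obvious"), and "We cared this issue" should be "We took care of this issue".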
     
    149149Important thing here is: with regards to the real communications, HTTP layer and payload-layer protocols are isomorphic; if we have an payload-layer protocol which are common to several resources (URIs), we can have a embedding of that protocol into an HTTP layer;  if we have an HTTP-layer protocol, we may have an trivial embedding of that into a payload-layer API (although that may be not quite beautiful).  There is no fundamental difference here.
    150150
    151 We already proved that multiple-stage authentication ''is'' possible within HTTP layer by our reference implementations.  There are two possible implementation layers as mentioned before, and we took the harder approach, i.e. using the server-layer software technologies for implementations, and it succeeded.  If there is still any doubt, you can just handle authentication in the application software or application framework layers, so that you can use any technologies which enables multiple-stage payload-layer protocols.
     151We already proved that multiple-stage authentication ''is'' possible within HTTP layer by our reference implementations.  There are two possible implementation layers (server layer v.s. application software layer) as mentioned before, and we took the harder approach, i.e. using the server-layer software technologies for implementations, and it succeeded.  If there is still any doubt, you can just handle authentication in the application software or application framework layers, so that you can use any technologies which enables multiple-stage payload-layer protocols.
    152152
    153153During our stage of design Mutual authentication, one concern regarding the multiple-stage authentication was possible conflicts with load-balancing proxies.  As authentication statuses are shared between clients and server-side authenticator, if there are hidden multiple instances of server-side software, any server-side endpoint for single client should share the authentication status information.  However, you should also notice that, even with payload-layer protocols, the same problem arises.  Common approach is to use back-end information-sharing software (e.g. RDB), and it can be applied also to the http-layer protocol implemented in the application software layer.
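Review bot: in the added parenthetical on line 151, "v.s." should be "vs." (the abbreviation of versus takes a single period), and "server layer" should match the wording used two sentences later, "server-layer software technologies", so readers can see that the two names refer to the same implementation layer. Since the paragraph rests on "as mentioned before", consider naming the section where the two layers were introduced so the reference can be checked.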