Authentication and Authorization on the Web (Web Security Topics)

Nigel Chapman, Jenny Chapman

Language: English

Pages: 246

ISBN: 0956737056

Format: PDF / Kindle (mobi) / ePub


A short book in the "Web Security Topics" series for Web developers, by the well-known authors Nigel and Jenny Chapman. Web applications manipulate resources in response to requests from users. It is often necessary to determine whether a requested operation should be allowed for the user who sent the request. This process of authorization - that is, deciding whether an application should be allowed to carry out the operation which a request from a particular user or program calls for - depends on, but is separate from, the process of authentication. Authentication means determining the identity of the user or program sending the request. This is usually done by maintaining user accounts, protected by passwords, and by requiring users to log in. Written for professional and student Web developers, this book provides a clear and practical description of authentication and authorization for Web sites. Secure methods of storing users' account details are described, with special emphasis on the secure storage of passwords. The authors explain different methods of authentication, and techniques for applying authorization to requests from authenticated users. A simple application, written in JavaScript and built on the Express framework, is developed throughout the book to demonstrate the principles. The source code is provided via the companion site websecuritytopics.info. Topics covered include hashing and salting passwords for secure storage, using CAPTCHAs to prevent the creation of bogus accounts, resetting passwords, session-based authentication and attacks against sessions, HTTP authentication, OpenID, authorization based on user accounts, role-based authorization, and OAuth. Notes on relevant topics in cryptography are also included. Clear key points provide useful summaries at the end of each section, and technical terms are defined in a 16-page glossary.

HTTP Pocket Reference: Hypertext Transfer Protocol

WordPress Bible (2nd Edition)

Das Beste an HTML & CSS

PHP and Algorithmic Thinking for the Complete Beginner: Learn to Think Like a Programmer

Web Development with Django Cookbook

Sample (fragment of the book's Express password-reset controller; the code is cut off at both ends in the sample):

                res);
            })
        }
        else {
            req.flash('error',
                'There is no account with email address ' + address);
            res.render('password_resets/new',
                { title : 'Request Password Reset',
                  u: null});
        }
    });
    },
    edit: function(req, res){
        User.findByPasswordResetToken(req.params.token,
            function(err, theUser) {
                if (theUser && !err)

situations in which, despite its advantages, HTTP Authentication is not a suitable means of authenticating users, and more elaborate mechanisms are often preferred.

Key Points

An application using HTTP Authentication sends a challenge and receives a response in the WWW-Authenticate and Authorization headers, respectively. When the server receives a request for a restricted resource, and the request does not have a valid Authorization header, it sends a response with status

whether the operation being requested is permitted, it is necessary to have an efficient means of recording any restrictions that apply to each combination of operation, user, and resource. The authorization operation itself can then be implemented using route middleware.

Account-Based Authorization

The simplest authorization scheme to implement is one that associates the right to perform operations with individual user accounts. This makes sense if it is possible to identify an owner

fit for applications written in JavaScript, but we prefer to use a traditional relational database in our examples, as it will be more familiar to most readers and incorporates well-established methods of representing data and the relationships within it. Broadly speaking, there are two ways of interacting with a relational database system from within a program written in an object-oriented language. Object-Relational Mapping (ORM) is a way of allowing the tables in the database to be

To ensure that users can only perform operations on resources they own, the middleware array can be used to build a query that only retrieves resource records whose user_id foreign key matches the current user’s id. Only authorized data will be passed to the controller, which therefore does not need to perform any checks of its own. When authorization constraints depend on a many-to-many relationship, a join table containing keys for the resource and user must be maintained. The
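The two excerpts above (authorization as route middleware, and scoping the query to rows whose user_id matches the current user) worked through as an added example. This is not the book's code: it is framework-free JavaScript with the same (req, res, next) middleware shape, and the notes table, the note_shares join table for the many-to-many "shared with" relation, the column names and the in-memory stand-in for a SQL driver are all constructed for illustration. It goes slightly beyond the text by showing that the same query-scoping idea covers the join-table case, and that read and delete routes can use different scopes.

```javascript
// Added example, not the book's code: account-based authorization in route
// middleware, with the query itself restricted to the current user's rows.
// Tables, columns and the in-memory "database" are constructed for illustration.

// Constructed sample data. notes.user_id is the owner's foreign key;
// note_shares is the join table for the many-to-many "shared with" relation.
const DB = {
  notes: [
    { id: 1, user_id: 10, body: 'alice first note' },
    { id: 2, user_id: 10, body: 'alice second note' },
    { id: 3, user_id: 11, body: 'bob note shared with alice' },
  ],
  note_shares: [{ note_id: 3, user_id: 10 }],
};

// Parameterized queries (placeholders, never string concatenation) that only
// return rows the current user may act on. Authorization happens here: a row
// the user may not touch is never retrieved, so controllers need no own checks.
function ownedNoteQuery(noteId, userId) {
  return {
    name: 'owned',
    text: 'SELECT * FROM notes WHERE id = $1 AND user_id = $2',
    values: [noteId, userId],
  };
}
function ownedOrSharedNoteQuery(noteId, userId) {
  return {
    name: 'owned_or_shared',
    text: 'SELECT * FROM notes n WHERE n.id = $1 AND (n.user_id = $2 OR EXISTS ' +
          '(SELECT 1 FROM note_shares s WHERE s.note_id = n.id AND s.user_id = $2))',
    values: [noteId, userId],
  };
}

// Stand-in for a SQL driver: evaluates the two queries above against DB.
// A real application would hand query.text and query.values to its driver.
function runQuery(query) {
  const [noteId, userId] = query.values;
  const sharedWith = (n) =>
    DB.note_shares.some((s) => s.note_id === n.id && s.user_id === userId);
  return DB.notes.filter((n) =>
    n.id === noteId &&
    (n.user_id === userId || (query.name === 'owned_or_shared' && sharedWith(n))));
}

// Middleware: require an authenticated session (populated earlier by login).
function requireLogin(req, res, next) {
  if (!req.session || !Number.isInteger(req.session.userId)) {
    res.status(401).send('Please log in');
    return;
  }
  next();
}

// Middleware factory: load the note only if the current user owns it
// (or, when allowShared is true, has it shared with them).
function loadNote({ allowShared }) {
  return function (req, res, next) {
    const noteId = Number.parseInt(req.params.id, 10);
    if (!Number.isInteger(noteId)) { res.status(400).send('Bad note id'); return; }
    const build = allowShared ? ownedOrSharedNoteQuery : ownedNoteQuery;
    const rows = runQuery(build(noteId, req.session.userId));
    if (rows.length === 0) {
      // Same answer as for a nonexistent id, so other users' ids are not leaked.
      res.status(404).send('Not found');
      return;
    }
    req.note = rows[0];
    next();
  };
}

// Controllers trust req.note and perform no ownership checks of their own.
function showNote(req, res) { res.status(200).send(req.note.body); }
function deleteNote(req, res) {
  DB.notes = DB.notes.filter((n) => n.id !== req.note.id);
  res.status(204).send('');
}

// Routes as middleware arrays: reading allows shared notes, deleting only the owner.
const showNoteRoute = [requireLogin, loadNote({ allowShared: true }), showNote];
const deleteNoteRoute = [requireLogin, loadNote({ allowShared: false }), deleteNote];

// Run a middleware chain the way a router would, capturing the response.
function dispatch(chain, req) {
  const out = { status: 0, body: null };
  const res = {
    status(code) { out.status = code; return this; },
    send(body) { out.body = body; },
  };
  let i = 0;
  const next = () => { const fn = chain[i++]; if (fn) fn(req, res, next); };
  next();
  return out;
}
```

Responding 404 rather than 403 when the row exists but belongs to someone else is a deliberate choice: it keeps an attacker who iterates over ids from learning which ones are valid. The join-table query relies on EXISTS rather than a LEFT JOIN so that several share rows for the same note cannot produce duplicate results.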
