[albatross-users] tamper-resistant authentication code
Eric S. Johansson
esj at harvee.org
Sat Sep 13 00:38:34 EST 2003
This is a very rough cut on authentication code for Web services. I followed
the model set down by some folks at MIT (see URL and comments) after taking the
time to understand the security model, so I'm confident that it is a correct
implementation and will withstand all of the attacks discussed in the paper. It
will also be vulnerable to the problems discussed in the paper too. ;-)
I kept this object as simple as possible to make it easier to validate. There
are four functions, initialization, new, validate, and check authentication.
object initialization just stores the secret key and the duration of validity
for any authentication token. I chose to store these components at this time
because they are common to all of the interfaces.
The new routine creates a new token and has the option of adding some authentication
specific information to the token and changing the duration. It just occurred to
me that I did not put in any method for retrieving the data. Next revision.
validate takes a returned authentication token and returns a Boolean as to
whether or not the token is valid. Alternatively, if people prefer, I could
throw an exception on the two different types, but I see that as being needlessly
complicated.
The last routine, check authentication, looks within the albatross context for
an authentication variable and depending on its presence and validation, will
either return the Login HTML reference or an application HTML reference.
I'm just starting to think about integration with albatross. Since I don't know
the code base very well, I would ask for advice on how to integrate or whether
or not I should.
For example, if I'm not going to integrate directly into the code base but
maintain this separately I might derive a new object from the base
authentication object to do the albatross specific magic in.
What say you?
---eric
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: login.py
URL: <http://www.object-craft.com.au/pipermail/albatross-users/attachments/20030912/0d9522cf/attachment.ksh>
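The four-method object described in the post (initialization, new, validate, check authentication), as an added illustration that is not the attached login.py and not Albatross code. The MIT paper the post refers to is most likely Fu, Sit, Smith and Feamster's "Dos and Don'ts of Client Authentication on the Web"; the token layout below (expiry timestamp, optional data, keyed MAC over both) follows the scheme that paper recommends, but the class name, method names, HMAC-SHA256, the dot-separated encoding, the `clock` parameter and the plain-dict stand-in for the Albatross context are all assumptions made for this example.

```python
import base64
import hashlib
import hmac
import time


class TamperResistantAuth:
    """Expiring, keyed-MAC authentication token (added example; assumed design).

    Token layout: "<expiry>.<base64(data)>.<base64(HMAC-SHA256(key, "<expiry>.<base64(data)>"))>"
    Anyone can read the expiry and data, but nobody without the key can alter
    them or forge a token, because the MAC covers both fields.
    """

    def __init__(self, secret, duration=3600, clock=time.time):
        # Store the secret key and default validity window, shared by all calls.
        self._secret = secret if isinstance(secret, bytes) else secret.encode()
        self._duration = duration
        self._clock = clock  # injectable so tests can control "now"

    def _mac(self, payload: bytes) -> bytes:
        return hmac.new(self._secret, payload, hashlib.sha256).digest()

    def new(self, data: bytes = b"", duration=None) -> str:
        """Create a token carrying optional data, valid for `duration` seconds."""
        exp = int(self._clock()) + (self._duration if duration is None else duration)
        data_b64 = base64.urlsafe_b64encode(data).decode()
        payload = f"{exp}.{data_b64}".encode()
        tag_b64 = base64.urlsafe_b64encode(self._mac(payload)).decode()
        return payload.decode() + "." + tag_b64

    def parse(self, token: str):
        """Return (expiry, data) for a valid token, or None if it is malformed,
        tampered with or expired. This also supplies the data retrieval the post
        notes is missing."""
        try:
            exp_s, data_b64, tag_b64 = token.split(".")
            exp = int(exp_s)
            data = base64.urlsafe_b64decode(data_b64)
            tag = base64.urlsafe_b64decode(tag_b64)
        except ValueError:  # wrong field count, non-integer expiry, bad base64
            return None
        # MAC is recomputed over the exact bytes that were signed and compared in
        # constant time, so a forged tag cannot be detected by response timing.
        payload = f"{exp_s}.{data_b64}".encode()
        if not hmac.compare_digest(tag, self._mac(payload)):
            return None
        if exp < int(self._clock()):
            return None
        return exp, data

    def validate(self, token: str) -> bool:
        """Boolean check, as the post describes, rather than raising exceptions."""
        return self.parse(token) is not None

    def check_authentication(self, context, login_page, app_page, key="auth_token"):
        """Look up the authentication variable in the (assumed dict-like) context
        and return the login page reference or the application page reference."""
        token = context.get(key)
        if token is not None and self.validate(token):
            return app_page
        return login_page


if __name__ == "__main__":
    auth = TamperResistantAuth(b"demo-secret-key", duration=60)
    tok = auth.new(b"user=eric")
    print(tok, auth.validate(tok), auth.parse(tok))
```

Expiry is checked only after the MAC verifies, so an attacker who edits the timestamp field gets the same rejection as one who edits the data; the key is the only thing that lets a token be minted or extended.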