Chapter 23. Restricting Access to Your Applications


Authentication Overview

Authorization and authentication are common requirements for many Web sites. Authentication establishes the identity of parties in a communication. You can authenticate yourself by something you know (a password, a cookie), something you have (an ID card, a key), something you are (your fingerprint, your retina), or a combination of these elements. In the context of the Web, authentication is usually restricted to the use of passwords and certificates.

Authorization deals with protecting access to resources. You can authorize based on several factors, such as the IP address the user is coming from, the user's browser, the content the user is trying to access, or who the user is (which is previously determined via authentication).

Apache includes several modules that provide authentication and access control and that can be used to protect both dynamic and static content. You can either use one of these modules or implement your own access control at the application level and provide customized login screens, single sign-on, and other advanced functionality.



Client Authentication

Users are authenticated for tracking or authorization purposes. The HTTP specification provides two authentication mechanisms: basic and digest. In both cases, the process is the following:

1. A client tries to access restricted content in the Web server.

2. Apache checks whether the client is providing a username and password. If not, Apache returns an HTTP 401 status code, indicating user authentication is required.

3. The client reads the response and prompts the user for the required username and password (usually with a pop-up window).

4. The client retries accessing the Web page, this time transmitting the username and password as part of the HTTP request. The client remembers the username and password and transmits them in later requests to the same site, so the user does not need to retype them for every request.

5. Apache checks the validity of the credentials and grants or denies access based on the user identity and other access rules.

In the basic authentication scheme, the username and password are transmitted in clear text, as part of the HTTP request headers. This poses a security risk because an attacker could easily peek at the conversation between server and browser, learn the username and password, and reuse them freely afterward.

Digest authentication provides increased security because it transmits a digest instead of the clear text password. The digest is based on a combination of several parameters, including the username, password, and request method. The server can calculate the digest on its own and check that the client knows the password, even when the password itself is not transmitted over the network.

A digest algorithm is a mathematical operation that takes a text and returns another text, a digest, which uniquely identifies the original one. A good digest algorithm should make sure that, at least for practical purposes, different input texts produce different digests and that the original input text cannot be derived from the digest. MD5 is the name of a commonly used digest algorithm.

Unfortunately, although the specification has been available for quite some time, only very recent browsers support digest authentication. This means that for practical purposes, digest authentication is restricted to scenarios in which you have control over the browser software of your clients, such as in a company intranet.

In any case, for both digest and basic authentication, the requested information itself is transmitted unprotected over the network. A better choice to secure access to your Web site involves using the HTTP over SSL protocol, as described in Chapter 27, "Setting Up a Secure Web Server."
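The two schemes described above, played out as both sides of one request. This is an added example, not code from the chapter or from Apache: the user store, the realm name and the helper names (basic_header, server_check_digest, exchange and so on) are constructed for the illustration. It shows that a Basic header decodes straight back to the password, while a Digest header (RFC 2617, without the qop extension) only carries MD5(HA1:nonce:HA2) and is rejected when replayed against a different server nonce.

```python
import base64
import hashlib
import secrets

# Constructed user store for the example. The server side of both schemes
# needs the clear-text password (or, for digest, MD5(user:realm:password)).
USERS = {"admin": "s3cret-pass"}
REALM = "Private Area"


def basic_header(user, password):
    """Authorization header a browser sends for basic authentication."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def parse_basic(header):
    """What anyone observing the request recovers from a Basic header:
    base64 is an encoding, not encryption."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic header")
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


def server_check_basic(header):
    user, password = parse_basic(header)
    return USERS.get(user) == password


def _md5_hex(s):
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(user, realm, password, method, uri, nonce):
    """RFC 2617 digest without qop: MD5(HA1:nonce:HA2) where
    HA1 = MD5(user:realm:password) and HA2 = MD5(method:uri)."""
    ha1 = _md5_hex(f"{user}:{realm}:{password}")
    ha2 = _md5_hex(f"{method}:{uri}")
    return _md5_hex(f"{ha1}:{nonce}:{ha2}")


def digest_header(user, password, method, uri, nonce):
    resp = digest_response(user, REALM, password, method, uri, nonce)
    return (f'Digest username="{user}", realm="{REALM}", nonce="{nonce}", '
            f'uri="{uri}", response="{resp}"')


def parse_digest(header):
    scheme, _, params = header.partition(" ")
    if scheme != "Digest":
        raise ValueError("not a Digest header")
    fields = {}
    for part in params.split(", "):
        key, _, value = part.partition("=")
        fields[key] = value.strip('"')
    return fields


def server_check_digest(header, method, issued_nonce):
    """The server recomputes the response from its own copy of the
    password; the password itself never crosses the wire."""
    f = parse_digest(header)
    if f.get("nonce") != issued_nonce or f.get("realm") != REALM:
        return False
    password = USERS.get(f.get("username"))
    if password is None:
        return False
    expected = digest_response(f["username"], REALM, password,
                               method, f["uri"], issued_nonce)
    return secrets.compare_digest(expected, f["response"])


def exchange():
    """Run both schemes for one GET and report what the wire reveals."""
    nonce = secrets.token_hex(8)  # server-chosen, sent in the 401 challenge
    b = basic_header("admin", "s3cret-pass")
    d = digest_header("admin", "s3cret-pass", "GET", "/private/", nonce)
    return {
        "basic_ok": server_check_basic(b),
        "basic_password_on_wire": parse_basic(b)[1],
        "digest_ok": server_check_digest(d, "GET", nonce),
        "digest_password_on_wire": "s3cret-pass" in d,
        "digest_replay_other_nonce": server_check_digest(d, "GET", secrets.token_hex(8)),
    }


if __name__ == "__main__":
    print(exchange())
```

The nonce is the server's defence against a captured Digest header being replayed later: a fresh challenge produces a different expected response, which is why server_check_digest compares against the nonce it actually issued rather than the one the client echoes back.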



User Management Methods

When the authentication module receives the username and password from the client, it needs to verify that they are valid against an existing repository of users. The usernames and passwords can be stored in a variety of backends. Apache bundles support for file- and database-based authentication mechanisms. Third-party modules provide support for additional mechanisms such as Lightweight Directory Access Protocol (LDAP) and Network Information Services (NIS).



Apache Authentication Module Functionality

Apache provides the basic framework and directives to perform authentication and access control. The authentication modules provide support for validating passwords against a specific back end. Users can optionally be organized in groups, easing management of access control rules.

Apache provides three built-in directives related to authentication that will be used with any of the authentication modules: AuthName, AuthType, and Require.

AuthName accepts a string argument, the name for the authentication realm. A realm is a logical area of the Web server that you are asking the password for. It will be displayed in the browser pop-up window.

AuthType specifies the type of browser authentication: basic or digest.

Require enables you to specify a list of users or groups that will be allowed access. The syntax is Require user followed by one or more usernames, or Require group followed by one or more group names. For example:

    Require user joe bob

or

    Require group employee contractor

If you want to grant access to anyone who provides a valid username and password, you can do so with

    Require valid-user

With the preceding directives, you can control who has access to specific virtual hosts, directories, files, and so on. Although authentication and authorization are separate concepts, in practice they are tied together in Apache. Access is granted based on specific user identity or group membership. Some third-party modules, such as certain LDAP-based modules, allow for clearer separation between authentication and authorization.

The authentication modules included with Apache provide

    Back-end storage: Provide text or database files containing the username and group information

    User management: Supply tools for creating and managing users and groups in the back-end storage

    Authoritative information: Specify whether the results of the module are authoritative

Sometimes users will not be allowed access because their information is not found in the user database provided by the module, or because no authentication rules matched their information. In that case, one of two situations will occur:

    If the module specifies its results as authoritative, a user will be denied access and Apache will return an error.

    If the module specifies its results as not authoritative, other modules can have a chance of authenticating the user.

This enables you to have a main authorization module that knows about most users, and to be able to have additional modules that can authenticate the rest of the users.



File-Based Authentication

The mod_auth Apache module provides basic authentication via text files containing usernames and passwords, similar to how traditional Unix authentication works with the /etc/passwd and /etc/group files.

Back-End Storage

You need to specify the file containing the list of usernames and passwords and, optionally, the file containing the list of groups.

The users file is a Unix-style password file, containing names of users and encrypted passwords. The entries look like the following, on Unix, using the crypt algorithm:

    admin:iFrlxqg0Q6RQ6

and on Windows, using the MD5 algorithm:

    admin:$apr1$Ug3.....$jVTedbQWBKTfXsn5jK6UX/

The groups file contains a list of groups and the users who belong to each one of them, separated by spaces, such as in the following entry:

    web: admin joe Daniel

The AuthUserFile and the AuthGroupFile directives take a path argument, pointing to the users file and the groups file. The groups file is optional.



User Management

Apache includes the htpasswd utility on Unix and htpasswd.exe on Windows; they are designed to help you manage user password files. Both versions are functionally identical, but the Windows version uses a different method to encrypt the password. The encryption is transparent to the user and administrator. The first time you add a user, you need to type

    /usr/local/apache2/bin/htpasswd -c file userid

where file is the password file that will contain the list of usernames and passwords, and userid is the username you want to add. You will be prompted for a password, and the file will be created. For example, on Linux/Unix, the line

    /usr/local/apache2/bin/htpasswd -c /usr/local/apache2/conf/htus

will create the password file /usr/local/apache2/conf/htusers and add the admin user. Similar functionality exists on Windows, where the command line operation might look something like the following:

    htpasswd -c "C:\Program Files\Apache Group\Apache2\conf\htusers

The -c command-line option tells htpasswd that it should create the file. When you want to add users to an existing password file, do not use the -c option; otherwise, the file will be overwritten.

It is important that you store the password file outside the document root and thus make it inaccessible via a Web browser. Otherwise, an attacker could download the file and get a list of your usernames and passwords. Although the passwords are encrypted, when you have the file, it is possible to perform a brute-force attack to try to guess them.
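The users and groups files described under Back-End Storage, the Require user / group / valid-user rules from the Apache Authentication Module Functionality section, and the htpasswd create-versus-append behaviour just described, worked through in one added example. This is not the chapter's code and not Apache's or htpasswd's own implementation: the $apr1$ routine is a reimplementation of the md5crypt scheme Apache uses for such entries, the sample entries are generated here with a fixed salt, and the function names (apr1_md5, verify, require_allows, add_user, authenticate) are constructed for the illustration. Traditional crypt entries such as the admin:iFrlxqg0Q6RQ6 example are not handled; only the $apr1$ form is.

```python
import hashlib
import secrets

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def apr1_md5(password, salt):
    """Apache's $apr1$ hash: md5crypt with magic "$apr1$", 1,000 MD5
    rounds over password and salt, then a custom base64 of the digest.
    Reimplemented here for illustration (assumption: mirrors apr_md5.c)."""
    magic = b"$apr1$"
    pw = password.encode()
    salt = salt.encode()[:8]
    ctx = hashlib.md5(pw + magic + salt)
    alt = hashlib.md5(pw + salt + pw).digest()
    n = len(pw)
    while n > 0:                       # mix in the alternate digest
        ctx.update(alt[:min(16, n)])
        n -= 16
    i = len(pw)
    while i:                           # length-dependent bit twiddling
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for r in range(1000):              # stretching rounds
        c = hashlib.md5(pw if r & 1 else final)
        if r % 3:
            c.update(salt)
        if r % 7:
            c.update(pw)
        c.update(final if r & 1 else pw)
        final = c.digest()

    def to64(v, count):
        out = ""
        for _ in range(count):
            out += ITOA64[v & 0x3F]
            v >>= 6
        return out

    enc = "".join(to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
                  for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14),
                                  (3, 9, 15), (4, 10, 5)))
    enc += to64(final[11], 2)
    return magic.decode() + salt.decode() + "$" + enc


def verify(password, stored):
    """Check a clear-text password against one stored $apr1$ hash."""
    if not stored.startswith("$apr1$"):
        raise ValueError("unsupported hash format")
    salt = stored[6:].split("$", 1)[0]
    return secrets.compare_digest(apr1_md5(password, salt), stored)


def parse_users(text):
    """AuthUserFile format: one user:hash per line."""
    return dict(line.split(":", 1) for line in text.splitlines() if line.strip())


def parse_groups(text):
    """AuthGroupFile format: group: member member ..."""
    groups = {}
    for line in text.splitlines():
        if ":" in line:
            name, members = line.split(":", 1)
            groups[name.strip()] = set(members.split())
    return groups


def add_user(users, user, password, create=False):
    """htpasswd semantics: -c (create=True) starts from an empty file and
    discards existing entries; without it the entry is added or updated."""
    if create:
        users = {}
    salt = "".join(secrets.choice(ITOA64) for _ in range(8))
    users[user] = apr1_md5(password, salt)
    return users


def require_allows(rule, user, users, groups):
    """Evaluate a Require line for an already-authenticated user."""
    words = rule.split()
    if words[0] == "valid-user":
        return user in users
    if words[0] == "user":
        return user in words[1:]
    if words[0] == "group":
        return any(user in groups.get(g, set()) for g in words[1:])
    raise ValueError("unknown Require rule")


def authenticate(user, password, users, groups, rule):
    """Credentials against the users file first, then the Require rule."""
    stored = users.get(user)
    if stored is None or not verify(password, stored):
        return False
    return require_allows(rule, user, users, groups)


# Constructed sample files; hashes generated here with a fixed salt.
USERS_TEXT = "\n".join(f"{u}:{apr1_md5(p, 'Ug3.....')}"
                       for u, p in (("admin", "adminpw"), ("joe", "joepw")))
GROUPS_TEXT = "web: admin joe Daniel\n"
USERS = parse_users(USERS_TEXT)
GROUPS = parse_groups(GROUPS_TEXT)
```

Note how cheap verify is to run: one hash per guess is exactly what makes an exposed users file brute-forceable, which is the reason the chapter insists the file stay outside the document root.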



Authoritative

The AuthAuthoritative directive takes a value of on or off. By default, it is on, meaning that the module authentication results are authoritative. That is, if the user is not found or does not match any rules, access will be denied.

Using mod_auth

Listing 23.1 shows a sample configuration, restricting access to the private directory in the document root to authenticated users present in the htusers password file. Note that the optional AuthGroupFile directive is not present.

Listing 23.1 File-Based Authentication Example

    <Directory /usr/local/apache2/htdocs/private>
    AuthType Basic
    AuthName "Private Area"
    AuthUserFile /usr/local/apache2/conf/htusers
    AuthAuthoritative on
    Require valid-user
    </Directory>




Database File-Based Access Control

Storing usernames and passwords in plain text files is convenient, but they do not scale well. Apache needs to open and read the files sequentially to look for a particular user. When the number of users grows, this operation becomes very time-consuming. The mod_auth_dbm module enables you to replace the text-based files with indexed database files, which can handle a much greater number of users without performance degradation. mod_auth_dbm is included with Apache but is not enabled by default. Enabling this module occurs when configuring Apache to be built, using the -enable-module=dbm option.

Back-End Storage

The mod_auth_dbm module provides two directives, AuthDBMUserFile and AuthDBMGroupFile, that point to the database files containing the usernames and groups. Unlike plain text files, both directives can point to the same file, which combines both users and groups.

User Management

Apache provides a Perl script (dbmmanage on Unix and dbmmanage.pl on Windows) that allows you to create and manage users and groups stored in a database file.

Under Unix, you might need to edit the first line of the script to point to the location of the Perl interpreter in your system. On Windows, you need to install the additional MD5 password package. If you are using ActiveState Perl, start the Perl package manager and type

    install Crypt-PasswdMD5

To add a user to a database on Unix, type

    dbmmanage dbfile adduser userid

On Windows, type

    perl dbmmanage.pl dbfile adduser userid
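The combined user-and-group database that AuthDBMUserFile and AuthDBMGroupFile can share, built and queried with Python's standard dbm module as an added example. This is not dbmmanage and not the chapter's code: it uses the dbm.dumb backend so it runs anywhere (Apache would read a file written by dbmmanage in the platform's DBM format), the stored hash strings are labelled placeholders rather than real htpasswd output, and the helper names (open_store, add_user, lookup, in_group, demo) are constructed here. The value layout it assumes, password hash followed by an optional colon and a comma-separated group list, is the one mod_auth_dbm documents for a shared file.

```python
import dbm.dumb
import os
import tempfile


def open_store(path):
    """Open or create a DBM user database (dbm.dumb keeps this portable)."""
    return dbm.dumb.open(path, "c")


def add_user(db, user, pw_hash, groups=()):
    """Shared-file layout: key = username, value = hash[:group,group,...].
    pw_hash is whatever the password tool produced; placeholders are used below."""
    value = pw_hash
    if groups:
        value += ":" + ",".join(groups)
    db[user.encode()] = value.encode()


def lookup(db, user):
    """Indexed lookup: one key access instead of scanning a text file line
    by line. Returns (hash, set_of_groups) or None for an unknown user."""
    raw = db.get(user.encode())
    if raw is None:
        return None
    pw_hash, _, groups = raw.decode().partition(":")
    return pw_hash, set(groups.split(",")) if groups else set()


def build_sample_store(path):
    """Constructed sample data; the hash strings are placeholders."""
    with open_store(path) as db:
        add_user(db, "admin", "$apr1$PLACEHOLDER$hash1", ("web", "staff"))
        add_user(db, "joe", "$apr1$PLACEHOLDER$hash2", ("web",))
        add_user(db, "guest", "$apr1$PLACEHOLDER$hash3")


def in_group(path, user, group):
    """The check behind a 'Require group' rule against the shared DBM file."""
    with open_store(path) as db:
        entry = lookup(db, user)
    return entry is not None and group in entry[1]


def demo():
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "htusers_dbm")
        build_sample_store(path)
        with open_store(path) as db:
            admin = lookup(db, "admin")
            missing = lookup(db, "nobody")
        return {
            "admin": admin,
            "missing": missing,
            "joe_in_web": in_group(path, "joe", "web"),
            "guest_in_web": in_group(path, "guest", "web"),
        }


if __name__ == "__main__":
    print(demo())
```

Because the key is the username, a lookup costs the same whether the file holds ten users or a hundred thousand, which is the scaling argument the section makes for mod_auth_dbm over plain text files.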


