Web application authentication and authorization

 
Arjun Reddy
Ranch Hand
Hi All,

We want only a certain department in the company to be able to access the application we are building. We are not providing any login functionality, and one thing we thought about was recognizing the IP address. Could you guys advise whether this is the right approach, or whether there are any other approaches?

Thanks
 
Richard Tookey
Bartender
IP spoofing is far too easy for authentication based on IP address. You should probably use SSL or HTTPS with both client and server authentication; then all the hard work is done for you.
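
An added example (not from any poster in this thread) of the point Richard makes about spoofing. The version that most often bites a web application is not packet-level spoofing but the forwarded-address header: when the application sits behind a reverse proxy it typically reads X-Forwarded-For to find the client, and that header is set by whoever sends the request. The program below is in Go rather than the thread's Java only so that it runs stand-alone with the standard library. It serves the same allowlist twice, once trusting the header and once using only the TCP peer address, and sends a request from 127.0.0.1 (outside the allowlist) carrying a forged header. The subnet 10.20.30.0/24, the forged address 10.20.30.7 and the /report path are constructed for the example.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
)

// departmentNet stands in for the department's address range; constructed for this example.
var departmentNet = mustCIDR("10.20.30.0/24")

func mustCIDR(s string) *net.IPNet {
	_, n, err := net.ParseCIDR(s)
	if err != nil {
		panic(err)
	}
	return n
}

// clientIP is the address the application will believe the request came from.
// trustForwarded=true reads X-Forwarded-For, which the sender controls; false
// uses the TCP peer address, which is what the kernel actually accepted the
// connection from (still a machine address, not a person).
func clientIP(r *http.Request, trustForwarded bool) net.IP {
	if trustForwarded {
		if xff := r.Header.Get("X-Forwarded-For"); xff != "" {
			return net.ParseIP(strings.TrimSpace(strings.Split(xff, ",")[0]))
		}
	}
	host, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		return nil
	}
	return net.ParseIP(host)
}

func allowed(ip net.IP) bool {
	return ip != nil && departmentNet.Contains(ip)
}

func allowlistHandler(trustForwarded bool) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !allowed(clientIP(r, trustForwarded)) {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		fmt.Fprintln(w, "department-only report")
	})
}

// probe serves the handler on loopback and sends one request from 127.0.0.1,
// which is outside the allowlist, carrying a forged X-Forwarded-For header.
func probe(trustForwarded bool) int {
	srv := httptest.NewServer(allowlistHandler(trustForwarded))
	defer srv.Close()
	req, err := http.NewRequest("GET", srv.URL+"/report", nil)
	if err != nil {
		panic(err)
	}
	req.Header.Set("X-Forwarded-For", "10.20.30.7") // forged: one header, no packet spoofing needed
	resp, err := srv.Client().Do(req)
	if err != nil {
		panic(err)
	}
	resp.Body.Close()
	return resp.StatusCode
}

func main() {
	fmt.Println("trusting X-Forwarded-For:", probe(true))  // 200: forged header accepted
	fmt.Println("using the socket peer:   ", probe(false)) // 403: 127.0.0.1 is not in the department range
}
```

Even the peer-address version only identifies a machine, which is the DHCP problem Ulf raises further down: the check is only as good as whoever controls address assignment on the network, and it says nothing about who is sitting at the keyboard.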
 
Ulf Dittmer
Rancher

Arjun Reddy wrote: We are not providing any login functionality


Why not? That's the cornerstone of the overwhelming majority of all authentication or authorization solutions in existence.

The problem with IP-based solutions, apart from what Richard mentioned, is that they tie you to that specific IP, which will become a hassle.
 
Arjun Reddy
Ranch Hand
Thank you. Apparently they have decided that they do not want to put the user through the hassle of logging in (since it's a small application and the user will only be able to view the data, not change any of it) but still want to implement security. IP-based is the only thing I can think of. Do you guys have any other suggestions?
 
Richard Tookey
Bartender
So what made you reject my TLS/SSL or HTTPS solution?
 
Ulf Dittmer
Rancher
Another problem with using IPs is that it's difficult to ensure that only people from a certain department will get exactly those IP addresses that the application allows in (assuming that DHCP is used; static IP addresses would avoid this, but aren't generally used for desktop computers).

If implementing login functionality is deemed too much work, then I'd guess that client-side SSL would also be too much work.
 
Richard Tookey
Bartender

Ulf Dittmer wrote: If implementing login functionality is deemed too much work, then I'd guess that client-side SSL would also be too much work.

If one uses just the IP address as an identification then one needs to register that IP address so there has to be some form of registration. For one client I used a WebStart application with a registration section which generated a client RSA key pair and sent a CSR to the system admin who checked the credentials of the registrant and, if valid, created a signed certificate which was sent (email) back to the client. The server stored the certificate in a MySQL database and the client stored the certificate in a specific location on the hard disk. Sounds complicated but it was not. The biggest difficulty was getting the client to store the signed certificate in the required location; this may not be necessary on a local area network if the system admin can administer a client's computer. I implemented a registration prototype for both ends for this in just one day and the final version together with all the associated JSSE comms API and database DAO in just a week (others wrote the rest of the application taking several months).

If a minimal client registration procedure such as this is too much for the OP then I doubt he has anything worth protecting!
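
The registration flow Richard describes (the client generates a key pair and a CSR, the admin checks the person and signs it, and the signed certificate is presented at connection time), as an added example that is not his code and not the WebStart/JSSE application he mentions. It is in Go rather than Java because the Go standard library covers CSR handling and mutual TLS without extra libraries, so it runs as is. The department CA, the server name app.internal, the registrant alice@dept and the loopback server are all constructed for the example, and the admin's check that the registrant really belongs to the department is a human step that appears only as a comment. Errors from key generation and certificate creation are dropped where the inputs are the program's own; the CSR path, which takes input from the client, keeps its checks. Three connections are then made: the enrolled client, a client with no certificate, and a client presenting a self-signed certificate with the same name, which the server refuses because it does not chain to the department CA.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

func template(cn string, serial int64, eku x509.ExtKeyUsage) *x509.Certificate {
	return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{eku}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
}

// issue signs tmpl with signer; issuer == nil means self-signed (used for the CA and for the rogue client).
// Constructor errors are dropped here because every input is our own; the CSR path below keeps its checks.
func issue(tmpl, issuer *x509.Certificate, pub interface{}, signer *ecdsa.PrivateKey) []byte {
	if issuer == nil {
		issuer = tmpl
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, issuer, pub, signer)
	return der
}

// Admin side of registration: after a person has confirmed the registrant belongs to the department
// (not shown), verify the CSR and issue a client-auth certificate from the department CA.
func issueClientCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, csrDER []byte) ([]byte, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err = csr.CheckSignature(); err != nil { // proves the requester holds the matching private key
		return nil, err
	}
	return issue(template(csr.Subject.CommonName, 100, x509.ExtKeyUsageClientAuth), ca, csr.PublicKey, caKey), nil
}

// Server side: demand a client certificate and verify it against the department CA only.
func startServer(ca *x509.Certificate, caKey *ecdsa.PrivateKey, pool *x509.CertPool) *httptest.Server {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := template("app.internal", 2, x509.ExtKeyUsageServerAuth)
	tmpl.IPAddresses = []net.IP{net.IPv4(127, 0, 0, 1)} // httptest listens on loopback
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// TLS has already verified the chain; the certificate's CN is the enrolled identity, no login form.
		fmt.Fprintf(w, "hello %s\n", r.TLS.PeerCertificates[0].Subject.CommonName)
	}))
	srv.TLS = &tls.Config{ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool,
		Certificates: []tls.Certificate{{Certificate: [][]byte{issue(tmpl, ca, &key.PublicKey, caKey)}, PrivateKey: key}}}
	srv.StartTLS()
	return srv
}

// fetch connects trusting the CA and optionally presenting cert; 0 means the server refused the handshake.
func fetch(srv *httptest.Server, pool *x509.CertPool, cert *tls.Certificate) int {
	cfg := &tls.Config{RootCAs: pool}
	if cert != nil {
		cfg.Certificates = []tls.Certificate{*cert}
	}
	resp, err := (&http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}).Get(srv.URL + "/data")
	if err != nil {
		return 0
	}
	resp.Body.Close()
	return resp.StatusCode
}

// demo runs the flow and returns the status seen by an enrolled client, a client with no certificate,
// and a client whose self-signed certificate merely claims the same name.
func demo() (enrolled, noCert, selfSigned int) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caTmpl := template("Department CA", 1, x509.ExtKeyUsageAny)
	caTmpl.IsCA, caTmpl.BasicConstraintsValid, caTmpl.KeyUsage = true, true, x509.KeyUsageCertSign
	ca, _ := x509.ParseCertificate(issue(caTmpl, nil, &caKey.PublicKey, caKey))
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	srv := startServer(ca, caKey, pool)
	defer srv.Close()
	// Client side of registration: the key pair stays on the client, only the CSR goes to the admin.
	userKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // "alice@dept" is a constructed registrant name
	csr, _ := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: pkix.Name{CommonName: "alice@dept"}}, userKey)
	userDER, err := issueClientCert(ca, caKey, csr)
	if err != nil {
		panic(err)
	}
	enrolled = fetch(srv, pool, &tls.Certificate{Certificate: [][]byte{userDER}, PrivateKey: userKey})
	noCert = fetch(srv, pool, nil)
	rogueKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	rogueDER := issue(template("alice@dept", 3, x509.ExtKeyUsageClientAuth), nil, &rogueKey.PublicKey, rogueKey)
	selfSigned = fetch(srv, pool, &tls.Certificate{Certificate: [][]byte{rogueDER}, PrivateKey: rogueKey})
	return
}

func main() { fmt.Println(demo()) } // 200 0 0
```

The handler never sees a login form; the identity it greets is the CN the admin put into the certificate, which is why the signing step, not the CSR, is where the vetting happens. What this buys over an IP allowlist is that the credential is bound to a key the user holds rather than to whatever address DHCP handed out.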
 
Rancher
An IP address is not a person. The ISPs and movie studios keep trying to claim this, and it's simply not true. It's not true for their anti-piracy court cases, and it's not true for authentication and authorization.

This is a really, really bad idea.

Using TLS and client-side certs can work, but it's a moderate to big pain to maintain.

You can:

1) decide not to have any security
2) decide to pretend to have security, but really not
3) implement real security.

Sounds like your client is going for #2, or perhaps #1.
 
reply
    Bookmark Topic Watch Topic
  • New Topic