JavaRanch » Java Forums » Engineering » Security

Web application authentication and authorization

Arjun Reddy
Ranch Hand

Joined: Nov 10, 2007
Posts: 627
Hi All,

We want only a certain department in the company to be able to access the application we are building. We are not providing any login functionality, and one thing we thought about was recognizing the IP address. Could you guys advise whether this is the right approach, or if there are any other approaches?

Thanks


Be Humble... Be Nice.
Richard Tookey
Ranch Hand

Joined: Aug 27, 2012
Posts: 1059
    
  10

IP spoofing is far too easy for authentication based on IP address. You should probably use SSL or HTTPS using both client and server authentication then all the hard work is done for you.
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41877
    
  63
Arjun Reddy wrote:We are not providing any login functionality

Why not? That's the cornerstone of the overwhelming majority of all authentication or authorization solutions in existence.

The problem with IP-based solutions (apart from what Richard mentioned) is that they tie you to that specific IP, which will become a hassle.


Ping & DNS - my free Android networking tools app
Arjun Reddy
Ranch Hand

Joined: Nov 10, 2007
Posts: 627
Thank you. Apparently they have decided that they do not want to put the user through the hassle of a login (since it's a small application and the user will only be able to view the data, not change any of it), but they still want to implement security. IP-based is the only thing I can think of. Do you guys have any other suggestions?
Richard Tookey
Ranch Hand

Joined: Aug 27, 2012
Posts: 1059
    
  10

So what made you reject my TLS/SSL or HTTPS solution?
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41877
    
  63
Another problem with using IPs is that it's difficult to ensure that only people from a certain department will get exactly those IP addresses that the application allows in (assuming that DHCP is used; static IP addresses would avoid this, but aren't generally used for desktop computers).

If implementing login functionality is deemed too much work, then I'd guess that client-side SSL would also be too much work.
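For readers who still want to see what the IP-only rule in this thread actually checks, here is an added servlet filter (editor's example, not code from the original posts and not the OP's application). It matches the TCP peer address against a list of CIDR ranges, which is the most an IP rule can express: the department's DHCP scope(s), as Ulf describes, rather than the department's people. The init-param name `allowedRanges`, the class name and the sample ranges in the comment are assumptions for illustration.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.ArrayList;
import java.util.List;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Allows a request only if the TCP peer address lies in one of the configured
 * CIDR ranges. This authorizes a network position, not a person: any device
 * that obtains an address in the range passes.
 */
public class IpAllowlistFilter implements Filter {

    /** One CIDR range held as raw network bytes plus prefix length. */
    private static final class Cidr {
        final byte[] network;
        final int prefix;

        Cidr(String spec) throws UnknownHostException {
            int slash = spec.indexOf('/');
            if (slash < 0) {
                throw new IllegalArgumentException("expected address/prefix, got: " + spec);
            }
            // getByName on a literal address does not perform a DNS lookup.
            network = InetAddress.getByName(spec.substring(0, slash)).getAddress();
            prefix = Integer.parseInt(spec.substring(slash + 1));
            if (prefix < 0 || prefix > network.length * 8) {
                throw new IllegalArgumentException("bad prefix length in: " + spec);
            }
        }

        boolean contains(InetAddress addr) {
            byte[] a = addr.getAddress();
            if (a.length != network.length) {
                return false; // an IPv4 range never matches an IPv6 peer and vice versa
            }
            int fullBytes = prefix / 8;
            int remBits = prefix % 8;
            for (int i = 0; i < fullBytes; i++) {
                if (a[i] != network[i]) {
                    return false;
                }
            }
            if (remBits == 0) {
                return true;
            }
            int mask = (0xFF << (8 - remBits)) & 0xFF;
            return (a[fullBytes] & mask) == (network[fullBytes] & mask);
        }
    }

    private final List<Cidr> allowed = new ArrayList<>();

    @Override
    public void init(FilterConfig cfg) throws ServletException {
        // Assumed init-param, e.g. "10.20.30.0/24,10.20.31.0/24": the DHCP
        // scope(s) handed out to the department's desktops.
        String ranges = cfg.getInitParameter("allowedRanges");
        if (ranges == null || ranges.trim().isEmpty()) {
            throw new ServletException("allowedRanges init-param is required");
        }
        try {
            for (String r : ranges.split(",")) {
                allowed.add(new Cidr(r.trim()));
            }
        } catch (UnknownHostException | IllegalArgumentException e) {
            throw new ServletException("invalid allowedRanges: " + ranges, e);
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        // getRemoteAddr() is the TCP peer. Behind a reverse proxy or load
        // balancer that is the proxy's own address, and the tempting
        // substitute, the X-Forwarded-For header, is written by whoever sent
        // the request unless a proxy you control overwrites it. Do not read it here.
        InetAddress peer = InetAddress.getByName(request.getRemoteAddr());
        if (!isAllowed(peer)) {
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }

    /** True if the address falls inside any configured range. */
    boolean isAllowed(InetAddress addr) {
        for (Cidr c : allowed) {
            if (c.contains(addr)) {
                return true;
            }
        }
        return false;
    }

    @Override
    public void destroy() {
    }
}
```

Two caveats follow directly from the thread: the filter passes any machine that ends up with an address in the range (a visitor's laptop on the department VLAN, a compromised desktop), and the moment the department's DHCP scope is renumbered or the app is put behind a proxy, the rule either locks everyone out or lets everyone in. That is the "tied to that specific IP" hassle Ulf mentions, and it is why the filter cannot be called authentication.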
Richard Tookey
Ranch Hand

Joined: Aug 27, 2012
Posts: 1059
    
  10

Ulf Dittmer wrote:
If implementing login functionality is deemed too much work, then I'd guess that client-side SSL would also be too much work.


If one uses just the IP address as an identification then one needs to register that IP address, so there has to be some form of registration. For one client I used a WebStart application with a registration section which generated a client RSA key pair and sent a CSR to the system admin, who checked the credentials of the registrant and, if valid, created a signed certificate which was sent back to the client by email. The server stored the certificate in a MySQL database and the client stored the certificate in a specific location on the hard disk.

Sounds complicated, but it was not. The biggest difficulty was getting the client to store the signed certificate in the required location; this may not be necessary on a local area network if the system admin can administer a client's computer. I implemented a registration prototype for both ends for this in just one day, and the final version together with all the associated JSSE comms API and database DAO in just a week (others wrote the rest of the application, taking several months).

If a minimal client registration procedure such as this is too much for the OP then I doubt he has anything worth protecting!
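To make the server half of Richard's scheme concrete, here is an added servlet filter (editor's example, not Richard's code and not the OP's application). It assumes the container has already done the TLS client-authentication handshake against a trust store holding the admin's signing certificate (for Tomcat that is `clientAuth="true"` and a `truststoreFile` on the HTTPS connector; both are assumptions about the deployment) and exposes the verified chain through the standard `javax.servlet.request.X509Certificate` request attribute. The filter then answers the second question, whether this particular certificate was issued through registration, by looking up its SHA-256 fingerprint in a set that stands in for Richard's MySQL table. The class name, the `register` method and the `client.subject` attribute are illustrative names.

```java
import java.io.IOException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Authorizes a request by the client certificate the TLS layer has already
 * verified against the admin's CA, and additionally requires that the
 * certificate is one the admin actually issued during registration.
 */
public class ClientCertFilter implements Filter {

    /** Standard attribute under which servlet containers expose the client chain. */
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    /** Stand-in for the registration database: SHA-256 fingerprints of issued certificates. */
    private final Set<String> registeredFingerprints = ConcurrentHashMap.newKeySet();

    @Override
    public void init(FilterConfig cfg) throws ServletException {
        // A real deployment loads the fingerprints from the registration store here.
    }

    /** Called by the registration workflow after the admin signs a CSR. */
    public void register(X509Certificate issued) throws CertificateEncodingException {
        registeredFingerprints.add(fingerprint(issued));
    }

    /** Removing the fingerprint is the revocation mechanism for this scheme. */
    public void revoke(X509Certificate issued) throws CertificateEncodingException {
        registeredFingerprints.remove(fingerprint(issued));
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // A plain-HTTP request can never carry a client certificate, so refuse it
        // outright rather than letting a misconfigured connector through.
        if (!request.isSecure()) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "TLS required");
            return;
        }

        X509Certificate[] certs = (X509Certificate[]) request.getAttribute(CERT_ATTR);
        if (certs == null || certs.length == 0) {
            // Handshake completed without a client certificate (clientAuth="want",
            // or the client had none): treat as unauthenticated.
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "client certificate required");
            return;
        }

        X509Certificate leaf = certs[0]; // certs[0] is the end-entity certificate
        try {
            // The container validated the chain; still enforce the validity window,
            // since a trust-store check alone does not guarantee that.
            leaf.checkValidity();
            if (!registeredFingerprints.contains(fingerprint(leaf))) {
                response.sendError(HttpServletResponse.SC_FORBIDDEN, "certificate not registered");
                return;
            }
        } catch (CertificateException e) { // expired, not yet valid, or unencodable
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "certificate rejected");
            return;
        }

        // Hand the verified identity to the application instead of letting it
        // re-derive it from headers.
        request.setAttribute("client.subject", leaf.getSubjectX500Principal().getName());
        chain.doFilter(req, res);
    }

    /** Lower-case hex SHA-256 over the DER encoding, the usual key for a cert table. */
    static String fingerprint(X509Certificate cert) throws CertificateEncodingException {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
            StringBuilder sb = new StringBuilder(digest.length * 2);
            for (byte b : digest) {
                sb.append(String.format("%02x", b));
            }
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 not available", e);
        }
    }

    @Override
    public void destroy() {
    }
}
```

The point of keeping the fingerprint lookup separate from the TLS trust store is operational: the container answers "was this signed by our CA?", while the registration table answers "is this certificate still one we want to honour?", so an employee leaving the department is handled by deleting a row rather than by rotating the CA. It also means the application never reads an identity from a header or an address, which is the gap the IP-based design in this thread cannot close.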

Pat Farrell
Rancher

Joined: Aug 11, 2007
Posts: 4658
    
    5

An IP address is not a person. The ISPs and movie studios keep trying to claim this, and it's simply not true. It's not true for their anti-piracy court cases, and it's not true for authentication and authorization.

This is a really, really bad idea.

Using TLS and client-side certs can work, but it's a moderate to big pain to maintain.

You can:

1) decide not to have any security
2) decide to pretend to have security, but really not
3) implement real security.

Sounds like your client is going for #2, or perhaps #1.
 