Wednesday, September 11, 2019

Web security authentication and authorization Research Paper

Web security authentication and authorization - Research Paper Example

Authentication Mechanism

If a particular resource needs to be protected using the elementary authentication mechanism, the Apache server sends a header including "401 authentication" in response to the request. As soon as the web browser receives the 401 response header, it asks the user to specify a username and password in order to authenticate; the user enters these credentials so that the requested resource can be returned. The server then checks the credentials against the safe list, and if they are present the resource is made available to the user.

Securing the Contents

For any individual resource on a web server, securing the contents involves a series of steps to configure the elementary authentication procedure. The first step is to create a password file. The second step is to set the configuration so that the server can locate the file containing the passwords, i.e. the password file. In addition, valid user credentials, consisting of a username and password, must be determined; the credentials provided by the user are then matched against the list of valid usernames and passwords. The password file is created on the server to validate legitimate users. However, the password file is a delicate and confidential piece of information and must be stored outside of the document directory in order to eliminate potential threats from hackers or viruses.

To create a password file, a utility named "htpasswd" is executed: "htpasswd is used to create and update the flat-files used to store usernames and password for basic authentication of HTTP users. If htpasswd cannot access a file, such as not being able to write to the output file or not being able to read the file in order to update it, it returns an error status and makes no changes" (Htpasswd - manage user files for basic authentication - Apache HTTP Server). This utility is located in the "bin" directory of Apache; for instance, it is available at /usr/local/apache/bin/htpasswd. Certain commands are executed to create the file. For example, to create a password file the following command is executed:

htpasswd -c /usr/local/apache/passwd/passwords username

After executing the command, htpasswd will prompt the user for the password. Once the password has been provided, the file is created. To add a new user to the password list, the following command is executed:

htpasswd /usr/local/apache/passwd/passwords testuser

This command adds the user's credentials to the password file. The user named 'testuser' was already created earlier on the web server. After the creation of the password file, Apache is configured with the required directives. The directives are located in an '.htaccess' file on a particular directory, associated with the server configuration.

Web Contents Prevention

In order to maintain a sophisticated web server, web content prevention is essential to ensure the safety of the web contents available on the server. Apache 'digest authentication' is made for this purpose. It is a "method of authentication in which a request from a potential user is received by a network server and then sent to a domain controller" (What is digest authentication? - definition from whatis.com). 'Digest authentication' is provided by the module named 'mod_auth_digest'. This utility never transmits passwords across the network; instead, MD5-digested passwords are transmitted, eliminating attacks such as sniffing the network traffic for passwords.

Several steps are involved in enabling this utility on the Apache web server. The configuration for digest authentication is quite similar to that of basic authentication. The first step involves the creation of a password file. The command executed for the creation
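The server-side checks described above, as an added example that is not part of the original paper or of Apache's own code: it reproduces the {SHA} line format written by `htpasswd -s` and the line format written by `htdigest`, then verifies a Basic `Authorization` header against the password file and verifies a Digest response (the RFC 2617 form without `qop`) using only the stored HA1, never the password. Users, realm, passwords and nonce are constructed; the helper names are hypothetical.

```python
import base64
import hashlib
import hmac

# Hypothetical helpers (added example) reproducing the flat-file formats of
# `htpasswd -s` ({SHA} entries) and `htdigest`, plus the checks a server runs
# against them. All users, realms and passwords below are constructed.

def htpasswd_sha_entry(user: str, password: str) -> str:
    """One line of an htpasswd file in the {SHA} format: user:{SHA}base64(sha1(pw))."""
    digest = base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()
    return f"{user}:{{SHA}}{digest}"

def check_basic(authorization: str, htpasswd_text: str) -> bool:
    """Verify an 'Authorization: Basic <base64(user:pass)>' value against the file."""
    scheme, _, encoded = authorization.partition(" ")
    if scheme != "Basic":
        return False
    try:
        user, _, password = base64.b64decode(encoded).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return False  # malformed header: reject rather than crash
    users = dict(line.split(":", 1) for line in htpasswd_text.splitlines() if ":" in line)
    stored = users.get(user, "")
    if not stored.startswith("{SHA}"):
        return False  # only the {SHA} format is handled in this example
    expected = base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()
    return hmac.compare_digest(stored[5:], expected)  # constant-time comparison

def htdigest_entry(user: str, realm: str, password: str) -> str:
    """One line of an htdigest file: user:realm:HA1, HA1 = MD5(user:realm:password)."""
    ha1 = hashlib.md5(f"{user}:{realm}:{password}".encode()).hexdigest()
    return f"{user}:{realm}:{ha1}"

def digest_response(ha1: str, method: str, uri: str, nonce: str) -> str:
    """RFC 2617 response without qop: MD5(HA1:nonce:HA2), where HA2 = MD5(method:uri)."""
    ha2 = hashlib.md5(f"{method}:{uri}".encode()).hexdigest()
    return hashlib.md5(f"{ha1}:{nonce}:{ha2}".encode()).hexdigest()

def check_digest(user: str, realm: str, method: str, uri: str, nonce: str,
                 response: str, htdigest_text: str) -> bool:
    """Verify a client's Digest response using the stored HA1 only (no password needed)."""
    for line in htdigest_text.splitlines():
        u, r, ha1 = line.split(":", 2)
        if u == user and r == realm:
            return hmac.compare_digest(digest_response(ha1, method, uri, nonce), response)
    return False
```

Modern browsers send `qop=auth`, which adds the `nc` and `cnonce` fields to the response calculation; the check above covers only the simpler form.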
