authorization
Authorization is the process of granting someone permission to do or have something. In a multi-user computer system, a system administrator defines which users are allowed access to the system and what privileges of use each of them has (such as which file directories they may access, their hours of access, how much storage space they are allocated, and so on). Once someone has logged in to an operating system or application, the system or application must determine which resources that user may be given during the session.
Authorization is therefore understood as both the preliminary setting up of permissions by a system administrator and the actual checking of those permission values when a user attempts access.
Logically, authorization is preceded by authentication: a permission check is only meaningful once the identity it applies to has been established.
DeMilitarized Zone (DMZ)
A network segment placed between an organization's trusted internal network and an untrusted external network such as the Internet. Servers that must be reachable from outside are placed there, so that the compromise of one of them does not directly expose the internal network.
Enterprise JavaBeans (EJB)
A server-side software component model in Sun's Java EE platform, which provides a pure Java environment for developing and running distributed applications. Because EJBs hold the business logic separately from the presentation layer, an application built on them can be scaled later and can be driven by several different user interfaces.
Generic Security Service API (GSS-API)
An API for distributed security services that gives applications authentication, integrity and confidentiality without tying them to one particular mechanism (such as Kerberos). The language-independent interface is described in IETF RFC 2743; the C bindings are in RFC 2744.
Java Authentication and Authorization Service (JAAS)
A Java package that enables services to authenticate users and enforce access controls on them. It implements a Java version of the standard Pluggable Authentication Module (PAM) framework, so the login mechanism is configured rather than coded into the application, and it extends Java's code-based access control with user-based (principal-based) authorization.
Java Cryptography Architecture (JCA)
An umbrella term from Sun for the framework that implements security functions for the Java platform. It includes Sun's Java Security API as well as the Java Cryptography Extension (JCE), which adds programming interfaces for encryption and key exchange. It also provides a provider mechanism for plugging third-party security packages, such as algorithm and digital-signature implementations, into Java applications.
Java DataBase Connectivity (JDBC)
A programming interface that lets Java applications access a database through the SQL language. Since Java Virtual Machines are available for all major client platforms, a database application written against JDBC is platform-independent.
Kerberized application
A software application that requires or performs Kerberos authentication.
Kerberos
Kerberos is a network authentication protocol for proving the identity of a client that requests a service. It was developed in Project Athena at the Massachusetts Institute of Technology (MIT). The name is taken from Greek mythology, where Kerberos is the three-headed dog that guards the gates of Hades. Kerberos lets a user obtain an encrypted "ticket" from a trusted authentication server (the Key Distribution Center, KDC), which the user then presents to request a particular service from a server. The user's password never crosses the network: it is used only locally, to derive the key that decrypts the KDC's reply.
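To make the ticket flow concrete, here is an added model of the two exchanges (written for this page; it is not MIT or VSJ code). A toy HMAC-based seal/unseal stands in for the Kerberos encryption types, PBKDF2 stands in for string2key, and the realm EXAMPLE.COM, the principals alice and HTTP/app.example.com and the password are constructed for the demonstration. It shows the AS exchange with pre-authentication, the AP exchange at the service, and the two failures a deployment most often hits: a wrong password, which the KDC rejects as an integrity check failure without the password ever leaving the client, and a service clock outside the five-minute skew.

```python
"""Model of the Kerberos AS and AP exchanges described above.  Added example, not
MIT or VSJ code: a toy HMAC seal stands in for Kerberos encryption types."""
import hashlib
import hmac
import json
import os
import time

REALM = "EXAMPLE.COM"           # assumed realm, constructed for this example
MAX_CLOCK_SKEW = 300            # seconds; the usual Kerberos default

def string_to_key(password, principal):
    """Long-term key derived locally from the password (stands in for string2key)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 50_000, 32)

def _keystream(key, nonce, n):
    out, ctr = bytearray(), 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return bytes(out[:n])

def seal(key, fields):
    """Toy encrypt-then-MAC of a dict; stands in for Kerberos EncryptedData."""
    pt, nonce = json.dumps(fields).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failure")     # wrong key or tampered data
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

class KDC:
    def __init__(self, keys):
        self.keys = keys        # principal name -> long-term key

    def as_exchange(self, cname, sname, preauth):
        # Pre-authentication: the client proves it knows its key by sealing a fresh
        # timestamp under it; the password itself never appears on the wire.
        if abs(time.time() - unseal(self.keys[cname], preauth)["timestamp"]) > MAX_CLOCK_SKEW:
            raise ValueError("pre-authentication timestamp outside clock skew")
        session = os.urandom(32).hex()
        ticket = seal(self.keys[sname], {"cname": cname, "session_key": session,
                                         "expires": time.time() + 8 * 3600})
        enc_part = seal(self.keys[cname], {"session_key": session, "sname": sname})
        return ticket, enc_part   # AS-REP: the ticket is opaque to the client

class Client:
    def __init__(self, cname, password):
        self.cname = cname
        self.key = string_to_key(password, cname + "@" + REALM)

    def get_ticket(self, kdc, sname):
        preauth = seal(self.key, {"timestamp": time.time()})
        ticket, enc_part = kdc.as_exchange(self.cname, sname, preauth)
        return ticket, bytes.fromhex(unseal(self.key, enc_part)["session_key"])

    def ap_req(self, ticket, session_key):
        return ticket, seal(session_key, {"cname": self.cname, "ctime": time.time()})

class Service:
    def __init__(self, key):
        self.key = key          # in a real deployment this comes from the keytab

    def accept(self, ticket, authenticator, now=None):
        now = time.time() if now is None else now
        t = unseal(self.key, ticket)
        if t["expires"] < now:
            raise ValueError("ticket expired")
        a = unseal(bytes.fromhex(t["session_key"]), authenticator)
        if a["cname"] != t["cname"]:
            raise ValueError("authenticator does not match ticket")
        if abs(now - a["ctime"]) > MAX_CLOCK_SKEW:
            raise ValueError("clock skew too great")
        return t["cname"]

def demo(password="correct horse", service_clock_offset=0):
    """Full AS + AP exchange; returns the principal name the service accepted."""
    user, svc = "alice", "HTTP/app.example.com"        # constructed principals
    kdc = KDC({user: string_to_key("correct horse", user + "@" + REALM), svc: os.urandom(32)})
    client = Client(user, password)
    ticket, session_key = client.get_ticket(kdc, svc)
    service = Service(kdc.keys[svc])
    return service.accept(*client.ap_req(ticket, session_key), now=time.time() + service_clock_offset)

def exchange_fails(**kwargs):
    """True if demo(**kwargs) is rejected (wrong password, clock skew, ...)."""
    try:
        demo(**kwargs)
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    print(demo(), exchange_fails(password="wrong"), exchange_fails(service_clock_offset=600))
```

Note where each secret lives: only the client and the KDC hold the user's key, only the service and the KDC hold the service key, and the session key reaches the service inside a ticket it can decrypt but the client cannot. Clock skew is checked at two points, the KDC's pre-authentication and the service's authenticator, which is why unsynchronized clocks show up as authentication failures rather than as an obvious time error.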
Lightweight Directory Access Protocol (LDAP)
A software protocol for enabling anyone to locate organizations, individuals, and other resources such as files and devices in a network, whether on the public Internet or on a corporate intranet. LDAP is a "lightweight" version of the Directory Access Protocol (DAP), which is part of X.500, a standard for directory services in a network. Netscape includes it in its Communicator suite of products. Microsoft includes it as part of Active Directory and in a number of products including Outlook Express. Novell's NetWare Directory Services interoperates with LDAP. Cisco also supports it in its networking products.
Secure Sockets Layer (SSL)
The Secure Sockets Layer (SSL) is a commonly used protocol for securing message transmission on the Internet. SSL is a program layer located between the Internet's Hypertext Transfer Protocol (HTTP) and Transmission Control Protocol (TCP) layers. SSL is included in both the Microsoft and Netscape browsers and in most Web server products. Developed by Netscape, SSL gained the support of Microsoft and other Internet client/server developers, becoming the de facto standard until it evolved into Transport Layer Security (TLS). The "sockets" part of the term refers to the sockets method of passing data back and forth between a client and a server program in a network or between program layers in the same computer. SSL uses public-key cryptography (typically RSA) together with a digital certificate to authenticate the server and agree on a session key, and symmetric encryption under that key to protect the data.
Simple and Protected GSS-API Negotiation Mechanism (SPNEGO)
A GSS-API mechanism (RFC 4178) that allows two GSS-API implementations to negotiate securely which underlying mechanism they will use. In essence, SPNEGO defines a universal but separate mechanism solely for negotiating the use of other security mechanisms. SPNEGO itself does not provide authentication or data protection, although once a mechanism is established it lets the negotiators verify that the negotiation was not subverted (for example by an attacker removing the stronger mechanism from the offered list). In HTTP it appears as the "Negotiate" authentication scheme, under which a Windows browser typically offers Kerberos first and NTLM as a fallback.
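As an added example serving both the GSS-API entry above and this one (it is not code from the manual or from any VSJ component), the Python below builds and parses the token a browser places in an HTTP "Authorization: Negotiate" header. The outer framing is the GSS-API InitialContextToken of RFC 2743, the inner structure the SPNEGO NegTokenInit of RFC 4178; the mechanism OIDs are the standard Kerberos V5, Microsoft Kerberos and NTLMSSP identifiers. The sample headers are constructed in the block rather than captured from a client, the Kerberos mechToken is a two-byte placeholder, and the function names (build_negotiate_header, parse_negotiate_header) are this example's own.

```python
"""Build and parse the token a browser sends in an HTTP 'Authorization: Negotiate'
header: GSS-API InitialContextToken framing (RFC 2743) around a SPNEGO NegTokenInit
(RFC 4178).  Added example; the sample headers below are constructed, not captured."""
import base64

SPNEGO_OID = "1.3.6.1.5.5.2"
MECH_NAMES = {                                # well-known mechanism OIDs
    "1.2.840.113554.1.2.2": "Kerberos V5",
    "1.2.840.48018.1.2.2": "MS KRB5",         # legacy Microsoft Kerberos OID
    "1.3.6.1.4.1.311.2.2.10": "NTLMSSP",
}

def der_length(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body):
    return bytes([tag]) + der_length(len(body)) + body

def encode_oid(dotted):
    """DER OBJECT IDENTIFIER: first two arcs packed into one octet, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                            # high bit set on all but the last octet
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body += bytes(reversed(chunk))
    return tlv(0x06, bytes(body))

def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0   # enough for the 1.x OIDs used here
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def read_tlv(buf, pos):
    """Return (tag, contents, position after the element)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def build_negotiate_header(mechs, mech_token):
    """Client side: NegTokenInit offering `mechs` (the first one is preferred)."""
    mech_list = tlv(0x30, b"".join(encode_oid(m) for m in mechs))
    neg_init = tlv(0x30, tlv(0xA0, mech_list) + tlv(0xA2, tlv(0x04, mech_token)))
    token = tlv(0x60, encode_oid(SPNEGO_OID) + tlv(0xA0, neg_init))
    return "Negotiate " + base64.b64encode(token).decode()

def parse_negotiate_header(header):
    """Server side: report what the client offered before a mechanism is chosen."""
    scheme, _, b64 = header.partition(" ")
    if scheme != "Negotiate":
        raise ValueError("not a Negotiate header")
    token = base64.b64decode(b64)
    if token.startswith(b"NTLMSSP\x00"):       # bare NTLM, no SPNEGO wrapper at all
        return {"wrapper": "raw NTLMSSP", "mechs": ["NTLMSSP"], "preferred": "NTLMSSP"}
    tag, body, _ = read_tlv(token, 0)
    if tag != 0x60:
        raise ValueError("not a GSS-API InitialContextToken")
    tag, oid, pos = read_tlv(body, 0)
    if tag != 0x06 or decode_oid(oid) != SPNEGO_OID:
        raise ValueError("token mechanism is not SPNEGO")
    tag, neg_init, _ = read_tlv(body, pos)
    if tag != 0xA0:
        raise ValueError("expected NegTokenInit, got tag 0x%02x" % tag)
    _, seq, _ = read_tlv(neg_init, 0)
    mechs, has_token, pos = [], False, 0
    while pos < len(seq):
        tag, elem, pos = read_tlv(seq, pos)
        if tag == 0xA0:                         # mechTypes: SEQUENCE OF OID
            _, lst, _ = read_tlv(elem, 0)
            p = 0
            while p < len(lst):
                _, oid, p = read_tlv(lst, p)
                name = decode_oid(oid)
                mechs.append(MECH_NAMES.get(name, name))
        elif tag == 0xA2:                       # mechToken for the preferred mechanism
            has_token = True
    return {"wrapper": "SPNEGO", "mechs": mechs,
            "preferred": mechs[0] if mechs else None, "has_mech_token": has_token}

# Constructed samples: a Windows-style offer (Kerberos first, NTLM as fallback) with a
# placeholder mechToken, and the bare NTLM type-1 prefix a client sends without Kerberos.
SAMPLE_HEADERS = {
    "kerberos": build_negotiate_header(list(MECH_NAMES), b"\x60\x00"),
    "ntlm": "Negotiate " + base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00").decode(),
}

if __name__ == "__main__":
    print({name: parse_negotiate_header(h) for name, h in SAMPLE_HEADERS.items()})
```

A server that logs the offered list has a cheap diagnostic for silent downgrades: a client that lists only NTLMSSP, or that sends a bare NTLMSSP blob with no SPNEGO wrapper, did not obtain a Kerberos ticket for the service, which is the usual prelude to authentication falling back to NTLM or to basic authentication.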
Single Sign-On (SSO)
An authentication process in a client/server environment in which the user, or client, enters one name and password and gains access to more than one application, or to a number of resources within an enterprise. Single sign-on removes the need for the user to authenticate again when switching between applications.
Index

A
access policy files 13, 46, 55, 57, 59, 60, 62, 63, 64
Active Directory
  about 5–10
  groups 2, 6–8, 46, 50, 51, 52, 53, 55, 58, 59
    logon process 8
    scopes 7
    types 7
    VSJ 8
  installation 18
  LDAP integration 6
  permissions 81
  Public Key Infrastructure (PKI) support 6
  sites 2, 9
  smartcard support 6
  VSJ 10
  Windows native credential cache 6
application server
  BEA WebLogic 48
authentication 2, 12, 13, 39, 40, 42, 43, 44, 46, 48, 51, 52, 54, 79, 80, 86, 88, 100, 111
  basic 12, 20, 46, 48, 79, 97
  Kerberos 79
  NTLM 12, 19, 87, 99
  PKI 6
  smartcard 6
  SPNEGO 12
  user 21
  Windows-integrated 18, 19, 20, 27, 28, 29, 51, 79, 80, 86, 95, 96, 99

B
basic fallback 12, 20, 46, 78, 79, 80, 83, 86
BEA WebLogic 48

C
client machine 18
  browser 19
cookies 78, 79
credential cache, native Microsoft Windows 6
credential delegation 34, 42, 44

D
Denial of Service attack 78
deployment descriptor 38, 39, 40, 41, 47, 48, 49, 50, 52, 55, 56, 57, 59, 63, 94, 97
deployment risks 20, 21
  replication interruptions 21
  resource security 21
  service unavailability 20
  time synchronization 20
Domain Name System (DNS) 16, 17

G
groups, Active Directory 6–8

I
installation
  Active Directory 18
  application server 18
  client machine 18
Internet Explorer and SPNEGO 11

J
jkinit 74
jklist 74
JKTools 74
  examples 75
  jkinit 74
  jklist 74
  jktutil 75

K
Kerberos 3, 5
  authentication 3, 4, 5, 79
  LDAP integration 6
  MIT 3, 4, 6, 45, 113
  Privilege Attribute Certificates (PAC) 6

L
LDAP vii, 5, 6, 8, 51, 85, 111, 113
  Active Directory integration 6
  Kerberos integration 6
logging 41, 92

M
maintenance 92, 93
  account settings 92
  logging 92
  network policy changes 93
  new users/groups 92
Microsoft Windows
  credential cache, native 6
  integrated authentication 18, 19, 20, 27, 28, 29, 51, 79, 80, 86, 95, 96, 99
MIT Kerberos 3, 4, 6, 45, 113

N
NTLM 87, 88, 99
  authentication 19, 87, 99
  versions 88
NTLM authentication 12

P
PAC, see Privilege Attribute Certificate (PAC)
permissions, Active Directory 81
PKI, see Public Key Infrastructure (PKI)
Privilege Attribute Certificate (PAC) 6, 8, 51, 85, 100
Public Key Infrastructure (PKI)
  Active Directory, support in 6

R
RC4 100

S
SASL 85
smartcard
  Active Directory, support in 6
SPNEGO 2, 12, 43, 44, 46, 79, 80, 87, 95, 100, 114
  and Internet Explorer 11

T
Time synchronization service 17
troubleshooting
  authentication 95, 96
  AuthFilter 97
  blank page, Internet Explorer 6 96
  ConfigException 94, 97
  credential delegation 101
  CryptoException 93
  debug information 101
  DNS error 96
  error 401 95
  error 403 95, 100
  error 500 93, 95
  IIS delegation 101
  integrity check failure 95
  InvalidLicense 98
  keytab 100
  MIC-checking 101
  no keytab entry 100
  NTLM 99
  ProtocolException 98
  SecurityException 96
  Servlet Error 94
  ServletException 97

V
VSJ
  about 2
  Active Directory groups 8
  Active Directory, and 10
  deployment risks 20, 21
  how it works 11, 13
  installation requirements 16, 17, 18
  logging 41
  maintenance 92, 93

W
WAR, see Web Application aRchive
Web Application aRchive 41, 55