What the user knows: This is a very common factor of authentication. The user is authenticated into a system based on what he/she knows. For instance, a user knows his/her password or PIN and, therefore, can gain access to the system and its resources.

What the user has: This is a popular factor of authentication, which is used for systems requiring a higher level of security, such as banking. This factor of authentication relies on a device or widget that a user possesses to authenticate into the system. For instance, a user has a token that generates a random number every 10 seconds, which the user can use to authenticate into a system. Another example would be a USB dongle, which a user can insert into the system, and the system authenticates the user based on the data contained in the USB dongle.

What the user is: This factor of authentication has also gained popularity in the commercial world and in defense organizations. This factor of authentication relies on a physical attribute of the user to grant him/her access to the system. This is also popularly referred to as biometric access control. For instance, fingerprint readers are used to scan user fingerprints, and if the fingerprint provided by the user matches the fingerprint enrolled in the database, then the user is authenticated into the system. Retina scans are another form of biometric access control.

Where the user is: The fourth factor of authentication is based on where the user is at the point in time when he/she is authenticating to a system. For instance, if the user is in a corporate LAN, he/she will be able to access some of the shared resources made available to the LAN; however, if the same user goes out of the corporate LAN to a coffee shop and attempts to connect, he/she will be unable to.
It is important to note that some of these factors of authentication are used in conjunction with others to provide a stronger level of authentication for users to gain access to a system. For instance, a user in a corporate LAN will probably have to provide a password along with being an enrolled user of the corporate LAN. Certain mission-critical systems also require the use of a two-factor authentication mechanism. Two-factor authentication utilizes two of the four factors of authentication to provide access to the user into a system. For instance, a user of a sensitive banking application would use the unique password generated from his/her USB dongle and also enter a password that he/she knows to gain access to the system. Another example would be the use of a password with a fingerprint scan provided by the user to gain access to a system.
7.1.2.2 Authorization
Authorization is the process of giving someone permission to do or have something. For instance, a bank teller would not be able to view the human resources records and payroll records of the bank because he/she is not authorized to view or edit them. Authorization is an important facet of strong access control. The user is authenticated and gains access to the system; from then on, the system should ensure that the user has access to only those resources that are necessary for the user. For instance, the ordinary user of an e-commerce application would be able to make purchases on the e-commerce site. If he/she is able to create administrative users and edit inventory information, then the authorization for the e-commerce application is poorly designed. Authorization systems determine what the user can view (read), edit (update), insert (create), and delete in a system. We will delve into authorization systems for Java Web applications during the course of this chapter.
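The e-commerce scenario above, worked through as a default-deny, role-based authorization check over the four operations (read, update, create, delete). This is an added illustration, not code from the book; the role, resource and permission names are assumed for the example.

```java
import java.util.EnumSet;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

public class AuthorizationDemo {
    // The four operations an authorization system decides on.
    enum Permission { READ, UPDATE, CREATE, DELETE }

    // Resources of a hypothetical e-commerce application (assumed names).
    enum Resource { PRODUCT_CATALOG, ORDER, INVENTORY, ADMIN_USER }

    // A role maps each resource to the permissions it grants; a resource
    // that is not listed grants nothing at all.
    static final class Role {
        final String name;
        final Map<Resource, Set<Permission>> grants = new HashMap<>();
        Role(String name) { this.name = name; }
        Role grant(Resource r, Permission first, Permission... rest) {
            grants.put(r, EnumSet.of(first, rest));
            return this;
        }
    }

    // Default deny: the operation is allowed only if the role explicitly grants it.
    static boolean isAuthorized(Role role, Resource resource, Permission op) {
        Set<Permission> allowed = role.grants.get(resource);
        return allowed != null && allowed.contains(op);
    }

    static void check(Role role, Resource resource, Permission op) {
        String verdict = isAuthorized(role, resource, op) ? "ALLOWED" : "DENIED";
        System.out.println(role.name + " " + op + " on " + resource + ": " + verdict);
    }

    public static void main(String[] args) {
        Role customer = new Role("CUSTOMER")
            .grant(Resource.PRODUCT_CATALOG, Permission.READ)
            .grant(Resource.ORDER, Permission.READ, Permission.CREATE);
        Role admin = new Role("ADMIN")
            .grant(Resource.INVENTORY, Permission.READ, Permission.UPDATE, Permission.CREATE, Permission.DELETE)
            .grant(Resource.ADMIN_USER, Permission.READ, Permission.UPDATE, Permission.CREATE, Permission.DELETE);

        check(customer, Resource.ORDER, Permission.CREATE);       // an ordinary user may place an order
        check(customer, Resource.ADMIN_USER, Permission.CREATE);  // but must not create administrative users
        check(customer, Resource.INVENTORY, Permission.UPDATE);   // nor edit inventory information
        check(admin, Resource.INVENTORY, Permission.UPDATE);      // the administrator role may
    }
}
```

Because an unlisted resource yields no permissions, a newly added resource is closed to every role until someone grants access to it explicitly, which is the behaviour the text asks of a well-designed authorization system.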