Authentication and Authorization on the Web
Nigel Chapman and Jenny Chapman
Web Security Topics Series
Authentication and Authorization on the Web
Published by MacAvon Media
Achnaha House, Kilchoan, Acharacle PH36 4LW Scotland (UK)
www.macavonmedia.com
ISBN: 978-0-9567370-5-2
Copyright 2012 by Nigel Chapman and Jenny Chapman
All Rights Reserved. No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, without the prior permission in writing of MacAvon Media, except under the terms of the Copyright, Designs and Patents Act 1988 or under the terms of a licence issued by the Copyright Licensing Agency Ltd, Saffron House, 6-10 Kirby Street, London EC1N 8TS UK.
Requests to the publisher should be emailed to requests@macavonmedia.com.
Nigel Chapman and Jenny Chapman have asserted their right under the Copyright, Designs and Patents Act 1988 to be identified as the authors of this work.
Published in the United Kingdom by MacAvon Media, Scotland.
The publisher and authors make no representations or warranties with respect to the accuracy or completeness of the contents of this work and specifically disclaim all warranties, including without limitation warranties of fitness for a particular purpose. No warranty may be created or extended by sales or promotional materials. The advice contained in this book may not be suitable for every situation.
This work is intended to provide accurate information in regard to the subject matter covered. It is sold on the understanding that the Publisher is not engaged in rendering professional services. If professional advice or other expert assistance is required, the services of a competent professional should be sought. Neither the publisher nor the authors shall be liable for damages arising therefrom.
The fact that an organization or Web site is referred to in this work as a citation and/or as a potential source of further information or products does not mean that the authors or the publisher endorse the information which the organization or Web site may provide or any recommendations which it may make or products which it may sell.
All brand names and product names referred to in this book are the trade names, service marks, trademarks or registered trademarks of their respective owners. The publisher and authors are not associated with any product or vendor mentioned in this book.
About This Book
The short books in the Web Security Topics series have been designed to provide Web developers with the essential practical information they need to protect their applications against attack in the increasingly hostile world of the modern Internet. Each book focuses on a specific area of interest.
Security has become an issue that no Web developer can afford to ignore. Scarcely a week goes past without news of a break-in occurring at some high-profile Web site. Sometimes the result is just a temporary loss of service, but all too often passwords, personal information and credit card details are stolen. Only the attacks on well-known sites reach the news, but there are countless other unreported attacks on smaller sites which, although not newsworthy, are nevertheless of great importance to the small businesses that own them, to their customers, and to the developers responsible for building and maintaining those sites.
Most books on Web security are aimed not at working developers but at security specialists and professional security consultants. Those books are dedicated to examining the intricacies of particular forms of attack, to the extent that it sometimes seems as though they are manuals for potential attackers. We have therefore written this series of short books to focus specifically on the areas of interest to Web developers. We describe and explain only what developers need to know in order to defend their own applications against attack, leaving more time free for the creation of exciting and useful Web applications.
In this book we are concerned with ensuring that the resources managed by an application are protected so that they can only be manipulated by the users and programs entitled to do so. Conventionally, this is achieved by setting up user accounts protected by passwords and requiring users to log in, so we begin by describing how user accounts can be maintained and how passwords can be kept safe and secure. We go on to consider authentication, which is the process of verifying the identity of a user sending a request. This is usually done by requiring the user to provide their correct password when they log in, and by using cookies to remember their identity and associate it with subsequent requests, although we also consider some alternative arrangements.
It is a relatively simple matter to identify the owner of each resource and assign roles to users. A system of authorization can then be implemented to ensure that each request from a user will only be honoured by the application if their role gives them the necessary privileges to perform the requested operation on the resource identified in the request's URL.
We have developed a simple Web application, using the Express framework, as an example which runs throughout the book. Code extracts from this application are used to illustrate each principle as it is introduced. The application is written in JavaScript, a language which should be familiar to all Web developers. Some of the more advanced JavaScript programming techniques in our examples, and the use of Express and Node.js to create a JavaScript application that runs outside a browser, may perhaps be less familiar. A free short tutorial on these subjects is provided on the series companion Web site at www.websecuritytopics.info. The code for the examples is also available for free download; visit the companion site for details of how to obtain it.
In order to humanize what can be a dry subject, we have adapted the characters of Abelardo and his beloved Lady Gwendolen, who we found in our collection of obscure older films. Together with their associates, the pair feature in all the books in the Web Security Topics series. It seemed appropriate to place these characters in Freedonia, a country that also belongs in the movie archives, and has the advantage of a country TLD, .fd, which is not actually assigned in reality. Where it matters, we have tested examples using .fd domain names on a specially configured local server. Abelardo and friends are expert tiddlywinks players. We may have made up the characters, but the tiddlywinks jargon they sometimes employ is authentic.
This book includes a full glossary of the (non-tiddlywinks) technical terms which are used in the text. The first significant occurrence of each term defined in the glossary is printed in bold italics.
The companion Web site for all the books in the Web Security Topics series provides further information, useful links and supporting material. Visit the site at www.websecuritytopics.info.
The fact that some examples in this book refer to the code sharing service Github should not be taken as an endorsement of Github's services by the authors or publisher, nor as an endorsement of this text by Github.
Important Disclaimer
The example code in this book is provided solely for the purposes of illustrating some principles and techniques of authentication and authorization. It is not intended for serious use in sensitive applications. Neither the publisher nor the authors shall be liable for any consequence arising from the use of program code in this book for any purpose other than illustration of general principles in the context of learning.