Introduction to the main authentication methods for HTTP resources (part 1)

Introduction

I’ve been very busy these last two years updating a proprietary web application (written in Java) to integrate it into the Microsoft security systems (amongst other things). Therefore I have had to dive into the different security mechanisms that can protect the HTTP protocol and which internet users often encounter. This article is certainly not exhaustive and is divided into a few parts.

Authentication and authorization

Before diving into the technical details, a quick reminder of the two fundamental principles of security, authentication and authorization:

Authentication: the process used to verify that an actor really is who it claims to be.

Authorization: the access control applied to resources, granted on the basis of the information gained from authentication. Authorization therefore presupposes a successful authentication: one cannot decide what an actor may do before knowing who that actor is.

Authentication families

In my view, one can primarily organize the different HTTP authentication mechanisms according to the following criteria:

Scalar or vectorial type, and OSI level

Scalar and Vectorial authentications

– Scalar authentication mechanisms are those that return a single attribute about the actor. (For example: Basic authentication takes a username and its password, and the whole point of the exchange is to validate and transmit the username; nothing else about the user is conveyed.)

– Vectorial authentication mechanisms are those that return more than one attribute. (For example: the claim-based authentication mechanism, whose goal is to validate and transmit a set of user properties such as e-mail address, NISS, phone number or locality.)
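As an added example (not code from the original post), the following Python sketch contrasts the two families. The scalar side validates an `Authorization: Basic` header and yields only the validated username; the vectorial side validates a bearer token carrying signed claims (an HS256 JWT-style token, my choice for illustration) and yields a whole dictionary of attributes. The user store, the salt, the signing key and the claim values are constructed sample data, and the function names are mine.

```python
import base64
import binascii
import hashlib
import hmac
import json
from typing import Dict, Optional

# --- Constructed sample data for this example (not from the original post) ---
_SALT = bytes.fromhex("7f3a9c01e2b4d6f8")
KEY = b"example-hmac-key-do-not-reuse"


def _hash_password(password: str, salt: bytes) -> str:
    """Derive a PBKDF2-HMAC-SHA256 hash; plaintext passwords are never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000).hex()


# username -> (salt, derived hash). One made-up user for the demonstration.
USER_STORE = {"alice": (_SALT, _hash_password("s3cret", _SALT))}


def basic_header(username: str, password: str) -> str:
    """Build the header a client would send for Basic authentication (RFC 7617)."""
    return "Basic " + base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")


def scalar_basic_auth(header: str) -> Optional[str]:
    """Scalar mechanism: on success the only thing we learn is the username."""
    scheme, _, blob = header.strip().partition(" ")
    if scheme.lower() != "basic" or not blob:
        return None
    try:
        decoded = base64.b64decode(blob, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None  # malformed credentials, not a failed login
    # The user-id may not contain ':', so split on the first colon only.
    username, sep, password = decoded.partition(":")
    if not sep:
        return None
    record = USER_STORE.get(username)
    if record is None:
        return None
    salt, stored = record
    # Constant-time comparison so the check does not leak via timing.
    if not hmac.compare_digest(_hash_password(password, salt), stored):
        return None
    return username


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_claims_token(claims: Dict[str, str], key: bytes, alg: str = "HS256") -> str:
    """Issue a JWT-style token. alg other than HS256 produces an unsigned token,
    which lets the verifier's algorithm check be exercised."""
    header = _b64url(json.dumps({"alg": alg, "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = hmac.new(key, signing_input, hashlib.sha256).digest() if alg == "HS256" else b""
    return f"{header}.{payload}.{_b64url(sig)}"


def vectorial_claims_auth(header: str, key: bytes) -> Optional[Dict[str, str]]:
    """Vectorial mechanism: on success we obtain every claim the issuer asserted."""
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "bearer" or token.count(".") != 2:
        return None
    h, p, s = token.split(".")
    try:
        hdr = json.loads(_b64url_decode(h))
        # Pin the algorithm: the token must never choose it (e.g. "none").
        if not isinstance(hdr, dict) or hdr.get("alg") != "HS256":
            return None
        expected = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None
        claims = json.loads(_b64url_decode(p))
    except (binascii.Error, ValueError):
        return None
    return claims if isinstance(claims, dict) else None


if __name__ == "__main__":
    print(scalar_basic_auth(basic_header("alice", "s3cret")))  # one attribute
    sample = {"sub": "alice", "email": "alice@example.com", "locality": "Brussels"}
    print(vectorial_claims_auth("Bearer " + make_claims_token(sample, KEY), KEY))  # many
```

Both functions return `None` for every failure (bad scheme, malformed encoding, wrong password, bad signature, wrong algorithm) so the caller cannot confuse a parsing error with a partially authenticated actor; the difference between the families is visible in the success type alone, a single string versus a dictionary of attributes.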

OSI level of authentication

The OSI model (well described on Wikipedia), which defines the layering of network communication, can also be used to structure the HTTP authentication mechanisms, according to the layer at which the credentials are actually exchanged: client-certificate authentication, for instance, happens during the TLS handshake, below HTTP, whereas Basic or Form authentication is carried inside the HTTP messages themselves.

To be continued…

In the next posts, we’ll look in detail at the following authentication mechanisms:

Basic authentication

Form authentication

Digest authentication

Certificate authentication

NTLM authentication

Kerberos authentication

Claim-based authentication