<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<body link="#355491" alink="#4262a1" vlink="#355491" style="background: #e2e2e2; margin: 0; padding: 20px;">
<div>
<table cellpadding="0" bgcolor="#FFFFFF" border="0" cellspacing="0" style="border: 1px solid #dadada; margin-bottom: 30px; width: 100%; -moz-border-radius: 6px; -webkit-border-radius: 6px;">
<tbody>
<tr>
<td>
<table border="0" cellpadding="0" cellspacing="0" bgcolor="#FFFFFF" style="border: solid 2px #ccc; background: #dadada; width: 100%; -moz-border-radius: 6px; -webkit-border-radius: 6px;">
<tbody>
<tr>
<td bgcolor="#000000" valign="middle" height="58px" style="border-bottom: 1px solid #ccc; padding: 20px; -moz-border-radius-topleft: 3px; -moz-border-radius-topright: 3px; -webkit-border-top-right-radius: 5px; -webkit-border-top-left-radius: 5px;">
<h1 style="color: #333333; font: bold 22px Arial, Helvetica, sans-serif; margin: 0; display: block !important;">
<!-- To have a header image/logo replace the name below with your img tag -->
<!-- Email clients will render the images when the message is read so any image -->
<!-- must be made available on a public server, so that all recipients can load the image. -->
<a href="http://community.jboss.org/index.jspa" style="text-decoration: none; color: #E1E1E1">JBoss Community</a></h1>
</td>
</tr>
<tr>
<td bgcolor="#FFFFFF" style="font: normal 12px Arial, Helvetica, sans-serif; color:#333333; padding: 20px; -moz-border-radius-bottomleft: 4px; -moz-border-radius-bottomright: 4px; -webkit-border-bottom-right-radius: 5px; -webkit-border-bottom-left-radius: 5px;"><h3 style="margin: 10px 0 5px; font-size: 17px; font-weight: normal;">
Management API Security Token vs Per Node Authentication
</h3>
<span style="margin-bottom: 10px;">
modified by <a href="http://community.jboss.org/people/dlofthouse">Darran Lofthouse</a> in <i>JBoss AS7 Development</i> - <a href="http://community.jboss.org/docs/DOC-16584">View the full document</a>
</span>
<hr style="margin: 20px 0; border: none; background-color: #dadada; height: 1px;">
<div class="jive-rendered-content"><h1>Token vs Per Node Authentication</h1><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p>For the security of the management APIs we can consider either replicating the authentication mechanism to each node or we can consider implementing a token mechanism where a client can obtain a token that they subsequently embed in each request that can be verified simply to identify the user.</p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p>The primary reason for considering this is that authentication can be a slow process when communicating with remote stores of users, if we are considering scenarios where users connect directly to nodes to retrieve runtime state as a perfromance gain we need to ensure that authentication does not erode that gain.</p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><h2>Per Node Authentication</h2><p>Here the management APIs will be secured so that the user can either authenticate by providing a username and password each time they connect or we will use their certificate used for the SSL connection to identify them.  </p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><table border="1" cellpadding="3" cellspacing="0" class="jiveBorder" style="width: 100%; border: 1px solid #000000;"><tbody><tr><th align="center" style="background-color: #6690bc;; border: 1px solid #000000;background-color: #6690bc;" valign="middle"><span style="color: #ffffff;"><strong>Advantages</strong></span></th><th align="center" style="background-color: #6690bc;; border: 1px solid #000000;background-color: #6690bc;" valign="middle"><span style="color: #ffffff;"><strong>Disadvantages</strong></span></th></tr><tr><td style="border: 1px solid #000000;">Uses a form of authentication we have used regularly elsewhere.</td><td style="border: 1px solid #000000;">An authentication cache will be required on each node, domain wide invalidation requests will be required if any details of the users account changes.</td></tr><tr><td style="border: 1px solid #000000;">User can authenticate in the same way on any node.</td><td style="border: 1px solid #000000;">Performance hit requiring authentication to be performed on each node the user connect to.</td></tr><tr><td style="border: 1px solid #000000;">Uses standard authentication mechanisms at the protocol level e.g. BASIC</td><td style="border: 1px solid #000000;">Difficult to pass users identity to different nodes.</td></tr><tr><td style="border: 1px solid #000000;"><br/></td><td style="border: 1px solid #000000;"><br/></td></tr></tbody></table><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><h2>Token Authentication</h2><p>For this scenario the user will call some form of login operation on the master domain controller, this will perform normal authentication to verify the user and obtain their roles, a token will then be created that contains the users identity, their roles, a created time and an expiration time - this token will then be signed by the master domain controller.  On each subsequent request this token will be passed as a part of the request, the signature will be verified as will the two times and then the contained list of roles will be used.</p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><table border="1" cellpadding="3" cellspacing="0" class="jiveBorder" style="width: 100%; border: 1px solid #000000;"><tbody><tr><th align="center" style="background-color: #6690bc;; border: 1px solid #000000;background-color: #6690bc;" valign="middle"><span style="color: #ffffff;"><strong>Advantages</strong></span></th><th align="center" style="background-color: #6690bc;; border: 1px solid #000000;background-color: #6690bc;" valign="middle"><span style="color: #ffffff;"><strong>Disadvantages</strong></span></th></tr><tr><td style="border: 1px solid #000000;">Eliminates the need for an authentication cache as the token is the cache.</td><td style="border: 1px solid #000000;">Will be a new concept for JBoss AS</td></tr><tr><td style="border: 1px solid #000000;">Performance hit when token is created but after that any node can verify the token using certificates.</td><td style="border: 1px solid #000000;">Some form of revocation list will be required on each node.  i.e. Disallow all tokens for user X created before time Y.  (Only required for a comprimised account as for changes such as new roles they can just request a new token)</td></tr><tr><td style="border: 1px solid #000000;">Have a simple artefact that can be passed from node to node to transfer clients identity.</td><td style="border: 1px solid #000000;">User potentially needs to authenticare on master DC first - although we could have slave DC signed tokens for requests only against that DC.</td></tr><tr><td style="border: 1px solid #000000;"><br/></td><td style="border: 1px solid #000000;">Passing the token would be outside of the standard authentication mechanisms at the protocol level.</td></tr></tbody></table></div>
<div style="background-color: #f4f4f4; padding: 10px; margin-top: 20px;">
<p style="margin: 0;">Comment by <a href="http://community.jboss.org/docs/DOC-16584">going to Community</a></p>
<p style="margin: 0;">Create a new document in JBoss AS7 Development at <a href="http://community.jboss.org/choose-container!input.jspa?contentType=102&containerType=14&container=2225">Community</a></p>
</div></td>
</tr>
</tbody>
</table>
</td>
</tr>
</tbody>
</table>
</div>
</body>
</html>