For present-day businesses, it is important to integrate a centralized service that manages all user data. Implementing an appropriate central authentication service and authorization mechanism is an integral part of this. Designing an open source central authentication service involves the following:
- Clients (Web applications)
1. Understanding Terminology:
- Authentication – The mechanism by which a system identifies users securely. It answers the question “Who is the user?”
- SSO (Single Sign-On) – Part of authentication. The mechanism lets users sign on once and receive a ‘free pass’ to all participating resources, with no further sign-ons required.
- Authorization – The process of verifying that the user has the permission or role required to access specific sections or resources.
- Secured Clients – Usually the authentication and authorization mechanism works with a client's security framework such as Wicket Authentication, Apache Shiro, Spring Security, etc.
2. The Secured Clients:
Spring Security – This is a very popular and widely used framework. It demands a large amount of XML configuration, especially when you want more than the standard setup. Additionally, if you require permission support, Spring Security cannot provide it.
Apache Shiro – This is regarded as an excellent product. It promises straightforward configuration and out-of-the-box permission support. The only issues are that the Shiro community is very small and the project is quite new.
3. The Solution:
a. Authentication Server:
CAS (Central Authentication Service) is an excellent, fully open source project. It provides SSO, supports an open source central authentication service and works with popular protocols including OAuth, SAML, OpenID, etc. Integrating CAS with an LDAP server offers an authentication model and out-of-the-box SSO.
CAS is very easy to extend when custom changes are needed. The source code can be downloaded and customized as you wish, and CAS configuration is straightforward and well documented.
b. Secured Clients Framework
The choice should be based on factors such as the client web application, the popularity of the framework and the community behind it, etc.
4. Perfect Integration with CAS:
The chosen client framework should offer smooth and easy integration with CAS.
5. Responsibilities of Authorization:
This may be quite tricky depending on project requirements. The authorization flow can be configured in one of the following two ways:
a. Centralized Authorization:
CAS supports attributes, which means one can easily add additional attributes (permissions or roles) to the returned response. This may be done through SAML and is simple and straightforward. CAS lets you choose and configure the specific source from which additional attributes are pulled, such as Active Directory, a database, LDAP, etc.
This sophisticated solution delivers authentication together with the authorization roles/permissions for each user on request.
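As an added example (not code from the original article or from the CAS project), the following shows the centralized flow described above from the client side: parsing the XML that CAS returns on ticket validation, collecting the released attributes and deciding authorization purely from the roles CAS vouched for. The sample responses are constructed; the attribute names (memberOf, mail) are assumptions, since they depend on the attribute source CAS is configured with.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}

# Constructed sample of a successful /serviceValidate reply with released attributes.
SUCCESS_RESPONSE = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess>
    <cas:user>alice</cas:user>
    <cas:attributes>
      <cas:mail>alice@example.org</cas:mail>
      <cas:memberOf>app-admins</cas:memberOf>
      <cas:memberOf>staff</cas:memberOf>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""
# Constructed sample of the reply for an invalid or already-used service ticket.
FAILURE_RESPONSE = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationFailure code="INVALID_TICKET">Ticket ST-example not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""

class CasValidationError(Exception):
    """The CAS server did not vouch for the ticket; no session may be created."""

@dataclass
class Principal:
    username: str
    roles: frozenset = field(default_factory=frozenset)
    attributes: dict = field(default_factory=dict)

def parse_validation_response(xml_text: str, role_attribute: str = "memberOf") -> Principal:
    """Turn the CAS XML into a Principal, failing closed on any non-success reply."""
    root = ET.fromstring(xml_text)
    failure = root.find("cas:authenticationFailure", CAS_NS)
    if failure is not None:
        raise CasValidationError(f"{failure.get('code')}: {(failure.text or '').strip()}")
    success = root.find("cas:authenticationSuccess", CAS_NS)
    user = success.find("cas:user", CAS_NS) if success is not None else None
    if user is None or not (user.text or "").strip():
        raise CasValidationError("reply carries neither a success nor a failure element")
    attrs: dict = {}
    for el in success.findall("cas:attributes/*", CAS_NS):
        name = el.tag.split("}", 1)[-1]  # drop the {namespace} prefix ElementTree adds
        attrs.setdefault(name, []).append((el.text or "").strip())
    return Principal(user.text.strip(), frozenset(attrs.get(role_attribute, [])), attrs)

def is_authorized(principal: Principal, required_role: str) -> bool:
    return required_role in principal.roles  # decision rests only on roles CAS released
```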
b. Decentralized Authorization:
It is possible to configure security by extending the ‘user details’ interface, and then allow each application to control its own authorization logic after successful authentication.