Show Contents Previous Page Next Page Chapter 6 - Authentication and Authorization In this section...
The Secure Sockets Layer (SSL) is a widely used protocol for encrypting Internet transmissions. It was originally introduced by Netscape for use with its browser and server products and has been adapted by the Internet Engineering Task Force (IETF) for use in its standard Transport Layer Security (TLS) protocol. When an SSL-enabled browser talks to an SSL-enabled server, they exchange cryptographic certificates and authenticate each other using secure credentials known as digital certificates. They then set up an encrypted channel with which to exchange information. Everything that the browser sends to the server is encrypted, including the requested URI, cookies, and the contents of fill-out forms, and everything that the server returns to the browser is encrypted as well. For the purposes of authentication and authorization, SSL can be used in two ways. One option is to combine SSL encryption with Basic authentication. The Basic authentication protocol continues to work exactly as described in the previous section, but now the user's password is protected from interception because it is part of the encrypted data stream. This option is simple and doesn't require any code changes. The other option is to use the browser's digital certificate for authorization. The server automatically attempts to authenticate the browser's digital certificate when it first sets up the SSL connection. If it can't, the SSL connection is refused. If you wish, you can use the information provided in the browser's certificate to decide whether this user is authorized to access the requested URI. In addition to the user's name, digital certificates contain a variety of standard fields and any number of optional ones; your code is free to use any of these fields to decide whether the user is authorized. The main advantage of the digital certificate solution is that it eliminates the problems associated with passwords--users forgetting them or, conversely, choosing ones that are too easy to guess. The main disadvantage is that most users don't use digital certificates. On most of the public Web, authentication is one-way only. The server authenticates itself to the browser, but not vice-versa. Therefore, authentication by digital certificate is only suitable in intranet environments where the company issues certificates to its employees as a condition of their accessing internal web servers. There are several SSL-enabled versions of Apache, and there will probably be more in the future. Each offers a different combination of price, features, and support. The current list follows: Open-source (free) versions:
Commercial versions:
Copyright © 1999 by O'Reilly & Associates, Inc. |
