A simple collaborative method in Web proxy access control for supporting complex authentication mechanisms

Modern authentication mechanisms, including Shibboleth and OAuth, provide user attributes such as affiliations and e-mail addresses. Conventional collaborative methods have difficulty using such attributes in egress access control for the Web. This paper proposes a new collaborative method involving Web browsers, proxy servers, and authentication servers. The proposed method simplifies communication among these elements by using a trusted shared repository that stores user attributes. A new authentication mechanism can be added to the system by deploying an authentication server for that mechanism. This authentication server is a Web application that stores user attributes in the shared repository, associated with the user identifiers. When a proxy server receives a request from a Web browser, it retrieves the user's attributes from the shared repository and decides, on the basis of the requested URL and the relevant attributes, whether or not to allow access to the external Web page. Unlike in a standard such as the Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO), neither Web browsers nor proxy servers are required to include extensions for authentication mechanisms. On the basis of this simple collaborative method, the authors have implemented an egress access control system for the Web that performs user authentication with Shibboleth and Facebook. The access control system has been operational in a university library for more than a year.
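The following toy model illustrates the division of labour the abstract describes: authentication servers write attributes into a shared repository keyed by user identifier, and the proxy reads them back to decide on a URL. It is an added example, not the paper's implementation; the in-memory dict, the record expiry, the attribute names, the "guest" mapping for Facebook logins and the host-suffix policy rules are all assumptions, and the example also assumes the proxy already knows which user identifier a request belongs to.

```python
"""Toy model of the collaboration described above (added example, not the
paper's system).  Assumed, not on the page: a dict stands in for the trusted
shared repository, records carry an expiry, and the proxy knows the user id."""
from urllib.parse import urlsplit

class SharedRepository:
    """Trusted store of user attributes keyed by user identifier."""
    def __init__(self):
        self._records = {}

    def store(self, user_id, attributes, expires):
        self._records[user_id] = (dict(attributes), expires)

    def lookup(self, user_id, now):
        rec = self._records.get(user_id)
        if rec is None:
            return None
        attributes, expires = rec
        if expires <= now:              # stale record: treat as unauthenticated
            del self._records[user_id]
            return None
        return attributes

# Authentication servers are plain Web applications; each normalises the
# attributes of its own mechanism into the repository's common format.
def shibboleth_auth_server(repo, user_id, assertion, now, ttl=3600):
    repo.store(user_id, {"affiliation": assertion["eduPersonAffiliation"],
                         "mail": assertion["mail"]}, now + ttl)

def facebook_auth_server(repo, user_id, profile, now, ttl=3600):
    # Hypothetical mapping: social-login users get a low-privilege affiliation.
    repo.store(user_id, {"affiliation": "guest", "mail": profile["email"]}, now + ttl)

# Proxy policy, matched top to bottom; "*" is the catch-all rule (constructed).
POLICY = [("journals.example.edu", {"staff", "student"}),
          ("*", {"staff", "student", "guest"})]

def proxy_decide(repo, user_id, url, now):
    """Egress decision for one request: 'authenticate', 'allow' or 'deny'."""
    attrs = repo.lookup(user_id, now)
    if attrs is None:
        return "authenticate"           # no attributes: send user to an auth server
    host = urlsplit(url).hostname or ""
    for suffix, allowed in POLICY:
        if suffix == "*" or host == suffix or host.endswith("." + suffix):
            return "allow" if attrs.get("affiliation") in allowed else "deny"
    return "deny"
```

Because the proxy only ever reads the repository, adding a third mechanism means deploying one more writer in the style of the two authentication servers above, with no change to the proxy or the browser.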
