user authentication using the client principle object
play

User Authentication using the Client Principle Object Presented By: - PowerPoint PPT Presentation

May 03, 2023 •334 likes •697 views

User Authentication using the Client Principle Object Presented By: Chris Longo User Authentication using the Client Principle Object Agenda What is the Client Principal Object? Why is it useful? How do I implement the CP Object?

  1. User Authentication using the Client Principle Object Presented By: Chris Longo User Authentication using the Client Principle Object

  2. Agenda ● What is the Client Principal Object? ● Why is it useful? ● How do I implement the CP Object? User Authentication using the Client Principle Object

  3. Application Context ● Unique set information associated with a specific user's application session. ● UserID, PlantID, Session ● Effects: ● Authentication ● Authorization ● Query Filtering ● Conditional Processing User Authentication using the Client Principle Object

  4. Stateful App Environment ● User application sessions are uniquely bound to a single OpenEdge Client. ● Context persists on the OpenEdge Client ● Shared Vars ● Persistent procedures ● UserID() User Authentication using the Client Principle Object

  5. Stateless App Environment ● User application sessions share OpenEdge Clients. ● User Context must be re-establish with each OpenEdge Client Interaction. User Authentication using the Client Principle Object

  6. What is a Client Principal Object? ● Dynamic ABL Object ● Attribute / Methods ● Maintains a User's Identity ● UserID / Roles ● SessionID / Session Expiration ● Sets effective UserID() for a database. ● Does not authenticate UserID and Password User Authentication using the Client Principle Object

  7. Importance of a CP Object ● Establish User Context ● Maintaining a user's identity in a stateless environment. ● Used to maintain an identity authenticated using an external registry other then _User. ● Application specific user registry ● LDAP ● Auditing User Authentication using the Client Principle Object

  8. Establishing a User's Identity ● OpenEdge Client connect to a database: ● Authenticate using _User table ● Login.p ● Provide -U <userid> -P <passwd> ● Setuserid() UserID() functions provides identity context for the connected databases. User Authentication using the Client Principle Object

  9. Establishing a User's Identity ● Application Tables / External Registry ● Application specific code to Authenticate UserID and Password. ● May not have and effect on UserID value set for the the connected database. ● Use the CP Object to apply an application user's identity. User Authentication using the Client Principle Object

  10. AppServer/Webspeed Agents ● Client Session Identity is established as an agent connects to a database. ● Most likely at startup ● Agent is shared by many users but the Identity remains set to the UserID of the process that started the Agents. User Authentication using the Client Principle Object

  11. Session Context ● A User's Identity is part of application session context. ● Established between and client and an agent with each interaction. ● Need UserID function to recognize session context. ● Specifically a user's identity. User Authentication using the Client Principle Object

  12. CP Object ● The CP Object becomes part of a user's session context. ● It can be used to set the UserIDs of all connected databases at run-time User Authentication using the Client Principle Object

  13. Steps to Using CP Object ● Establish an Authentication Domain ● Create CP Object ● Assign three key attribute ● UserID ● Domain Name ● SessionID ● Seal CP Object ● Domain AccessKey ● Use It ● Set UserIDs for connected database User Authentication using the Client Principle Object

  14. Authentication Domains relationship with a CP Object ● Defined internally using the Data Admin Tool ● Alternately defined externally ● Provides encrypted key (access-key). ● Access-key used to seal and validate CP Objects. User Authentication using the Client Principle Object

  15. Authentication Domain Setup User Authentication using the Client Principle Object

  16. Security Policy ● An authentication domain must be loaded for a session. ● Security Policy system handle loads domains into the Trusted Domain Registry. security-policy:load-domain('dbName') ● – Domain Registry Locked Automatically security-policy:register-domain('DomainName, AccessKey) ● – security-policy:lock-registeration() User Authentication using the Client Principle Object

  17. Create CP Object CREATE CLIENT-PRINCIPAL hClientPrincipal. /* Set CP Object Values */ hClientPrincipal:SESSION-ID = BASE64-ENCODE(GENERATE-UUID). hClientPrincipal:USER-ID = pcUserID. hClientPrincipal:DOMAIN-NAME = 'bravepoint.com'. hClientPrincipal:DOMAIN-TYPE = 'Internal'. hClientPrincipal:LOGIN-EXPIRATION-TIMESTAMP = ADD-INTERVAL(NOW, 60, 'seconds'). hClientPrincipal:ROLES = pcRoles. hClientPrincipal:SET-PROPERTY('UserPlant', 'Norcross'). User Authentication using the Client Principle Object

  18. Authenticate User Identity IF Identity.IdentityKey <> ENCODE(pcPasswd) THEN DO: /* This will set the state-detail attribute */ hClientPrincipal:AUTHENTICATION-FAILED ('UserName Password authenitication failed.'). pcMessage = 'UserName Password authenitication failed.'. END. User Authentication using the Client Principle Object

  19. CP Object State ● LOGIN-STATE Attribute LOGIN ● LOGOUT ● EXPIRED ● FAILED ● ● AUTHENTICATION-FAILED() Used on an unsealed CP Object ● LOGIN-STATE is set to failed. ● STATE-DETAIL Attribute is set to the supplied reason. ● User Authentication using the Client Principle Object

  20. Seal CP Object The Domain Access Key was previously defined using the Data ● Admin tool or setup manually using register-domain(). hClientPrincipal:SEAL(cDomainAccessKey) User Authentication using the Client Principle Object

  21. Set DB Identity ● SET-DB-CLIENT will set the effective UserID for all connected databases or those explicitly specified. SET-DB-CLIENT(hClientPrincipal) User Authentication using the Client Principle Object

  22. CP Object Portability ● CP Object provides methods to import and export it's values. ● CP Object exports and imports from a raw data type. DEFINE VAR rCP AS RAW NO-UNDO. rCP = hClientPrincipal:EXPORT-PRINCIPAL(). User Authentication using the Client Principle Object

  23. CP Object and Session Context ● Alternative #1: ● Pass the raw CP Object as a parameter back to the client. – Client gets full access to all the CP Objects Attributes. – Raw data type might present issue with non ABL clients. – Security threat? User Authentication using the Client Principle Object

  24. CP Object and Session Context ● Alternative #2 ● Store the CP Object in a session context DB Table. – CPObject.SessionID AS CHARACTER – CPObject.ContextObject AS RAW ● Pass an encrypted token containing the associated sessionID back to the client. – SecureToken is used to reconstitute the CP Object each time a user interacts with an agent. – SecureToken is a character string. User Authentication using the Client Principle Object

  25. CP Object and Session Context /* Store the CP Object as part of a user's session context. */ rCP = hClientPrincipal:EXPORT-PRINCIPAL(). DO TRANSACTION: CREATE bCPObject. ASSIGN bCPObject.SessionID = hClientPrincipal:SESSION-ID bCPObject.ContextObject = rCP. END. User Authentication using the Client Principle Object

  26. CP Object Identity Authentication cSessionID = STRING(DECRYPT(BASE64-DECODE(pcSecToken), rEncryptKey)) NO-ERROR. /* Create an empty CP Object. */ CREATE CLIENT-PRINCIPAL hClientPrincipal. /* Find the session context row containing the previosuly saved CP Object Data. */ FIND bCPObject WHERE bCPObject.SessionID = cSessionID NO-LOCK NO-ERROR. IF NOT AVAIL bCPObject THEN UNDO, THROW NEW Progress.Lang.AppError('Unable to authenticate user. Could not find CPObject context.', 104). /* Load the CP Object. So you left with a CP Object as it existed after you sealed it during createCPObject. */ hClientPrincipal:IMPORT-PRINCIPAL(bCPObject.ContextObject). User Authentication using the Client Principle Object

  27. Validate CP Object ● VALIDATE-SEAL( domainKey ) ● Validates the CPObject's MAC, which was previously generated via the SEAL(). ● Must supply the DomainKey used to seal the CPObject. ● LOGOUT() ● In validates a sealed CP Object ● No longer use it to set DB UserIDs ● Sets the LOGIN-STATE to LOGOUT User Authentication using the Client Principle Object

  28. Validate CP Object hClientPrincipal:IMPORT-PRINCIPAL(bCPObject.ContextObject). IF NOT hClientPrincipal:VALIDATE-SEAL(cDomainAccessKey) THEN DO: hClientPrincipal:LOGOUT(). UNDO, THROW NEW Progress.Lang.AppError( SUBSTITUTE('CP Object Validation Failed. Login-State = &1', hClientPrincipal:LOGIN-STATE), 105). END. User Authentication using the Client Principle Object

  29. Session Expiration ● SEAL-TIMESTAMP ● Automatically set. ● Date and time of when the CP Object was sealed. ● LOGIN-EXPIRATION-TIMESTAMP ● Programmatically set to some point in the future. ● LOGIN-STATE set to 'Expired' if not sealed prior to the value set in this attribute. User Authentication using the Client Principle Object

  30. Session Expiration /* Check expiration */ IF hClientPrincipal:LOGIN-EXPIRATION-TIMESTAMP < NOW THEN DO: /* This will set the state-detail attribute */ hClientPrincipal:AUTHENTICATION-FAILED ('User Session Expired.'). hClientPrincipal:LOGOUT(). DO TRANSACTION: FIND CURRENT bCPObject EXCLUSIVE-LOCK. prCP = hClientPrincipal:EXPORT-PRINCIPAL(). bCPObject.ContextObject = prCP. END. END. User Authentication using the Client Principle Object

Recommend

TLS 1.3 Client Authentication Andrei Popov, Microsoft Corp. Issue 1: TLS Client Authentication

TLS 1.3 Client Authentication Andrei Popov, Microsoft Corp. Issue 1: TLS Client Authentication

TLS 1.3 Client Authentication Andrei Popov, Microsoft Corp. Issue 1: TLS Client Authentication After the Handshake The user navigates to the sites landing page, no client authentication required. Eventually, the user requests a

69 views • 6 slides
Push Away Your Privacy: Precise User Tracking Based on TLS Client Certificate Authentication

Push Away Your Privacy: Precise User Tracking Based on TLS Client Certificate Authentication

Chair of Network Architectures and Services TUM Department of Informatics Technical University of Munich (TUM) Push Away Your Privacy: Precise User Tracking Based on TLS Client Certificate Authentication Matthias Wachs, Quirin Scheitle, and

462 views • 14 slides
Django User Authentication OVERVIEW OF USER AUTHENTICATION Anthony Alampi OWNER, X FACTOR

Django User Authentication OVERVIEW OF USER AUTHENTICATION Anthony Alampi OWNER, X FACTOR

Django User Authentication OVERVIEW OF USER AUTHENTICATION Anthony Alampi OWNER, X FACTOR CONSULTANTS www.XFactorConsultants.com User Authentication (Auth) The methods by which a web app verifies the identity of a user and limits their

334 views • 8 slides
CLIENT INITIATED BACKCHANNEL AUTHENTICATION CIBA? CIBA is an authentication flow like OpenID

CLIENT INITIATED BACKCHANNEL AUTHENTICATION CIBA? CIBA is an authentication flow like OpenID

CLIENT INITIATED BACKCHANNEL AUTHENTICATION CIBA? CIBA is an authentication flow like OpenID Connect. However, unlike OpenID Connect, there is direct Relying Party to OpenID Provider communication without redirects through the user's browser.

505 views • 17 slides
Information Security Identification and authentication Advanced User Authentication I 2019-02-01

Information Security Identification and authentication Advanced User Authentication I 2019-02-01

Information Security Identification and authentication Advanced User Authentication I 2019-02-01 Amund Hunstad Guest Lecturer, amund@foi.se Agenda for this part of the course Background Statistics in user authentication Biometric systems

573 views • 32 slides
Information Security Identification and authentication Advanced User Authentication I 2018-02-02

Information Security Identification and authentication Advanced User Authentication I 2018-02-02

Information Security Identification and authentication Advanced User Authentication I 2018-02-02 Amund Hunstad Guest Lecturer, amund@foi.se Agenda for this part of the course Background Statistics in user authentication Biometric systems

569 views • 41 slides
Information Security Identification and authentication Advanced User Authentication I 2016-01-26

Information Security Identification and authentication Advanced User Authentication I 2016-01-26

Information Security Identification and authentication Advanced User Authentication I 2016-01-26 Amund Hunstad Guest Lecturer, amund@foi.se Agenda for this part of the course Background Statistics in user authentication Biometric systems

866 views • 40 slides
User Authentication Passport Jason Situ Passport What is it? Passport is authentication

User Authentication Passport Jason Situ Passport What is it? Passport is authentication

User Authentication Passport Jason Situ Passport What is it? Passport is authentication middleware for Node. It is designed to serve a singular purpose: authenticate requests. Supports a comprehensive set of authentication mechanisms called

808 views • 16 slides
USABLE SECURITY GRAD SEC SEP 28 2017 USER AUTHENTICATION What we know (passwords) What we

USABLE SECURITY GRAD SEC SEP 28 2017 USER AUTHENTICATION What we know (passwords) What we

USABLE SECURITY GRAD SEC SEP 28 2017 USER AUTHENTICATION What we know (passwords) What we have (tokens) What we are (iris, fingerprint) [Accuracy vs. cost trade-off] Other USER AUTHENTICATION INKBLOT AUTHENTICATION Come up with

671 views • 20 slides
Information Security Identification and authentication Advanced User Authentication II

Information Security Identification and authentication Advanced User Authentication II

Information Security Identification and authentication Advanced User Authentication II 2019-02-08 Amund Hunstad Guest Lecturer, amund@foi.se Agenda for lecture I within this part of the course Background Authentication eID

1.19k views • 102 slides
Information Security Identification and authentication Advanced User Authentication II

Information Security Identification and authentication Advanced User Authentication II

Information Security Identification and authentication Advanced User Authentication II 2016-01-29 Amund Hunstad Guest Lecturer, amund@foi.se Agenda for lecture I within this part of the course Background Authentication eID

683 views • 44 slides
Network Security Topic 3: User Authentication Topic 3: User Authentication 1 Reading for this

Network Security Topic 3: User Authentication Topic 3: User Authentication 1 Reading for this

5/25/2019 Network Security Topic 3: User Authentication Topic 3: User Authentication 1 Reading for this Lecture 5/25/2019 Password Topic 3: User Authentication Password strength Salt_(cryptography) Password cracking

1.03k views • 75 slides
Information Security Identification and authentication Advanced User Authentication III

Information Security Identification and authentication Advanced User Authentication III

Information Security Identification and authentication Advanced User Authentication III 2016-02-02 Amund Hunstad Guest Lecturer, amund@foi.se Agenda for lecture II within this part of the course Background Statistics Statistics in user

1.49k views • 70 slides
User authentication on the web Joseph Bonneau

User authentication on the web Joseph Bonneau

User authentication on the web Joseph Bonneau Computer Laboratory Part II Security lecture 2012 J. Bonneau (U. of Cambridge) User authentication on the web February 22, 2012 1 / 41

1.72k views • 132 slides
Information Security Identification and authentication Advanced User Authentication II and III

Information Security Identification and authentication Advanced User Authentication II and III

Information Security Identification and authentication Advanced User Authentication II and III (somewhat abbreviated ) 2018-02-09 Amund Hunstad Guest Lecturer, amund@foi.se Agenda for lecture I within this part of the course Background

1.24k views • 106 slides
Beyond Trust PostgreSQL Client Authentication Christoph Mnch-Tegeder 2ndQuadrant

Beyond Trust PostgreSQL Client Authentication Christoph Mnch-Tegeder 2ndQuadrant

Beyond Trust PostgreSQL Client Authentication Christoph Mnch-Tegeder 2ndQuadrant http://www.2ndquadrant.com/ 2017-02-05 Part I Authentication Why Authentication? Too complicated Nobody knows my database Nobody will attack us

813 views • 39 slides
User Authentication Storing Passwords Selecting Passwords ITS335: IT Security Tokens

User Authentication Storing Passwords Selecting Passwords ITS335: IT Security Tokens

ITS335 User Authentication Authentication Passwords User Authentication Storing Passwords Selecting Passwords ITS335: IT Security Tokens Biometrics Sirindhorn International Institute of Technology Summary Thammasat University Prepared

663 views • 40 slides
ISE 331 Fundamentals of Computer Security Authentication and Attacks Agenda User

ISE 331 Fundamentals of Computer Security Authentication and Attacks Agenda User

ISE 331 Fundamentals of Computer Security Authentication and Attacks Agenda User Authentication Authentication process Means of authentication Passwords Vulnerabilities of passwords Password Cracking Dictionary Attacks

472 views • 21 slides
Authentication Authentication Overview Registration User sends username and password

Authentication Authentication Overview Registration User sends username and password

Authentication Authentication Overview Registration User sends username and password Validate password strength Store salted hash of the password Authentication User sends username/password Retrieve the stored salted

359 views • 20 slides
A2: Broken Authentication and Session Management But first Authentication, Authorization,

A2: Broken Authentication and Session Management But first Authentication, Authorization,

A2: Broken Authentication and Session Management But first Authentication, Authorization, Sessions Authentication Determining user identity Multiple ways What you know (password) What you have (phone, RSA SecureID, Yubikey)

1.57k views • 28 slides
Challenge/Response Authentication Authentication by what questions you can answer correctly

Challenge/Response Authentication Authentication by what questions you can answer correctly

Challenge/Response Authentication Authentication by what questions you can answer correctly Again, by what you know The system asks the user to provide some information If its provided correctly, the user is authenticated

233 views • 20 slides
Integrating Legacy User Authentication with HIP Jani Hautakorpi (Jani.Hautakorpi@hut.fi) 1 / 11

Integrating Legacy User Authentication with HIP Jani Hautakorpi (Jani.Hautakorpi@hut.fi) 1 / 11

T-110.557 Research Seminar on Telecommunications Software Integrating Legacy User Authentication with HIP Jani Hautakorpi (Jani.Hautakorpi@hut.fi) 1 / 11 Contents HIP base exchange Selected legacy user authentication mechanisms:

241 views • 11 slides
Computer and Information Security Fall 2019 User Authentication and Access Control Tyler Bletsch

Computer and Information Security Fall 2019 User Authentication and Access Control Tyler Bletsch

ECE590 Computer and Information Security Fall 2019 User Authentication and Access Control Tyler Bletsch Duke University User Authentication Determining if a user is who they say they are before giving them access. 2 The four means of

1.02k views • 70 slides
Computer and Information Security Fall 2020 User Authentication and Access Control Tyler Bletsch

Computer and Information Security Fall 2020 User Authentication and Access Control Tyler Bletsch

ECE560 Computer and Information Security Fall 2020 User Authentication and Access Control Tyler Bletsch Duke University User Authentication Determining if a user is who they say they are before giving them access. 2 The four means of

1.15k views • 70 slides

More recommend