
Difference between revisions of "Orion/Security"

m (Authentication)
m (Category)
Line 28: Line 28:
 
* Extended authorization model that support controlling what HTTP methods are supported for a given prefix.
 
* Extended authorization model that support controlling what HTTP methods are supported for a given prefix.
 
* LDAP-based authentication
 
* LDAP-based authentication
 +
 +
[[Category:Orion|Security]]

Revision as of 14:05, 11 January 2011

Authentication

Orion has an extensible authentication scheme that is provided by the server. A 401 response to any Orion service is accompanied by JavaScript in the response body that performs authentication. The script auth.js provides helper methods for handling authentication on the client side. These methods are inserted in client code wherever xhr calls to the server are made:

  dojo.xhrGet({
    ...
    error: function(response, ioArgs) {
      handleGetAuthenticationError(this, ioArgs); // <- helper method
      return response;
    }
  });

The example server currently provides support for Basic HTTP authentication, form-based authentication, and authentication using OpenID.

Authorization

Orion currently uses a simple authorization system based entirely on request URIs. User names are granted authorization for a given URI prefix, which allows GET/PUT/POST operations on any service or resource starting with that prefix. This model will be extended to support controlling which HTTP methods are supported for a given prefix, to allow, for example, read access without write access to a URI space.
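The following sketch is an added example, not Orion's own code: it shows a prefix check of the kind described above, extended with the per-method control the page plans. The grant table, user names, paths and the function names `normalizePath` and `isAuthorized` are assumptions made for illustration.

```javascript
// Added example: URI-prefix authorization with a per-method extension.
// The grant table, user names and paths are constructed for illustration.
const GRANTS = {
  alice: [
    { prefix: "/file/alice", methods: ["GET", "PUT", "POST"] },
    { prefix: "/shared/docs", methods: ["GET"] }, // read access without write access
  ],
};

// Decode the path and resolve "." and ".." segments so the check is made on
// the same path the server will serve. Returns null for paths to reject.
function normalizePath(rawPath) {
  let decoded;
  try {
    decoded = decodeURIComponent(rawPath);
  } catch (e) {
    return null; // malformed percent-encoding
  }
  if (!decoded.startsWith("/") || decoded.includes("\0")) return null;
  const out = [];
  for (const seg of decoded.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") {
      if (out.length === 0) return null; // climbs above the root
      out.pop();
    } else {
      out.push(seg);
    }
  }
  return "/" + out.join("/");
}

function isAuthorized(grants, user, method, rawPath) {
  const path = normalizePath(rawPath);
  if (path === null) return false;
  const own = Object.prototype.hasOwnProperty.call(grants, user);
  const userGrants = own ? grants[user] : [];
  return userGrants.some(({ prefix, methods }) => {
    // Match on a segment boundary: "/file/alice" must not cover "/file/alice2".
    const covers = path === prefix || path.startsWith(prefix + "/");
    return covers && methods.includes(method.toUpperCase());
  });
}
```

The check fails closed: an unknown user, a malformed path, or a method missing from the grant all return false.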

Encryption

The Orion example server currently supports encrypted communication via HTTPS, as well as unencrypted HTTP communication.

Future Work

  • Delegated authorization using OAuth, so other web services can have limited access to a set of Orion services when approved by the user.
  • Extended authorization model that supports controlling which HTTP methods are supported for a given prefix.
  • LDAP-based authentication
