Difference between revisions of "Orion/Security"


Latest revision as of 12:02, 4 November 2011

Authentication

Orion has an extensible authentication scheme that is provided by the server. A 401 response to any Orion service is accompanied by JavaScript in the response body that performs authentication. The script auth.js provides helper methods for handling authentication on the client side. These methods are inserted in client code wherever XHR calls to the server are made:

  dojo.xhrGet({
    ...
    error: function(response, ioArgs) {
      handleGetAuthenticationError(this, ioArgs); // <- helper method
      return response;
    }
  });

The example server currently provides support for Basic HTTP authentication, form-based authentication, and authentication using OpenID.
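The callback pattern above hands every failed response to a helper and then returns it to the caller. The following is an added example, not Orion's auth.js and not part of the Orion client API: a small synchronous wrapper that shows the behaviour a practitioner wants from such a helper, namely that only a 401 triggers the authentication hook, that the request is retried once after authentication, and that a second 401 is surfaced to the caller rather than retried in a loop. The function names, the fake transport and the token values are all constructed for illustration.

```javascript
// Added example (not Orion code): a request wrapper in the spirit of the
// auth.js error-callback pattern. `send(request)` returns {status, body};
// on 401 the supplied `authenticate(response)` hook runs once and the
// request is retried. Everything below is constructed for illustration.

const MAX_AUTH_RETRIES = 1; // a second 401 means the credentials were rejected: stop, do not loop

function requestWithAuth(send, authenticate, request) {
  let attempts = 0;
  for (;;) {
    const response = send(request);
    if (response.status !== 401) {
      // Any non-401 status (including other errors) is returned unchanged.
      return { ...response, authRetries: attempts };
    }
    if (attempts >= MAX_AUTH_RETRIES) {
      // Surface the failure, as the page's callback also returns the response to the caller.
      return { ...response, authRetries: attempts, authFailed: true };
    }
    attempts += 1;
    authenticate(response); // e.g. prompt for credentials, then attach a session credential
  }
}

// Constructed fake transport: replies 401 until a valid session token is attached.
function makeFakeServer(validToken) {
  return function send(request) {
    const token = request.headers && request.headers.Authorization;
    if (token === `Bearer ${validToken}`) {
      return { status: 200, body: `content of ${request.url}` };
    }
    return { status: 401, body: '/* server-supplied login script would be here */' };
  };
}

// Two runs against the fake server: one where the hook supplies a valid
// token, one where it supplies a bad token and the 401 is surfaced.
function demo() {
  const server = makeFakeServer('t0k3n');

  const good = { url: '/file/project/readme.txt', headers: {} };
  const okResult = requestWithAuth(server, () => { good.headers.Authorization = 'Bearer t0k3n'; }, good);

  const bad = { url: '/file/project/readme.txt', headers: {} };
  const badResult = requestWithAuth(server, () => { bad.headers.Authorization = 'Bearer wrong'; }, bad);

  return { okResult, badResult };
}

console.log(JSON.stringify(demo(), null, 2));
```

The retry cap is the part worth copying: a helper that re-runs authentication on every 401 without a bound will loop when the server keeps rejecting the credentials it is given.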

Authorization

Orion currently uses a simple authorization system based entirely on request URIs. User names are granted authorization for a given URI prefix, which allows GET/PUT/POST operations on any service or resource starting with that prefix. This model will be extended to support controlling which HTTP methods are permitted for a given prefix, to allow, for example, read access without write access to a URI space.
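The prefix model above, and the per-method extension the page says is planned (also listed under Future Work), as an added example that is not Orion server code. Grants without a methods list behave as the current model (GET, PUT and POST on the prefix); grants with a methods list behave as the extended model. The grant table, user names and paths are constructed. Two details are assumptions rather than statements from the page and are marked as such in the code: the path is normalized before matching, and prefixes match only on segment boundaries, since a naive string prefix would let a grant on /file/alice also cover /file/alice2.

```javascript
// Added example (not Orion code): URI-prefix authorization as the page
// describes it, plus the planned per-method extension. Grant table,
// users and paths are constructed for illustration.

// Current model on the page: a (user, prefix) grant covers these methods.
const CURRENT_MODEL_METHODS = ['GET', 'PUT', 'POST'];

function normalizePath(uri) {
  // Resolve "." and ".." segments and collapse duplicate slashes so that
  // "/file/bob/../alice/x" is judged as "/file/alice/x". (Assumption: the
  // page does not say whether Orion normalizes before matching.)
  const out = [];
  for (const seg of uri.split('/')) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') { out.pop(); continue; }
    out.push(seg);
  }
  return '/' + out.join('/');
}

function prefixMatches(prefix, path) {
  // Match on segment boundaries: "/file/alice" covers "/file/alice" and
  // "/file/alice/...", but not "/file/alice2". (Assumption, see lead-in.)
  const p = normalizePath(prefix);
  if (p === '/') return true;
  return path === p || path.startsWith(p + '/');
}

function isAuthorized(grants, user, method, uri) {
  const path = normalizePath(uri);
  const m = method.toUpperCase();
  return grants.some(g =>
    g.user === user &&
    (g.methods || CURRENT_MODEL_METHODS).includes(m) &&
    prefixMatches(g.prefix, path));
}

// Constructed grant table.
const GRANTS = [
  { user: 'alice', prefix: '/file/alice' },                    // current model: GET/PUT/POST
  { user: 'bob',   prefix: '/file/alice', methods: ['GET'] },  // extended model: read-only
];

// Sample decisions over the constructed table.
function demo() {
  const cases = [
    ['alice', 'PUT', '/file/alice/src/a.js'],
    ['alice', 'GET', '/file/alice2/x'],
    ['alice', 'GET', '/file/bob/../alice/x'],
    ['bob',   'GET', '/file/alice/x'],
    ['bob',   'PUT', '/file/alice/x'],
  ];
  return cases.map(([u, m, p]) => `${u} ${m} ${p} -> ${isAuthorized(GRANTS, u, m, p)}`);
}

console.log(demo().join('\n'));
```

Note that DELETE is denied for every grant in the current model because the page lists only GET, PUT and POST; an extended grant would have to name it explicitly.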

Encryption

The Orion example server currently supports encrypted communication via HTTPS, as well as unencrypted HTTP communication.

Persistence of User Data

Sensitive user information such as passwords is stored in an encrypted data store using Equinox Secure Preferences. This data is found in the server workspace (the location specified by the -data argument when starting the server). Within the workspace, the encrypted store is found at <workspaceLocation>/.metadata/.plugins/org.eclipse.orion.server.user.securestorage/user_store. This storage location is encrypted with a master password that is either provided by a native key store (Windows and Mac OS X) or supplied via the "orion.storage.password" system property.

Future Work

  • Delegated authorization using OAuth, so other web services can have limited access to a set of Orion services when approved by the user.
  • Extended authorization model that supports controlling which HTTP methods are permitted for a given prefix.
  • LDAP-based authentication