Authentication for Web Applications
Authentication is intended to ensure that users (or computers) accessing the system or application are who they purport to be. Authentication systems range in strength from simple user and password validation to transaction signing.
Authentication helps to secure web applications by:
- Associating a system identity with a user by means of a credential
- Providing authentication controls based on the application’s risk
- Limiting the ways in which an attacker can attack the authentication system itself.
Authentication is only as strong as your user management process. You should choose an authentication system appropriate to the value of your information or application. For example:
- Simple username and password validation is suitable for low value systems
- SMS challenge and response exchanges can be used in low value e-commerce systems
- Transaction signing is suitable for high value systems such as banking and trading systems.
Basic and Digest Authentication
Basic authentication sends the user name and password base64-encoded, which is equivalent to clear text, so it must only be used over HTTPS.
Note: If the application switches back to HTTP after authenticating over HTTPS, the browser keeps sending the user name and password in clear text with every subsequent request. Enforce HTTPS for every request to the protected part of the application, not only for the login.
An alternative to basic authentication is digest authentication. HTTP 1.0 digest authentication sends an MD5 hash derived from the password, the server nonce and the request, but has no client nonce or nonce count. The hash only obscures the password: a captured exchange can be replayed and attacked offline with a dictionary, so it should not be used.
HTTP 1.1 digest authentication (RFC 2617) adds a client nonce and a nonce count to the challenge-response exchange, so the password itself never crosses the wire and a replayed response can be detected. It is reasonably safe for low value applications, but it still relies on MD5 and a captured exchange can still be attacked offline with a dictionary, so HTTPS remains advisable. For more information, see Authentication for Uniface Web Applications and HTTPS Protocol.
Note: Tomcat, the web server provided with Uniface, supports basic and digest authentication. For additional information about this subject and alternative authentication realms, consult the Tomcat documentation. (tomcat.apache.org)
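The following Python script is an added example and is not part of the Uniface or Tomcat documentation. It shows what the two schemes above actually put on the wire: the Basic header is decoded back to the clear-text credentials, and the HTTP 1.1 digest exchange (RFC 2617, qop="auth") is computed on the client side, verified on the server side from a stored HA1 value with a check that the nonce was really issued, and then attacked offline with a small word list to illustrate why digest still wants HTTPS. The realm name, user name, password, URL and word list are made-up sample data; the only real-world values are the RFC 2617 test vector used in the check at the end.

```python
import base64
import hashlib
import secrets

REALM = "uniface-demo"           # assumed realm name (not from the page)
METHOD = "GET"
URI = "/wrd/secure/report"       # assumed protected URL (not from the page)


def md5_hex(text):
    """MD5 as lowercase hex, the hash HTTP 1.1 Digest (RFC 2617) is built on."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


# --- Basic authentication: base64 is encoding, not encryption -----------------
def basic_header(user, password):
    """Authorization header a browser sends for Basic authentication."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def basic_credentials_from_header(header):
    """What anyone who sees the header on plain HTTP recovers from it."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic header")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


# --- Digest authentication (RFC 2617, qop="auth") -----------------------------
def digest_ha1(user, password, realm=REALM):
    """HA1 = MD5(user:realm:password); the server stores this per user
    instead of the clear-text password."""
    return md5_hex(f"{user}:{realm}:{password}")


def digest_response(ha1, method, uri, nonce, nc, cnonce, qop="auth"):
    """response = MD5(HA1:nonce:nc:cnonce:qop:HA2) with HA2 = MD5(method:uri)."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def client_answer(user, password, nonce, realm=REALM, method=METHOD, uri=URI,
                  nc="00000001", cnonce=None):
    """Client side: the Authorization: Digest fields for a server challenge.
    The password is folded into HA1 locally and never transmitted."""
    cnonce = cnonce or secrets.token_hex(8)
    response = digest_response(digest_ha1(user, password, realm), method, uri,
                               nonce, nc, cnonce)
    return {"username": user, "realm": realm, "nonce": nonce, "uri": uri,
            "qop": "auth", "nc": nc, "cnonce": cnonce, "response": response}


def server_verify(answer, ha1_store, issued_nonces, method=METHOD):
    """Server side: recompute the response from the stored HA1 and compare.
    Refusing nonces the server never issued is what blocks replay of a
    captured exchange; a real server also tracks nc per nonce and expires
    old nonces."""
    ha1 = ha1_store.get(answer["username"])
    if ha1 is None or answer["nonce"] not in issued_nonces:
        return False
    expected = digest_response(ha1, method, answer["uri"], answer["nonce"],
                               answer["nc"], answer["cnonce"], answer["qop"])
    return secrets.compare_digest(expected, answer["response"])


def offline_dictionary_attack(answer, wordlist, method=METHOD):
    """Why Digest still wants HTTPS: everything in the captured exchange except
    the password is known, so each guess costs three MD5 calls."""
    for candidate in wordlist:
        ha1 = digest_ha1(answer["username"], candidate, answer["realm"])
        if digest_response(ha1, method, answer["uri"], answer["nonce"],
                           answer["nc"], answer["cnonce"], answer["qop"]) == answer["response"]:
            return candidate
    return None


if __name__ == "__main__":
    # Constructed sample exchange; the nonce would normally arrive in the
    # server's WWW-Authenticate challenge.
    nonce = secrets.token_hex(16)
    store = {"alice": digest_ha1("alice", "s3cret")}
    header = basic_header("alice", "s3cret")
    print(header, "->", basic_credentials_from_header(header))
    answer = client_answer("alice", "s3cret", nonce)
    print("digest accepted:", server_verify(answer, store, {nonce}))
    print("replay with unissued nonce:", server_verify(answer, store, set()))
    print("dictionary attack:", offline_dictionary_attack(answer, ["password", "s3cret"]))
```

Because the server only needs HA1, a Tomcat DIGEST realm can store hashed credentials; note that the same HA1 also lets anyone who obtains it authenticate as that user, so the credential store needs the same protection as a password file.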
Threats
Threats posed to authentication systems include: