Simple remote authentication

2 Message(s) by 2 Author(s) originally posted in java security

From: hacka

Date: Sunday, February 11, 2007

Hello,
I need to implement a simple login / password

<security> An arbitrary string of characters chosen by a user
	or {system administrator} and used to authenticate the user
	when he attempts to log on, in order to prevent unauthorised
	access to his account.

	A favourite activity among unimaginative {computer nerds} and
	{crackers} is writing programs which attempt to discover
	passwords by using lists of commonly chosen passwords such as
	people's names (spelled forward or backward).  It is
	recommended that to defeat such methods passwords use a
	mixture of upper and lower case letters or digits and avoid
	proper names and real words.  If you have trouble remembering
	random strings of characters, make up an acronym like
	"ihGr8trmP" ("I have great trouble remembering my password").

	(1994-10-27)

authentication

<security> The verification of the identity of a person or
	process.  In a communication system, authentication verifies
	that messages really come from their stated source, like the
	signature on a (paper) letter.

	(2001-03-16)

for my
client

<programming> A computer system or process that requests a
	service of another computer system or process (a "{server}")
	using some kind of {protocol} and accepts the server's
	responses.  A client is part of a {client-server} software
	architecture.

	For example, a {workstation} requesting the contents of a file
	from a {file server} is a client of the file server.

	(1997-10-27)

-server

1. A program which provides some service to other ({client})
	programs.  The connection between client and server is
	normally by means of {message passing}, often over a
	{network}, and uses some {protocol} to encode the client's
	requests and the server's responses.  The server may run
	continuously (as a {daemon}), waiting for requests to arrive
	or it may be invoked by some higher level daemon which
	controls a number of specific servers ({inetd} on {Unix}).

	There are many servers associated with the {Internet}, such as
	those for {HTTP}, {Network File System}, {Network Information
	Service} (NIS), {Domain Name System} (DNS), {FTP}, {news},
	{finger}, {Network Time Protocol}.  On Unix, a long list can
	be found in /etc/services or in the {NIS} database "services".
	See {client-server}.

	2. A computer which provides some service for other computers
	connected to it via a network.  The most common example is a
	{file server} which has a local disk and services requests
	from remote clients to read and write files on that disk,
	often using {Sun}'s {Network File System} (NFS) {protocol} or
	{Novell Netware} on {PCs}.  Another common example is a {web
	server}.

	[{Jargon File}]

	(2003-12-29)

application

1. {application program}.

	2. {function application}.

, preferably some kind of challenge-response
protocol. I'd like to use an existing solution

<jargon> A {marketroid} term for something he wants to sell
	you without bothering you with the often dizzying distinctions
	between {hardware}, {software}, {services}, {applications},
	{file formats}, companies, brand names and {operating
	systems}.

	"{Flash} is a perfect image-streaming solution."  "What is
	it?"  "Um...  about a thousand dollars."

	See also: {technology}.

	(1998-07-07)

(SASL

1. <language> {Single ASsignment Language}.

	2. {Simple Authentication and Security Layer}.

	(2001-08-24)

+ CRAM-MD5?),
but I am a bit

<unit> (b) {binary} digit.

	The unit of information; the amount of information obtained by
	asking a yes-or-no question; a computational quantity that can
	take on one of two values, such as false and true or 0 and 1;
	the smallest unit of storage - sufficient to hold one bit.

	A bit is said to be "set" if its value is true or 1, and
	"reset" or "clear" if its value is false or 0.  One speaks of
	setting and clearing bits.  To {toggle} or "invert" a bit is
	to change it, either from 0 to 1 or from 1 to 0.

	The term "bit" first appeared in print in the computer-science
	sense in 1949, and seems to have been coined by the eminent
	statistician, {John Tukey}.  Tukey records that it evolved
	over a lunch table as a handier alternative to "bigit" or
	"binit".

	See also {flag}, {trit}, {mode bit}, {byte}, {word}.

	[{Jargon File}]

	(2002-01-22)

overwhelmed by all the API's (SASL, JAAS etc.) and
really I need something simple. What'd you recommend?

Regards,
Mike.

From: Ralf Ullrich

Date: Sunday, February 11, 2007

wrote in message:

Hello,
I need to implement a simple login / password authentication for my
client-server application, preferably some kind of challenge-response
protocol. I'd like to use an existing solution (SASL + CRAM-MD5?),
but I am a bit overwhelmed by all the API's (SASL, JAAS etc.) and
really I need something simple. What'd you recommend?
Regards,
Mike.

Using SASL is actually quite simple and straightforward. You've to
create a SaslClient (sc) on your client side, and a SaslServer (ss) on
your server side. Then on both sides you've to write

1. <chat> {Unix}'s simple {talk} command and {protocol}.
	write has been largely superseded by {talk} and then {irc}.

	An enhancement, {RWP}, has been proposed.

	2. <tool> A simple {text editor} for {Windows}.

	(1998-04-28)

a loop

<programming> A sequence of {instructions} that the
	{processor} repeats, either until some condition is met, or
	indefinitely.

	In an {structured language} (e.g. {C}, {Pascal}, {BASIC}, or
	{Fortran}), a loop is usually achieved with {for loop}, {while
	loop} or {repeat loop} constructs.

	In other languages these constructs may be synthesised with a
	{jump} ({assembly language}) or a {GOTO} (early Fortran or
	BASIC).

	(1999-05-06)

that is
controlled by the sc/ss object. During this loop the callback

1. <programming> A scheme used in {event-driven} programs
	where the program registers a {subroutine} (a "callback
	handler") to handle a certain {event}.  The program does not
	call the handler directly but when the event occurs, the
	{run-time system} calls the handler, usually passing it
	arguments to describe the event.

	2. <communications, security> A {user authentication} scheme
	used by some computers running {dial-up} services.  The user
	dials in to the computer and gives his {user name} and
	{password}.  The computer then hangs up the connection and
	uses an {auto-dial} {modem} to call back to the user's
	registered telephone number.  Thus, if an unauthorised person
	discovers a user's password, the callback will go, not to him,
	but to the owner of that login who will then know that his
	account is under attack.

	However, some {PABXs} can be fooled into thinking that the
	caller has hung up by sending them a dial tone.  When the
	computer tries to call out on the same line it is not actually
	dialing through to the authorised user but is still connected
	to the original caller.

	3. <communications> {cost control callback}.

	(2003-07-13)

handler,
that you provided when creating the Sasl* objects will receive callbacks.
After the loop finishes, you'll know wether the authentication was
successful or not.

All you need to know to successfully use SASL is described here:

JAVA SASL Programming Guide -
http://JAVA.sun.com/JAVAse/6/docs/technotes/guides/security/sasl/sasl-refguide.html

Ah, and one thing I should mention: you've to define the messages in
your application protocol, that will encapsulate the SASL-messages to be
exchanged. This is only indicated in the above guide through "send(...)"
and "msg.receive()" calls. If you need an idea how to do this, look into
the RFCs regarding the use of SASL in SMTP

<messaging> (SMTP) A {protocol} defined in {STD} 10, {RFC}
	821, used to transfer {electronic mail} between computers,
	usually over {Ethernet}.  It is a server to server protocol,
	so other protocols are used to access the messages.  The SMTP
	dialog usually happens in the background under the control of
	the {message transfer agent}, e.g. {sendmail} but it is
	possible to interact with an SMTP server using {telnet} to
	connect to the normal SMTP {port}, 25.  E.g.

		telnet mhs-relay.ac.uk 25

	You should normally start by identifying the local {host}:

		HELO wombat.doc.ic.ac.uk

	You can then issue commands to verify an address or expand an
	alias:

		VRFY fred@doc.ic.ac.uk
		VRFY postmaster

	or expand a {mailing list}:

		EXPN c-help

	You can even send a message:

		MAIL From:<fred@doc.ic.ac.uk>
		RCPT To:<fred@mailway.doc.ic.ac.uk>
		DATA
		What is the point?
		.
		QUIT

	This is useful if you want to find out exactly what is
	happening to your message at a certain point.

	See also {Post Office Protocol}, {RFC 822}, {sendmail}.

	(1995-10-17)

or NNTP

<messaging> {Network News Transfer Protocol}.

	(1996-02-26)

(Sorry too lazy to look
'em up for you). However it's quite easy, just define messages, that can
transport some binary

1. <mathematics> {Base} two.  A number representation
	consisting of zeros and ones used by practically all computers
	because of its ease of implementation using digital
	electronics and {Boolean algebra}.

	2. <file format> {binary file}.

	3. <programming> A description of an {operator} which takes
	two {arguments}.  See also {unary}, {ternary}.

	(2005-02-21)

data

<data, data processing, jargon> /day't*/ (Or "raw data")
	Numbers, {characters}, {images}, or other method of recording,
	in a form which can be assessed by a human or (especially)
	input into a {computer}, stored and {processed} there, or
	transmitted on some {digital channel}.  Computers nearly
	always represent data in {binary}.

	Data on its own has no meaning, only when interpreted by some
	kind of {data processing system} does it take on meaning and
	become {information}.

	People or computers can find patterns in data to perceive
	information, and information can be used to enhance
	{knowledge}.  Since knowledge is prerequisite to wisdom, we
	always want more data and information.  But, as modern
	societies verge on {information overload}, we especially need
	better ways to find patterns.

	1234567.89 is data.

	"Your bank balance has jumped 8087% to $1234567.89" is
	information.

	"Nobody owes me that much money" is knowledge.

	"I'd better talk to the bank before I spend it, because of
	what has happened to other people" is wisdom.

	(1999-04-30)

(the SASL data), and have an associated status
of Continue, Success or Error. (Just look at the "send(...)" calls in the
guide, and you will know what types of messages you need.

cu

Next Message: Need help of providers for RC2 encrypt/decrypt

Blogs related to Simple remote authentication

java faqs
EEJB was originally designed around remote invocation using the Java Remote Method Invocation (RMI) mechanism, and later extended to support to standard CORBA transport for these calls using RMI/IIOP. This design allowed for maximum ...

Web-Centric Production Acceptance
Designing and implementing methods for remote user authentication and data encryption. Network Engineering Typical responsibilities of Network Engineering include:. Determining internal networking requirements, both for WAN's and LAN?s ...

Wicket Impressions, moving from Spring MVC / WebFlow
The old application was using the Acegi security framework. I started out retaining Acegi for authentication and co-existing with Wicket, which was easy. I soon realized that Wicket has a very simple authorization strategy and I was ...

Server 6.5 SP6 Abend
NLM Simple Authentication and Security Layer 3.1.2.0 20061014 Version 31200610.14 14 October 2006 Code Address: 951F3000h Length: 0000140Ch Data Address: 9557F000h Length: 00000090h LSL.MPM lsl Memory Protection Module ...

Flex Data Services and Tomcat Authentication - Part 2: Simple ...
In the dialog, look for the Configuration titled “Remote Java Application. Select it and click on the ‘New’ button. Select the Project to “flex-auth-webapp”, select the Connection Type to “Standard (Socket Attach)”. ...

How to implement your own Security provider with the Acegi framework.
Using eclipse we can configure a remote debug application:. The implementation of the Authentication interface used by Acegi is an instance of UsernamePasswordAuthenticationToken as we can see when debugging the application. ...