Nov 4, 2013

Hierarchical Authentication System

Design Specification


Authors:

Bryson Hepler
Tom Ireland
Venkat Kannan
Samir Karande
Aparna Lagu

October 14, 2002

Release 1.0


Revision History

Date       | Rev         | Description of Change                                                   | Originator
10-09-2002 | Draft A.1   | Initial version of draft                                                | Samir Karande
10-12-2002 | Draft A.2   | Updated Sections                                                        | Venkat Kannan
10-12-2002 | Draft A.3   | Updated spelling, added date, added names                               | Tom Ireland
10-12-2002 | Draft A.5   | Minor edit updates                                                      | Bryson Hepler
10-14-2002 | Release 1.0 | Updated with review comments, updated with links to related documents   | Samir Karande


Table of Contents

Introduction
    Introduction
    Product Overview
    Purpose and Scope of Document
    Definitions
    Related Documents
Product Requirements and Architectural Implications
    Functional Requirements
    Hardware Requirements and Performance Budgets
    Extensibility and Future Considerations
System Architecture
    Software Architecture
    Hardware Architecture
    Availability and Reliability
Design Description
    Design Overview
    Design Rationale
    Diagram of Interconnection of Principal Objects
Functional Capabilities
    Normal Pathways
    Error Detection and Recovery
    Peak Load Handling
    Performance, Capacity and Control Considerations
Interfaces
    Supporting Subsystems
    External Interfaces
Release Support
    Upgrade and Rollback
    Installation
    Startup
    Shutdown

Table of Figures

Figure 1: Architecture for Web-based applications: Hierarchical Authentication System
Figure 2: Software Architecture
Figure 3: Protection Proxy: Conceptual protection offering
Figure 4: Protection Proxy: More insight into implementation details


Introduction

This document describes the high-level design of the Hierarchical Authentication System.

Product Overview

The Hierarchical Authentication System shall implement an authentication system in which users are granted access to the available information according to the access rights granted to them. The authentication system shall implement data encapsulation/security by protecting the data from unauthorized access, and shall also provide privileged access to the users holding the right set of access permissions.

Purpose and Scope of Document

This document describes the architecture and high-level design of the Hierarchical Authentication System. The document may be useful to architects, developers and project management.

Definitions

Acronym      | Definition
Client       | Browser Application
Web/Internet | World Wide Web
Web Server   | A program that responds to Web Requests
User         | A person wishing to use a program
System       | Hierarchical Authentication System

Related Documents

The following documents are referenced in and are applicable to this Design Specification:

Title                     | Link
Project Plan              | http://groups.yahoo.com/group/608A/files/ProjectPlanV6.rtf
Use Cases                 | http://groups.yahoo.com/group/608A/files/usecases_Release-1.0.doc
Functional specifications | http://groups.yahoo.com/group/608A/files/functspec_Release 1.0.doc

Product Requirements and Architectural Implications

The Hierarchical Authentication System shall develop a framework that may be useful in implementing the data security and privileged access mechanism for virtually any suite of applications, web pages, databases, etc.

Functional Requirements

The system must have:

1. Capability of defining hierarchies for privileged access
2. Capability of assigning the access privileges to individual users or groups
3. Capability of validating access privileges against the required access permissions before giving the user access to the requested data
4. Capability of changing the access privileges for individual users or groups
5. Capability of preventing any unauthorized access to the data, applications, web pages, etc.

Hardware Requirements and Performance Budgets

- Windows NT Server 4.0 or later
- Java-enabled Web Server
- Internet connectivity
- Firewall
- CPU: uni-processor Intel Pentium processor 500 MHz or better
- Memory: 64 Megabytes or more
- Hard Drive: 8 Gigabytes or more (depending on the application)

Performance Budget: Not Applicable

Extensibility and Future Considerations

The Hierarchical Authentication System shall develop a framework that may be useful in implementing the data security and privileged access mechanism for virtually any suite of applications, web pages, databases, etc. The system or the framework could be used in multiple ways as required by the target domain application. For example, the Human Resource Department of a company can use it for securing its database as well as the applications that work on that data. Another example could be protecting the corporate intranet by providing access to the web pages only to the privileged users.

The framework shall be extensible for adding more complex privilege hierarchies and a suitable authentication process.

System Architecture

Figure 1: Architecture for Web-based applications: Hierarchical Authentication System

(Diagram: Internet users reach the Web Server through a firewall. The Web Server hosts the Authentication System servlets, an XML Parser, the System Properties and the Authentication System objects on the Windows OS, and reaches the DATABASE through JDBC calls. The database side holds stored procedures, client tables and DB connection pools.)


Software Architecture

Figure 2: Software Architecture

(Diagram: a user request for data access enters the Façade layer, which passes it to the Protection Proxy, which provides the authentication, and on to the Data repository. Once authenticated, the Façade layer can access data directly.)

As depicted in Figure 2 above, user requests for data access are submitted to the Façade subsystem. In the absence of the Hierarchical Authentication System, a user request would go directly to the Data repository subsystem. Once Hierarchical Authentication is in place, all user requests for data go through the Protection Proxy subsystem. The Protection Proxy subsystem is responsible for authenticating the user requests: it determines the access privileges of the user and whether those privileges are sufficient to access the requested data. If they are, the user request is forwarded to the Data repository subsystem. Otherwise, the Protection Proxy replies to the user request with the appropriate error message.

Once the user is authenticated, all subsequent requests for data that belongs to the same access privilege level can go directly to the Data repository subsystem. This is an optimization feature for better performance.

For more information on the Protection Proxy, please see the Proxy section, pages 207-210 of the Design Patterns book by Erich Gamma.

Hardware Architecture

The Hierarchical Authentication System shall be deployable in a distributed setup as well as in a stand-alone setup. The software components/subsystems should support this requirement.

The distributed setup shall be required in web-based systems, and the architecture should support the stand-alone setup that might be required in some application domains.


Availability and Reliability

In this phase, the Hierarchical Authentication System would not support
High Availability and High Reliability. In future, the system may support High
Availability and High Reliability.


Design Description

The Hierarchical Authentication System shall provide a framework for any software system that would like to incorporate the authentication process defined by this framework. The software system can turn the authentication on and off just by changing the configuration parameters, without any code changes.

The Hierarchical Authentication System shall provide a mechanism for defining the levels or hierarchies of access privileges and shall support assigning various access rights to individual users or groups.

Design Overview

The Hierarchical Authentication System shall implement the authentication mechanism by using the “Protection Proxy” design pattern. The documentation for this pattern describes it as “A protection proxy controls access to the original object. Protection proxies are useful when objects should have different access rights” (page 208, Design Patterns book by Erich Gamma). See Figures 3 and 4 for a graphical representation of the protection proxy controls.

Every request for data access from the user would be routed through the Protection Proxy subsystem. The Protection Proxy subsystem shall attempt to authenticate the user request against the access privileges required for the requested data and the privileges granted to the requesting user. If the Protection Proxy validates the user request, the request shall then be forwarded to the data repository subsystem and the user would be provided with the requested data. In case the Protection Proxy fails to authenticate the user request for the requested data (the user has fewer access privileges than are required for the requested data), the Protection Proxy shall not allow the user to access the restricted data, and the user shall be informed of this with an appropriate error message.

As an optimization feature, once a user is authenticated for certain access privileges, subsequent data requests may not be routed through the Protection Proxy, for performance improvement.

Note: This is a nice-to-have feature and not a must-have requirement.

Design Rationale

The design rationale of the Hierarchical Authentication System is to provide an extensible and flexible framework so that end users get access to the data only upon authentication. The framework should be flexible enough to be useful for most application domains, if not all. The framework should be extensible enough to define the various types of access privilege hierarchies required by the application domain.


Diagram of Interconnection of Principal Objects

Figure 3: Protection Proxy: Conceptual protection offering

(Diagram: aClient holds a reference -subject to aProxy; aProxy holds a reference -protectedSubject to aProtectedSubject.)

Figure 4: Protection Proxy: More insight into implementation details

(Diagram: Subject, with operation +Request(), is specialised by SubjectProxy (+Request()) and ProtectedSubject (+Request()). SubjectProxy holds a reference to the protected subject and has access to the Hierarchical Authentication levels and user access privileges. The proxy's operation is shown as:

    SubjectProxy::Request()
    {
        pProtectedSubject->Request()
    }
)
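The following is an added example, not code from the project, showing how the Software Architecture description, the five functional requirements, the configuration toggle from the Design Description and the SubjectProxy of Figure 4 fit together in Java: a linear privilege hierarchy, grants to users directly or through groups, a proxy that validates the caller's effective level against the level required for the resource before delegating, and a Façade that reads a property to decide whether the proxy is in the path at all. The class names other than those in Figure 4, the `authentication.enabled` property and the sample users and resources are assumptions.

```java
import java.util.*;

// Added example (not the project's own code): the Protection Proxy of Figure 4 combined
// with the privilege hierarchy, user/group grants and configuration toggle the design
// describes. Class, property and sample names are assumptions.

// A linear privilege hierarchy: each level implies every level below it (requirement 1).
enum AccessLevel { PUBLIC, EMPLOYEE, MANAGER, ADMIN }

// Common interface of the real object and its proxy (Subject in Figure 4).
interface Subject {
    String request(String userId, String resource);
}

// The protected subject: the data repository, which knows nothing about access control.
class ProtectedSubject implements Subject {
    private final Map<String, String> data = new HashMap<>();
    ProtectedSubject() {                       // constructed sample data
        data.put("holiday-calendar", "company holidays");
        data.put("payroll", "payroll figures");
    }
    public String request(String userId, String resource) {
        return data.getOrDefault(resource, "no such resource");
    }
}

// Privilege store: required level per resource, plus levels granted to users directly
// or through groups (requirements 2 and 4 are plain updates to these maps).
class PrivilegeStore {
    private final Map<String, AccessLevel> required = new HashMap<>();
    private final Map<String, AccessLevel> userLevel = new HashMap<>();
    private final Map<String, AccessLevel> groupLevel = new HashMap<>();
    private final Map<String, Set<String>> userGroups = new HashMap<>();

    void require(String resource, AccessLevel level) { required.put(resource, level); }
    void grantUser(String user, AccessLevel level) { userLevel.put(user, level); }
    void grantGroup(String group, AccessLevel level) { groupLevel.put(group, level); }
    void addToGroup(String user, String group) {
        userGroups.computeIfAbsent(user, k -> new HashSet<>()).add(group);
    }
    // A resource nobody registered is treated as the most restricted (fail closed).
    AccessLevel requiredFor(String resource) { return required.getOrDefault(resource, AccessLevel.ADMIN); }
    // Effective level = highest of the direct grant and all group grants.
    AccessLevel effectiveLevel(String user) {
        AccessLevel best = userLevel.getOrDefault(user, AccessLevel.PUBLIC);
        for (String g : userGroups.getOrDefault(user, Collections.emptySet())) {
            AccessLevel l = groupLevel.getOrDefault(g, AccessLevel.PUBLIC);
            if (l.compareTo(best) > 0) best = l;
        }
        return best;
    }
}

// SubjectProxy::Request(): validate first, delegate only on success (requirements 3 and 5).
class SubjectProxy implements Subject {
    private final Subject protectedSubject;
    private final PrivilegeStore store;
    SubjectProxy(Subject protectedSubject, PrivilegeStore store) {
        this.protectedSubject = protectedSubject;
        this.store = store;
    }
    public String request(String userId, String resource) {
        AccessLevel have = store.effectiveLevel(userId);
        AccessLevel need = store.requiredFor(resource);
        if (have.compareTo(need) < 0) {
            return "ERROR: access denied, " + need + " privilege required";
        }
        return protectedSubject.request(userId, resource);
    }
}

// The Façade layer picks the proxy or the bare repository from a configuration property,
// so authentication is switched on or off without code changes.
class Facade {
    private final Subject target;
    Facade(Properties config, Subject repository, PrivilegeStore store) {
        boolean enabled = Boolean.parseBoolean(config.getProperty("authentication.enabled", "true"));
        target = enabled ? new SubjectProxy(repository, store) : repository;
    }
    String fetch(String userId, String resource) { return target.request(userId, resource); }
}

public class ProtectionProxyDemo {
    public static void main(String[] args) {
        PrivilegeStore store = new PrivilegeStore();
        store.require("holiday-calendar", AccessLevel.EMPLOYEE);
        store.require("payroll", AccessLevel.MANAGER);
        store.grantGroup("hr-managers", AccessLevel.MANAGER);
        store.grantUser("alice", AccessLevel.EMPLOYEE);
        store.addToGroup("alice", "hr-managers");   // alice is MANAGER through her group
        store.grantUser("bob", AccessLevel.EMPLOYEE);
        Properties config = new Properties();
        config.setProperty("authentication.enabled", "true");
        Facade facade = new Facade(config, new ProtectedSubject(), store);
        System.out.println(facade.fetch("alice", "payroll"));            // payroll figures
        System.out.println(facade.fetch("bob", "payroll"));              // ERROR: access denied
        System.out.println(facade.fetch("bob", "holiday-calendar"));     // company holidays
        System.out.println(facade.fetch("mallory", "unlisted-report"));  // ERROR (fail closed)
    }
}
```

Two design points worth keeping in mind if this shape is adopted: an unregistered resource defaults to the highest level rather than to open access, so forgetting to register a new screen cannot expose it; and the "nice to have" optimization of letting the Façade bypass the proxy after a successful check only stays safe if the remembered decision is discarded whenever a user's or group's privileges change (requirement 4), otherwise a revoked user keeps access until the next full validation.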


Functional Capabilities

Normal Pathways

All application users shall be directed to the home page of the Hierarchical Authentication System and enter their logon-id and password. Depending upon their access privileges and their level in the hierarchy, the system displays a list of screens that they can work with.
Error Detection and Recovery

The Hierarchical Authentication System shall implement an error detection and recovery mechanism and would notify users with appropriate error messages in all non-fatal error cases.

Peak Load Handling

Peak load handling is the maximum load the system can handle while meeting all the criteria set in the Performance section. In this phase, the Hierarchical Authentication System would not support High Availability and High Reliability.


Performance, Capacity and Control Considerations

In the future phase the Hierarchical Authentication System shall, as a minimum, support 40 simultaneous on-line user accesses. The logon response time shall not exceed 5 seconds. The system shall maintain separate levels of security for application users and the system administrator. All logons shall have audit trails. The system must automatically log out a user if he is idle for more than 30 minutes.
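The following is an added example, not code from the project, of the three control requirements in the paragraph above in Java: every logon attempt (successful or not) is written to an audit trail, a session idle for more than 30 minutes is logged out automatically on its next use, and administrator screens sit behind a separate ADMIN level. The current time is passed in explicitly so the timeout can be exercised deterministically; the method names, the `CredentialVerifier` stand-in and the sample users and passwords are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.*;

// Added example (not the project's own code): session control for the design's 30-minute
// idle logout, its audit trail for all logons and its separate user/administrator levels.
// Method names, the injected time values and the constructed credential check are assumptions.
public class SessionControl {
    static final Duration IDLE_LIMIT = Duration.ofMinutes(30);
    enum Role { USER, ADMIN }

    // Stand-in for the real credential check against the authentication store.
    interface CredentialVerifier { boolean verify(String user, String password); }

    static final class Session {
        final String user; final Role role; Instant lastActivity;
        Session(String user, Role role, Instant now) {
            this.user = user; this.role = role; this.lastActivity = now;
        }
    }

    private final Map<String, Session> sessions = new HashMap<>();
    private final List<String> auditTrail = new ArrayList<>();
    private final CredentialVerifier verifier;
    private final Map<String, Role> roles;
    private final SecureRandom random = new SecureRandom();

    SessionControl(CredentialVerifier verifier, Map<String, Role> roles) {
        this.verifier = verifier;
        this.roles = roles;
    }

    // Every logon attempt, successful or not, lands in the audit trail.
    // Returns the session token on success.
    Optional<String> logon(String user, String password, Instant now) {
        if (!verifier.verify(user, password)) {
            auditTrail.add(now + " LOGON FAILURE user=" + user);
            return Optional.empty();
        }
        byte[] raw = new byte[16];
        random.nextBytes(raw);                    // unguessable session token
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        sessions.put(token, new Session(user, roles.getOrDefault(user, Role.USER), now));
        auditTrail.add(now + " LOGON SUCCESS user=" + user);
        return Optional.of(token);
    }

    // Returns the live session for a token. A session idle for more than IDLE_LIMIT is
    // removed, the automatic logout is audited, and the caller sees no session at all.
    Optional<Session> validate(String token, Instant now) {
        Session s = sessions.get(token);
        if (s == null) return Optional.empty();
        if (Duration.between(s.lastActivity, now).compareTo(IDLE_LIMIT) > 0) {
            sessions.remove(token);
            auditTrail.add(now + " AUTO LOGOUT user=" + s.user + " (idle)");
            return Optional.empty();
        }
        s.lastActivity = now;
        return Optional.of(s);
    }

    // Administrator screens require the separate ADMIN level, checked on the live session.
    boolean mayUseAdminTool(String token, Instant now) {
        return validate(token, now).map(s -> s.role == Role.ADMIN).orElse(false);
    }

    List<String> auditTrail() { return Collections.unmodifiableList(auditTrail); }

    public static void main(String[] args) {
        // Constructed sample credentials. A deployment verifies against salted password
        // hashes instead; the comparison is constant-time either way.
        Map<String, String> samplePasswords = new HashMap<>();
        samplePasswords.put("alice", "correct-horse");
        samplePasswords.put("admin", "admin-secret");
        CredentialVerifier verifier = (u, p) -> {
            String stored = samplePasswords.get(u);
            return stored != null && MessageDigest.isEqual(
                    stored.getBytes(StandardCharsets.UTF_8), p.getBytes(StandardCharsets.UTF_8));
        };
        Map<String, Role> roles = new HashMap<>();
        roles.put("admin", Role.ADMIN);
        SessionControl control = new SessionControl(verifier, roles);

        Instant t0 = Instant.parse("2002-10-14T09:00:00Z");
        control.logon("alice", "wrong", t0);                               // audited failure
        String alice = control.logon("alice", "correct-horse", t0).get();
        String admin = control.logon("admin", "admin-secret", t0).get();
        System.out.println(control.mayUseAdminTool(alice, t0.plusSeconds(60)));  // false
        System.out.println(control.mayUseAdminTool(admin, t0.plusSeconds(60)));  // true
        // 31 minutes after alice's last activity: her session is logged out automatically
        System.out.println(control.validate(alice, t0.plus(Duration.ofMinutes(32))).isPresent()); // false
        control.auditTrail().forEach(System.out::println);
    }
}
```

The idle check happens lazily, on the next request carrying the token, which is enough to enforce the 30-minute rule; a background sweep would only be needed to reclaim memory held by abandoned sessions. Failed logons are audited with the same detail as successful ones so that repeated failures against one account are visible in the trail.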


Interfaces

Supporting Subsystems

Figure 5 is a high-level system interface diagram of the Hierarchical Authentication System including the admin tool.

Figure 5. Hierarchical Authentication System Interface Diagram.

(Diagram labels: SRVR Engine with XML Parser; XML/HTTP; Admin Tool; Authentication / Logon; Custom DB; Business App Screens.)

External Interfaces

- Java-enabled Web Server software
- Firewall software, for protecting against unauthorized access to the Web Server


Release Support

Upgrade and Rollback

'Dry-runs' of the upgrade and rollback processes shall be done to provide reassurance and timings as necessary. For any future upgrade we plan to provide a complete upgrade and engagement completion report detailing any revised architecture and newer features used.

Installation

The Hierarchical Authentication System is intended for use on Windows NT Server 4.0 or later with a Java-enabled Web Server and Internet connectivity. A uni-processor Intel Pentium processor 500 MHz or better with at least 64 Megabytes is required to run graphically based applications. A Hard Drive with 8 Gigabytes is recommended.

In future releases, the Hierarchical Authentication System shall prompt users to provide a username and password, which becomes the initial administrative username / password.


Startup

A Hierarchical Authentication Server runs as a process within a Java
Virtual Machine (JVM). Each JVM can host only one server process. To start a
server, the user shall initiate a JVM with a set of arguments.


Shutdown

All application users shall log out by closing the screen they are in. In a future release, there shall be a configuration utility through which the administrator shall have the ability to set timeout periods for lifecycle operations.