[MB4] Authentication Support

[MB4] Authentication Support

Waruna Jayaweera
Hi,
The AMQP specification defined the authentication mechanism and security content data is based on the Simple Authentication and Security Layer (SASL) framework. The following figure shows the proposed implementation for $subject.

Inline image 1

Once a client requests a connection, the server will send the supported SASL mechanisms (e.g. Plain Text) to the client. After that, the client will send the selected mechanism + auth response data. The server will create a SASL server based on the client mechanism, and then the server will evaluate the client authentication data and the callback handler will be executed for authentication. It will be done using the following two extension points.
  1. Authenticator - Interface to authenticate mechanism based on security framework. We will use Java Authentication and Authorization Service (JAAS) as the default authentication implementation.
  2. JAAS Modules - Users can define their own JAAS Login module as well.
If authentication is successful, the connection will be established, or else an authentication error will be sent.

Thanks,
Waruna

--
Regards,

Waruna Lakshitha Jayaweera
Senior Software Engineer
WSO2 Inc; http://wso2.com
phone: +94713255198


_______________________________________________
Architecture mailing list
[hidden email]
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
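
The server-side evaluation step described in the message above, sketched for the SASL PLAIN mechanism (RFC 4616) with the standard `javax.security` callback types. This is an added example, not part of the original thread or of WSO2's code: `Authenticator`, `handlerFor` and `evaluatePlain` are hypothetical names, and the in-memory credential is a constructed sample standing in for a JAAS login module.

```java
import javax.security.auth.callback.*;
import javax.security.sasl.*;
import static java.nio.charset.StandardCharsets.UTF_8;

public class PlainSaslSketch {
    /** Hypothetical extension point, named after the "Authenticator" in the proposal. */
    interface Authenticator { boolean authenticate(String user, char[] password); }
    /** Callback handler that passes the parsed credentials to the Authenticator. */
    static CallbackHandler handlerFor(Authenticator authenticator) {
        return callbacks -> {
            String user = null; char[] password = null; AuthorizeCallback authz = null;
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) user = ((NameCallback) cb).getName();
                else if (cb instanceof PasswordCallback) password = ((PasswordCallback) cb).getPassword();
                else if (cb instanceof AuthorizeCallback) authz = (AuthorizeCallback) cb;
                else throw new UnsupportedCallbackException(cb);
            }
            if (authz != null) authz.setAuthorized(
                    user != null && password != null && authenticator.authenticate(user, password));
        };
    }

    /** What a PLAIN SaslServer does in evaluateResponse: [authzid] NUL authcid NUL passwd (RFC 4616). */
    static String evaluatePlain(byte[] r, CallbackHandler handler) throws SaslException {
        int a = nul(r, 0), b = a < 0 ? -1 : nul(r, a + 1);
        if (b <= a + 1 || nul(r, b + 1) >= 0) throw new SaslException("malformed PLAIN response");
        String authzid = new String(r, 0, a, UTF_8);
        String authcid = new String(r, a + 1, b - a - 1, UTF_8);
        // No proxy-authorization policy in this sketch: refuse to act as a different identity.
        if (!authzid.isEmpty() && !authzid.equals(authcid)) throw new SaslException("authzid not permitted");
        NameCallback name = new NameCallback("user");
        name.setName(authcid);
        PasswordCallback pw = new PasswordCallback("password", false);
        pw.setPassword(new String(r, b + 1, r.length - b - 1, UTF_8).toCharArray());
        AuthorizeCallback authz = new AuthorizeCallback(authcid, authcid);
        try {
            handler.handle(new Callback[] {name, pw, authz});
        } catch (java.io.IOException | UnsupportedCallbackException e) {
            throw new SaslException("callback handler failed", e);
        } finally {
            pw.clearPassword();
        }
        if (!authz.isAuthorized()) throw new SaslException("authentication failed");
        return authz.getAuthorizedID(); // identity bound to the AMQP connection after start-ok
    }
    private static int nul(byte[] d, int from) { // index of the next NUL byte, or -1
        for (int i = from; i < d.length; i++) if (d[i] == 0) return i;
        return -1;
    }

    public static void main(String[] args) {
        // Constructed credential check; the proposal would delegate this to a JAAS login module.
        CallbackHandler h = handlerFor((u, p) -> u.equals("alice")
                && java.security.MessageDigest.isEqual(new String(p).getBytes(UTF_8), "s3cret".getBytes(UTF_8)));
        for (String resp : new String[] {"\0alice\0s3cret", "\0alice\0wrong", "bob\0alice\0s3cret", "alice"}) {
            try { System.out.println("ok: " + evaluatePlain(resp.getBytes(UTF_8), h)); }
            catch (SaslException e) { System.out.println("rejected: " + e.getMessage()); }
        }
    }
}
```

The four constructed responses exercise a valid login, a wrong password, a mismatched authorization identity and a response with no NUL separators.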
Re: [MB4] Authentication Support

Hasitha Hiranya
Hi Waruna,

According to the diagram, authentication happens on a new "connection". Is my observation correct?
There will be no need to do that for sessions created by that connection, as the same user will be creating them.

Thanks

On Wed, Dec 13, 2017 at 11:03 PM, Waruna Jayaweera <[hidden email]> wrote:
> Hi,
> The AMQP specification defined the authentication mechanism and security content data is based on the Simple Authentication and Security Layer (SASL) framework. The following figure shows the proposed implementation for $subject.
>
> Inline image 1
>
> Once a client requests a connection, the server will send the supported SASL mechanisms (e.g. Plain Text) to the client. After that, the client will send the selected mechanism + auth response data. The server will create a SASL server based on the client mechanism, and then the server will evaluate the client authentication data and the callback handler will be executed for authentication. It will be done using the following two extension points.
>   1. Authenticator - Interface to authenticate mechanism based on security framework. We will use Java Authentication and Authorization Service (JAAS) as the default authentication implementation.
>   2. JAAS Modules - Users can define their own JAAS Login module as well.
> If authentication is successful, the connection will be established, or else an authentication error will be sent.
>
> Thanks,
> Waruna

--
Hasitha Abeykoon
Associate Technical Lead
WSO2, Inc.; http://wso2.com


Re: [MB4] Authentication Support

Asanka Abeyweera
Hi Hasitha,

Here, connection corresponds to the "AMQP connection". That is, we do the authentication when we receive the connection.start-ok frame and use the authenticated connection in sessions created using the connection. We are not planning to authenticate each session creation.

On Mon, Dec 25, 2017 at 4:14 PM, Hasitha Hiranya <[hidden email]> wrote:
> Hi Waruna,
>
> According to the diagram, authentication happens on a new "connection". Is my observation correct?
> There will be no need to do that for sessions created by that connection, as the same user will be creating them.
>
> Thanks

--
Asanka Abeyweera
Associate Technical Lead
WSO2 Inc.

Phone: +94 712228648



Re: [MB4] Authentication Support

Hasitha Hiranya
Hi Asanka,

Perfect. That is what I wanted to clarify. 

Thanks

On Mon, Dec 25, 2017 at 5:31 PM, Asanka Abeyweera <[hidden email]> wrote:
> Hi Hasitha,
>
> Here, connection corresponds to the "AMQP connection". That is, we do the authentication when we receive the connection.start-ok frame and use the authenticated connection in sessions created using the connection. We are not planning to authenticate each session creation.


Re: [MB4] Authentication Support

Shazni Nazeer
I have a few questions.

Will the user be infinitely authenticated once the initial authentication is successful, as far as the connection is intact? Or is there a timeout for an authenticated session even within a connection? And what are the implications of reestablishing a connection?

On Mon, Dec 25, 2017 at 8:52 AM, Hasitha Hiranya <[hidden email]> wrote:
> Hi Asanka,
>
> Perfect. That is what I wanted to clarify.
>
> Thanks

Re: [MB4] Authentication Support

Waruna Jayaweera
Hi Shazni,

Please find my responses inline.

On Thu, Dec 28, 2017 at 5:20 AM, Shazni Nazeer <[hidden email]> wrote:
> I have a few questions.
>
> Will the user be infinitely authenticated once the initial authentication is successful, as far as the connection is intact?

Authentication will only happen when starting a connection (connection.start-ok frame). Sessions will be created using the authenticated connection.

> Or is there a timeout for an authenticated session even within a connection? And what are the implications of reestablishing a connection?

There is no timeout for a session within a connection, and they will be kept until the client closes them. When reestablishing a connection, authentication will happen as before.

Re: [MB4] Authentication Support

Shazni Nazeer
Thanks Waruna. This is good.

On Fri, Dec 29, 2017 at 7:39 AM, Waruna Jayaweera <[hidden email]> wrote:
> Hi Shazni,
>
> Please find my responses inline.
>
> On Thu, Dec 28, 2017 at 5:20 AM, Shazni Nazeer <[hidden email]> wrote:
>> I have a few questions.
>>
>> Will the user be infinitely authenticated once the initial authentication is successful, as far as the connection is intact?
>
> Authentication will only happen when starting a connection (connection.start-ok frame). Sessions will be created using the authenticated connection.
>
>> Or is there a timeout for an authenticated session even within a connection? And what are the implications of reestablishing a connection?
>
> There is no timeout for a session within a connection, and they will be kept until the client closes them. When reestablishing a connection, authentication will happen as before.
