
Re: Application to Application authentication models....

From: r s <richard.scott(at)bestbuy.com>
Date: Fri Jan 31 2003 - 11:10:57 EST
In-Reply-To: <4ABF0315D817AB4EAD6224C31961A08C01276DC4@mostls1msgusr12.ITServices.sbc.com>

<snip>
>The web application generally doesn't need access to workflow states,
</snip>

I disagree in part. The very fact that the security credentials have to be stored on the filesystem to me, means that there are two possible issues - (a) a breakin at the web layer could lead to a compromise of the data within the database. (b) connections to the database could be made from inside the enterprise, pending firewalls etc.

>
>With that issue addressed, securing the application's credentials becomes

I accept that this may be the case for web applications per machines. What if I have two separate applications running on the same physical box, one uses a very highly sensitive database, the other does not. How can I authenticate the two processes without resorting to basic user IDs and passwords being stored on the filesystem?

>
>Though continuing on this trend, any sensitive traffic from your DMZ servers
>to your back-end systems should be SSL encrypted anyway, where "sensitive" (This
>includes access to databases, LDAP, etc.) And always keep in mind that

The use of SSL on database connections is considerably high. I am not so worried about passive attacks. I am wondering if there are any frameworks that exist such that when I take code and run this in production it can authenticate against a directory service, and obtain permission to access resources. I can take the same code, run it on the DEV box and intrinsically connect to the DEV database systems.

It's much like Kerberos for applications to authenticate against applications.

What my requirements would be is that the code itself could identify where it was being executed. This information is passed to the directory service and the directory service gives the necessary credentials to access resources in that environment.
The problem is, the application needs to authenticate to the directory service. Using certs just binds all applications, potentially, at the physical machine layer, not at the application layer. And accordingly, we are left with storing passphrases on the file system.


Any other comments would be great.

Cheers
r1.
>
>My two cents, at least.
Received on Fri Jan 31 14:13:44 2003
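The model the poster sketches (code identifies its environment, proves who it is to a directory-like service, and receives credentials scoped to that environment) can be made concrete with a small credential broker. The following is an added example for this archive page, not code from the poster or from any product they mention. It assumes a hypothetical broker that registers each application with its own key, verifies an HMAC proof of that key, and hands back a short-lived, environment-scoped database credential. Host names, application names and key values are constructed. The per-application registration key is still a secret the application must hold somewhere, which is exactly the bootstrap problem the message identifies; what the broker changes is that the secret on disk is no longer the long-lived database password, and identity is bound to the application rather than to the machine, so two applications sharing one box cannot reach each other's environments.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample data: two environments with separate database credentials.
DB_CREDENTIALS = {
    "DEV":  {"host": "dev-db.example.invalid",  "user": "app_dev",  "password": "dev-secret"},
    "PROD": {"host": "prod-db.example.invalid", "user": "app_prod", "password": "prod-secret"},
}

# Constructed registry: each application has its own registration key (the
# bootstrap secret the message calls a passphrase on the file system) and the
# set of environments it may obtain credentials for. Two apps on one box are
# told apart by their keys, not by the host they run on.
APP_REGISTRY = {
    "billing": {"key": b"billing-registration-key", "environments": {"DEV", "PROD"}},
    "reports": {"key": b"reports-registration-key", "environments": {"DEV"}},
}

TOKEN_TTL_SECONDS = 300  # credentials the broker issues are short-lived


def sign_request(app_key, app_id, environment, nonce):
    """Client side: prove possession of the registration key without sending it."""
    message = f"{app_id}|{environment}|{nonce}".encode()
    return hmac.new(app_key, message, hashlib.sha256).hexdigest()


class CredentialBroker:
    """Hypothetical directory-style service that issues environment-scoped,
    short-lived database credentials to applications that prove their identity."""

    def __init__(self, registry, credentials, now=time.time):
        self._registry = registry
        self._credentials = credentials
        self._now = now              # injectable clock, useful for testing
        self._seen_nonces = set()    # rejects a replayed proof

    def issue(self, app_id, environment, nonce, proof):
        app = self._registry.get(app_id)
        if app is None:
            raise PermissionError("unknown application")
        if environment not in app["environments"]:
            raise PermissionError("application not registered for this environment")
        if nonce in self._seen_nonces:
            raise PermissionError("replayed request")
        expected = sign_request(app["key"], app_id, environment, nonce)
        if not hmac.compare_digest(expected, proof):
            raise PermissionError("bad proof of identity")
        self._seen_nonces.add(nonce)
        creds = dict(self._credentials[environment])
        creds["expires_at"] = self._now() + TOKEN_TTL_SECONDS
        return creds


def fetch_db_credentials(broker, app_id, app_key, environment):
    """The same application code runs unchanged in DEV and PROD; only the
    environment it reports (and the key it holds) decides what it receives."""
    nonce = secrets.token_hex(16)
    proof = sign_request(app_key, app_id, environment, nonce)
    return broker.issue(app_id, environment, nonce, proof)


def fetch_or_none(broker, app_id, app_key, environment):
    """Convenience wrapper: None when the broker refuses, for easy checking."""
    try:
        return fetch_db_credentials(broker, app_id, app_key, environment)
    except PermissionError:
        return None


if __name__ == "__main__":
    broker = CredentialBroker(APP_REGISTRY, DB_CREDENTIALS)
    billing_key = APP_REGISTRY["billing"]["key"]
    reports_key = APP_REGISTRY["reports"]["key"]
    print("billing/DEV :", fetch_or_none(broker, "billing", billing_key, "DEV"))
    print("billing/PROD:", fetch_or_none(broker, "billing", billing_key, "PROD"))
    # reports is registered for DEV only, so a PROD request is refused even
    # though it runs on the same machine as billing.
    print("reports/PROD:", fetch_or_none(broker, "reports", reports_key, "PROD"))
    # A process that does not hold the registration key gets nothing.
    print("forged key  :", fetch_or_none(broker, "reports", b"wrong-key", "DEV"))
```

The nonce and HMAC stand in for the ticket-style exchange the poster compares to Kerberos; a real deployment would run the exchange over a mutually authenticated channel and would bind the registration key to something stronger than a file, such as a hardware token or an OS-level identity, since whatever can read that key can impersonate the application.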

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:02:46 EDT
