[Diagram: Login Process]
Components: Browser; Web Server with the login plugin (edh.cern.ch); Login Web Server (https) aislogin.cern.ch; Users DB; Users DB copy.
1. Browser accesses a protected page on the Web Server
2a. The plugin redirects the browser to the login page
2b. Browser follows the redirect to the login page on aislogin.cern.ch
3a. Login server sets the login cookie and redirects back to the protected page
3b. Browser accesses the protected page again, sending the login cookie
Login application

1. Verify username & password
   • create MD5 hash and check against database
   • get other user information (CERNID, PERSONID, IP, ….)
2. Encrypt user information with the Private Key
   typedef struct {
       UINT4 cksum;
       UINT4 dateOfIssue;
       UINT4 IP;
       UINT4 HRId;
       UINT4 CERNId;
       char username[27];
       char language;
       unsigned char version;
       unsigned char flags[40];
   }; /* 89 bytes */
   The encrypted record is 800 bits, sent as 200 hex characters, e.g.
   AA3A256BF06038A190D903B3A2ED8F5D79F428006D4ACAEF4AC25A97046DC4BA5C2AE67B8BBB6C6508C0406C64E3331E8C4DB0A86CE4B4CE1A1EC7B96F7EC640704A5A4BFE7D4FE7FB96E6D6C57F346D914BEA2D8BAFDD62D2CA811532572C7B952B1F73
3. Set AI_SESSION cookie
   Set-Cookie: AI_SESSION=8E6EF5CA5F5602E2D13DA53349FAD84907B8F100A84DAA8A1B3F2DE40B01A21396554EF439941F576D470827999A83E9CAB124F2FFBB1F96336D2B07C3B5F63E12E826A9055F4EBB652AAE4FF43AAB2CC842DCA076B5C7944D79CC410CBA4006154409B1; path=/; domain=.cern.ch
4. Verify that browser accepts cookies
Webserver Plugin Operation

1. Verify and decrypt the AI_SESSION cookie (the 200-character value set at login) with the Public Key; the decrypted data is the 89-byte record
   typedef struct {
       UINT4 cksum;
       UINT4 dateOfIssue;
       UINT4 IP;
       UINT4 HRId;
       UINT4 CERNId;
       char username[27];
       char language;
       unsigned char version;
       unsigned char flags[40];
   }; /* 89 bytes */
2. If any errors, redirect to the login page
3. Create server-side cookies
   AI_USER=50070;AI_USERNAME=AWIECEK;AI_HRID=493034;AI_LANG=EN;AI_XRESOLUTION=0;AI_YRESOLUTION=0
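As an added example (not code from the slides or from the CERN AIS project), the C below packs the 89-byte record from the login-application slide and runs the checks the plugin would apply after decrypting it with the public key, then builds the server-side cookie string. The checksum rule, the meaning of dateOfIssue and IP, the AI_USER-to-CERNId mapping and the language-code table are assumptions, since the slides do not specify them; the RSA step itself is left out.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The 89-byte AI_SESSION record from the slides (UINT4 == uint32_t), packed so its
   size matches. Assumed: dateOfIssue is Unix seconds, IP a host-order IPv4 address. */
typedef struct __attribute__((packed)) {
    uint32_t cksum, dateOfIssue, IP, HRId, CERNId;
    char username[27];
    char language;
    unsigned char version;
    unsigned char flags[40];
} ai_session_t;
_Static_assert(sizeof(ai_session_t) == 89, "layout must match the slide");

/* Assumed checksum (the slides do not give the rule): 32-bit sum of every byte
   after the cksum field, so any change to the record is caught. */
static uint32_t ai_checksum(const ai_session_t *s) {
    const unsigned char *p = (const unsigned char *)s + sizeof s->cksum;
    uint32_t sum = 0;
    for (size_t i = 0; i < sizeof *s - sizeof s->cksum; i++) sum += p[i];
    return sum;
}

/* Login application: fill the record after the password check and stamp cksum;
   the caller then encrypts the 89 bytes with the private key (not shown). */
static void ai_issue(ai_session_t *s, uint32_t now, uint32_t ip, uint32_t hrid,
                     uint32_t cernid, const char *user, char lang) {
    memset(s, 0, sizeof *s);
    s->dateOfIssue = now; s->IP = ip; s->HRId = hrid; s->CERNId = cernid;
    strncpy(s->username, user, sizeof s->username - 1);
    s->language = lang; s->version = 1;
    s->cksum = ai_checksum(s);
}

/* Plugin side, after decrypting with the public key: a successful decrypt proves the
   login server produced the record but does not hide it from anyone holding the
   public key. Any non-zero result means "redirect to the login page". */
enum { AI_OK = 0, AI_BAD_CKSUM, AI_EXPIRED, AI_WRONG_IP };
static int ai_verify(const ai_session_t *s, uint32_t now, uint32_t client_ip, uint32_t max_age) {
    if (s->cksum != ai_checksum(s)) return AI_BAD_CKSUM;                /* corrupt or tampered */
    if (now < s->dateOfIssue || now - s->dateOfIssue > max_age) return AI_EXPIRED;
    if (s->IP != client_ip) return AI_WRONG_IP;                         /* presented from another host */
    return AI_OK;
}

/* Server-side cookies as on the slide; AI_USER <- CERNId and the language table are assumed. */
static const char *ai_lang(char c) { return c == 'F' ? "FR" : "EN"; }
static int ai_server_cookies(const ai_session_t *s, char *out, size_t n) {
    return snprintf(out, n, "AI_USER=%u;AI_USERNAME=%.27s;AI_HRID=%u;AI_LANG=%s",
                    s->CERNId, s->username, s->HRId, ai_lang(s->language));
}
```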

Login step 1
BROWSER request
GET http://aisws7.cern.ch/protected/showcookies
User-Agent: lwp-request/1.37
WEBSERVER response
302 AIS login required
Connection: close
Date: Thu, 21 Sep 2000 04:28:43 GMT
Location: https://aislogin.cern.ch/login-servlet/Login?REFER=http://aisws7.cern.ch/protected/showcookies
Server: Netscape-Enterprise/3.6 SP3
Client-Date: Thu, 21 Sep 2000 04:28:43 GMT
Client-Peer: 137.138.180.19:80
<HTML><HEAD><TITLE>An Error Occurred</TITLE></HEAD><BODY><H1>An Error Occurred</h1>302 AIS login required</BODY></HTML>

Login step 2
BROWSER request
GET https://aislogin.cern.ch/login-servlet/Login?REFER=http://aisws7.cern.ch/protected/showcookies
User-Agent: lwp-request/1.37
WEBSERVER response
200 OK
Cache-Control: no-cache
Date: 21 Sep 2000 04:26:12 GMT
Pragma: No-cache
Server: Netscape-Enterprise/3.6 SP2 ServletExecWAI/2.1
Content-Type: text/html; charset=iso-8859-1
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Client-Date: Thu, 21 Sep 2000 04:28:44 GMT
Client-Peer: 137.138.25.20:443
Client-SSL-Cert-Issuer: /C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority
Client-SSL-Cert-Subject: /C=CH/SP=Switzerland/L=Geneva/O=CERN/OU=AS-SAS/CN=aislogin.cern.ch
Client-SSL-Cipher: EXP-RC4-MD5
Client-SSL-Warning: Peer certificate not verified
MIME-Version: 1.0
Title: Common Login
<html><head><title>Common Login</title></head>.<form name="form1" method="post" action="Login"> <div align="left">

Login step 3
BROWSER request
POST https://aislogin.cern.ch/login-servlet/Login?REFER=http://aisws7.cern.ch/protected/showcookies
User-Agent: lwp-request/1.37
Content-Length: 47
Content-Type: application/x-www-form-urlencoded
WEBSERVER response
302 Moved temporarily
Date: 21 Sep 2000 04:26:13 GMT
Location: CheckLogin?REFER=http://aisws7.cern.ch/protected/showcookies
Server: Netscape-Enterprise/3.6 SP2 ServletExecWAI/2.1
Content-Type: text/html
Client-Date: Thu, 21 Sep 2000 04:28:45 GMT
Client-Peer: 137.138.25.20:443
Client-SSL-Cert-Issuer: /C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority
Client-SSL-Cert-Subject: /C=CH/SP=Switzerland/L=Geneva/O=CERN/OU=AS-SAS/CN=aislogin.cern.ch
Client-SSL-Cipher: EXP-RC4-MD5
Client-SSL-Warning: Peer certificate not verified
MIME-Version: 1.0
Set-Cookie: AI_SESSION=8E6EF5CA5F5602E2D13DA53349FAD84907B8F100A84DAA8A1B3F2DE40B01A21396554EF439941F576D470827999A83E9CAB124F2FFBB1F96336D2B07C3B5F63E12E826A9055F4EBB652AAE4FF43AAB2CC842DCA076B5C7944D79CC410CBA4006154409B1; path=/; domain=.cern.ch
Set-Cookie: SECURE_LOGIN=1; expires=Sat, 22-Nov-2003 14:12:52 GMT; path=/; domain=.cern.ch
<HTML>

Login step 4
BROWSER request
GET https://aislogin.cern.ch/login-servlet/CheckLogin?REFER=http://aisws7.cern.ch/protected/showcookies
User-Agent: lwp-request/1.37
Cookie: AI_SESSION=AA3A256BF06038A190D903B3A2ED8F5D79F428006D4ACAEF4AC25A97046DC4BA5C2AE67B8BBB6C6508C0406C64E3331E8C4DB0A86CE4B4CE1A1EC7B96F7EC640704A5A4BFE7D4FE7FB96E6D6C57F346D914BEA2D8BAFDD62D2CA811532572C7B952B1F73
WEBSERVER response
200 OK
Cache-Control: no-cache
Date: 21 Sep 2000 04:26:14 GMT
Pragma: No-cache
Server: Netscape-Enterprise/3.6 SP2 ServletExecWAI/2.1
Content-Type: text/html; charset=iso-8859-1
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Client-Date: Thu, 21 Sep 2000 04:28:46 GMT
Client-Peer: 137.138.25.20:443
Client-SSL-Cert-Issuer: /C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority
Client-SSL-Cert-Subject: /C=CH/SP=Switzerland/L=Geneva/O=CERN/OU=AS-SAS/CN=aislogin.cern.ch
Client-SSL-Cipher: EXP-RC4-MD5
Client-SSL-Warning: Peer certificate not verified
MIME-Version: 1.0
Title: Login Succeeded
<html><head><title>Login Succeeded</title></head>
<td><font face="Arial, Helvetica, sans-serif"><b>You may now proceed to <a href="http://aisws7.cern.ch/protected/showcookies">
http://aisws7.cern.ch/protected/showcookies</a>

Login step 5
BROWSER request
GET http://aisws7.cern.ch/protected/showcookies
User-Agent: lwp-request/1.37
Cookie: AI_SESSION=AA3A256BF06038A190D903B3A2ED8F5D79F428006D4ACAEF4AC25A97046DC4BA5C2AE67B8BBB6C6508C0406C64E3331E8C4DB0A86CE4B4CE1A1EC7B96F7EC640704A5A4BFE7D4FE7FB96E6D6C57F346D914BEA2D8BAFDD62D2CA811532572C7B952B1F73
WEBSERVER response
200 OK
Connection: close
Date: Thu, 21 Sep 2000 04:28:47 GMT
Server: Netscape-Enterprise/3.6 SP3
Content-Type: text/html
Client-Date: Thu, 21 Sep 2000 04:28:47 GMT
Client-Peer: 137.138.180.19:80
<PRE>
Cookies:
AI_SESSION=AA3A256BF06038A190D903B3A2ED8F5D79F428006D4ACAEF4AC25A97046DC4BA5C2AE67B8BBB6C6508C0406C64E3331E8C4DB0A86CE4B4CE1A1EC7B96F7EC640704A5A4BFE7D4FE7FB96E6D6C57F346D914BEA2D8BAFDD62D2CA811532572C7B952B1F73;
AI_USER=50070;
AI_USERNAME=AWIECEK;
AI_HRID=493034;
AI_LANG=EN;
AI_XRESOLUTION=0;
AI_YRESOLUTION=0
</PRE>

Login step 6
BROWSER request
GET http://aisws7.cern.ch/not-protected/showcookies
User-Agent: lwp-request/1.37
Cookie: AI_SESSION=AA3A256BF06038A190D903B3A2ED8F5D79F428006D4ACAEF4AC25A97046DC4BA5C2AE67B8BBB6C6508C0406C64E3331E8C4DB0A86CE4B4CE1A1EC7B96F7EC640704A5A4BFE7D4FE7FB96E6D6C57F346D914BEA2D8BAFDD62D2CA811532572C7B952B1F73
WEBSERVER response
200 OK
Connection: close
Date: Thu, 21 Sep 2000 04:28:47 GMT
Server: Netscape-Enterprise/3.6 SP3
Content-Type: text/html
Client-Date: Thu, 21 Sep 2000 04:28:47 GMT
Client-Peer: 137.138.180.19:80
<PRE>
Cookies:
AI_SESSION=AA3A256BF06038A190D903B3A2ED8F5D79F428006D4ACAEF4AC25A97046DC4BA5C2AE67B8BBB6C6508C0406C64E3331E8C4DB0A86CE4B4CE1A1EC7B96F7EC640704A5A4BFE7D4FE7FB96E6D6C57F346D914BEA2D8BAFDD62D2CA811532572C7B952B1F73;
</PRE>

Features:
• Any cookie-enabled browser
• Password is requested only once and encrypted (SSL)
• Does not use standard HTTP authentication
• Supports HTTP & HTTPS
• Supports clients inside and outside of CERN
• Does authentication only; authorization is handled by applications
• Requires a Web Server plugin
The AIS Common Login