Conventional User Authentication & Authorization in Web Applications
User authentication and authorization are a common concern in any web application. So let us understand what they are and why a web application needs them.
Authentication is the process of identifying the user or entity that is going to use the application. A web application needs to know who is using it and what rights and access that user has. Any web application serves a business purpose, whether it is a social media application or a line-of-business application, and the business logic needs to know who is performing each business activity; therefore the application must know who is using it.
Authorization is the process associated with authentication: once the user's identity has been established by the authentication process, the application checks what access and permissions that user has. Based on those permissions, the user is served web resources such as menus, screens, buttons and activities. Additionally, whenever the user performs an action in the web application, the application first checks whether the user is permitted to perform it. This checking and verification of user access is called authorization.
In short, authentication establishes the user's identity and authorization checks the user's access rights in the application. Both are required in any web application so that business operations are performed correctly and in the order that has been decided.
How is authentication performed? There are conventional ways and modern ways. Conventionally, authentication (user identification) is performed by checking user credentials, which have two parts: a username, a unique identifier for the user, and a password, a secret string that proves the claimed identity is genuine because only the user is supposed to know it.
If a further, independent proof of identity is required in addition to the username and password, the scheme is called Multi-Factor Authentication (MFA); examples are a One-Time Password (OTP), device authentication and hardware tokens such as an RSA token.
How is authorization performed? To perform authorization, the application first needs an access-control model. There are various models, but two are very popular. In Role-Based Access Control (RBAC), the permissions on resources are grouped into roles and roles are assigned to users. In Attribute-Based Access Control (ABAC), the decision is made by evaluating a policy over attributes of the user (such as department or clearance), of the resource (such as owner or classification), of the action (read, write, execute) and of the environment (such as time or network location). When a user tries to access a web resource, the access rights mapped to that user are loaded and checked against the requested resource; if the user does not have access, an unauthorized response is returned.
How authentication and authorization are performed conventionally in a web application is discussed in the subsequent sections.
Authentication and authorization are a very common need of any web application, so that valid users can perform the required business operations within their correct scope of work.
Apart from the business needs, there is a Non-Functional Requirement (NFR): the security of the web application. Security is not a functional requirement of the business, but it is an essential requirement for running the business. Hence, the web application must be protected from unauthorized users.
To implement the functional and security requirements related to users and their access, a web application needs authentication and authorization.
This article discusses authentication and authorization for web applications with a conventional implementation.
It helps in understanding the need for authentication and authorization in web applications and how to implement them in the conventional manner. It will be beneficial for web developers, architects and product owners.
As discussed under the 'Business Needs' section, web applications need authentication and authorization. The next question is how to implement them.
There are various answers to that these days, e.g.:
- Basic Auth
- JWT / Bearer token
- API Key
- OAuth 2.0
- Certificate-based authentication
- SAML-based authentication
- Kerberos-based authentication
- NTLM-based authentication
In this article, we discuss the conventional implementation, referred to above as Basic Auth: the application itself checks the user's username and password and then tracks the user with a server-side session.
In web applications, user authentication is conventionally performed with a username (or user id) and a password.
A page or endpoint is developed to which the user submits the username and password as data; the backend logic reads the submitted data, looks the user up in the database where the list of users is stored, and verifies whether the password matches.
Now, there are some cases to handle while doing authentication:
- the given username does not exist: the backend logic reports that the user is not available
- the given username exists but the password does not match: the backend logic reports an incorrect password
- the given username exists and the password matches: the user is granted the requested access
The backend distinguishes the first two cases internally, but the response sent to the client should not: a distinct 'user not available' message lets an attacker enumerate valid usernames, so both failures should produce the same generic 'invalid username or password' response (with a comparable response time). The stored password should be a salted hash, never plaintext, and the comparison should be constant-time.
How to authenticate in a web application?
- create a page or web resource to which the username and password can be submitted; it could be a web form or a REST endpoint
- write logic to validate the username and password
- if the username and password are valid, create an access token or session in the application
Once the user's identity has been validated with the credentials (username and password), the user's subsequent requests and activities should be performed under that same identity. Therefore a user session is created and the user's access rights are associated with it. If no session were created, the user would have to be identified with username and password on every request for a web resource, which would be very tedious for the user and the business.
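The login flow above, as an added example (this code is not from the article): a Python module that stores passwords as salted PBKDF2 hashes, checks them in constant time, returns the same result for an unknown user and a wrong password, and creates a random session id on success. The in-memory user store, the iteration count, the session lifetime and the sample user are constructed for illustration.

```python
# Added example, not from the article: conventional username/password
# authentication with a server-side session, written to avoid the two
# classic mistakes: storing plaintext passwords and leaking which of the
# two failure cases (unknown user / wrong password) occurred.
import hashlib
import hmac
import secrets
import time
from typing import Dict, List, Optional, Tuple

PBKDF2_ITERATIONS = 600_000   # assumption: tune to your hardware budget
SESSION_TTL = 30 * 60         # seconds of validity; assumption


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, PBKDF2-HMAC-SHA256 digest) for storing in the user table."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


# Constructed in-memory user store standing in for the database table of users.
USERS: Dict[str, dict] = {}


def register(username: str, password: str, roles: List[str]) -> None:
    salt, digest = hash_password(password)
    USERS[username] = {"salt": salt, "hash": digest, "roles": list(roles)}


# A dummy record so that an unknown username still costs one PBKDF2 run:
# without it the response time alone would reveal whether the user exists.
_DUMMY_SALT, _DUMMY_HASH = hash_password(secrets.token_hex(8))

# session id -> session data; populated only by a successful login
SESSIONS: Dict[str, dict] = {}


def authenticate(username: str, password: str) -> Optional[str]:
    """Verify credentials; on success create a session and return its id.

    Both failure cases return None: the caller must show the same generic
    'invalid username or password' message for each, so the login page
    cannot be used to enumerate valid usernames.
    """
    record = USERS.get(username)
    salt = record["salt"] if record else _DUMMY_SALT
    expected = record["hash"] if record else _DUMMY_HASH
    _, candidate = hash_password(password, salt)
    # compare_digest runs in constant time; the record check comes after it
    ok = hmac.compare_digest(candidate, expected) and record is not None
    if not ok:
        return None
    session_id = secrets.token_urlsafe(32)   # 256 bits from a CSPRNG
    SESSIONS[session_id] = {
        "user": username,
        "roles": list(record["roles"]),
        "expires": time.time() + SESSION_TTL,
    }
    return session_id


def session_user(session_id: str) -> Optional[str]:
    """Resolve the session id sent with a later request back to the user."""
    sess = SESSIONS.get(session_id)
    if sess is None or sess["expires"] < time.time():
        SESSIONS.pop(session_id, None)   # drop expired sessions eagerly
        return None
    return sess["user"]


def logout(session_id: str) -> None:
    SESSIONS.pop(session_id, None)


if __name__ == "__main__":
    register("alice", "correct horse battery staple", ["user"])
    sid = authenticate("alice", "correct horse battery staple")
    print("login ok:", sid is not None)
    print("wrong password:", authenticate("alice", "guess"))
    print("unknown user:  ", authenticate("mallory", "guess"))
    print("session resolves to:", session_user(sid))
```

In a real deployment the `USERS` and `SESSIONS` dictionaries are a database table and a session store; the shape of the checks stays the same.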
How to implement authorization in a web application?
- create an RBAC- or ABAC-based access list and map it to users
- when the user authenticates, link the user's access list / roles / access attributes to the access token or session created during authentication
- whenever the user tries to perform an activity or access a resource in the web application, validate the access token or session against the requested resource to check whether the user has access
- if the user has access, serve the resource; otherwise respond with an error status: 401 Unauthorized when there is no valid session (the user is not authenticated) and 403 Forbidden when the session is valid but the user lacks the required access
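The authorization steps above, together with the RBAC and ABAC models described earlier, as an added example (not the article's code): the session holds the user's identity and roles, an RBAC check decides whether any role grants the needed permission, and an ABAC policy over user, action and resource attributes refines the decision; the function returns the HTTP status the endpoint should answer with. The role table, the policy rules, the users and their departments are all constructed assumptions.

```python
# Added example, not from the article: authorization after login.
# The session carries the user's identity and roles; an RBAC check decides
# whether any role grants the required permission, and an ABAC policy over
# attributes of user, action and resource refines the decision.
# All names, roles, departments and policy rules are constructed.
import time
from dataclasses import dataclass
from typing import Dict, List, Optional

# RBAC: permissions on resources are grouped into roles (assumed table).
ROLE_PERMISSIONS: Dict[str, set] = {
    "viewer": {"report:read"},
    "editor": {"report:read", "report:write"},
    "admin":  {"report:read", "report:write", "report:delete", "user:manage"},
}

# Assumed user directory supplying the attribute the ABAC rule needs.
USER_DEPARTMENT = {"alice": "finance", "bob": "finance", "carol": "hr", "dave": "it"}


@dataclass
class Resource:
    kind: str                          # e.g. "report"
    owner: str
    classification: str = "internal"   # "internal" or "confidential"


@dataclass
class Session:
    user: str
    roles: List[str]
    expires: float


SESSIONS: Dict[str, Session] = {}   # filled at login time


def create_session(session_id: str, user: str, roles: List[str], ttl: int = 1800) -> None:
    SESSIONS[session_id] = Session(user, list(roles), time.time() + ttl)


def rbac_allows(session: Session, permission: str) -> bool:
    """True if any of the user's roles grants the permission."""
    return any(permission in ROLE_PERMISSIONS.get(role, set()) for role in session.roles)


def abac_allows(session: Session, action: str, resource: Resource) -> bool:
    """Constructed policy over subject, action and resource attributes:
    - the owner of a resource may do anything to it;
    - a confidential resource may otherwise only be read, and only by an
      admin or by a user in the owner's department;
    - anything else is left to the RBAC decision."""
    if resource.owner == session.user:
        return True
    if resource.classification == "confidential":
        same_department = USER_DEPARTMENT.get(session.user) == USER_DEPARTMENT.get(resource.owner)
        return action == "read" and ("admin" in session.roles or same_department)
    return True


def authorize(session_id: Optional[str], action: str, resource: Resource) -> int:
    """Return the HTTP status the endpoint should answer with:
    401 when there is no valid session (not authenticated),
    403 when the session is valid but the user lacks access,
    200 when the request may proceed."""
    session = SESSIONS.get(session_id) if session_id else None
    if session is None or session.expires < time.time():
        SESSIONS.pop(session_id, None)   # drop an expired session
        return 401
    if not rbac_allows(session, f"{resource.kind}:{action}"):
        return 403
    if not abac_allows(session, action, resource):
        return 403
    return 200


if __name__ == "__main__":
    create_session("s-alice", "alice", ["editor"])
    create_session("s-carol", "carol", ["viewer"])
    report = Resource("report", owner="alice", classification="confidential")
    print(authorize("s-alice", "write", report))   # owner: 200
    print(authorize("s-carol", "read", report))    # other department: 403
    print(authorize("missing", "read", report))    # no session: 401
```

The RBAC check is evaluated first because it is cheap and role-based denials are the common case; the ABAC policy then handles the cases roles alone cannot express, such as ownership and data classification.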
Consider the diagram below, which depicts the conventional authentication and authorization mechanism:
Once authentication is complete, meaning the user has been identified at the backend, the same identity needs to be carried on subsequent backend requests. For this, a session is created for the user, all of the user's access rights are loaded and mapped to the session so that authorization can be performed, and a session id is created for the session and sent back to the user, who provides it with all subsequent calls to the backend. The session id must be unpredictable (a long random value from a cryptographically secure generator), and it should be regenerated when the user logs in so that an id planted in the browser before authentication cannot be reused (session fixation); it should also be invalidated on logout and after a period of inactivity.
There are a few ways to send the session id with the next call to the backend:
- Header: an HTTP request header can be used to carry the session id/token to the backend. Mostly the Authorization header is used.
- Hidden form field: if the application is built on web forms, each form/screen drawn for the user contains a hidden form field holding the session id/token, and the token is sent back to the backend with each form submit.
- Request parameter: a request parameter can be used for subsequent calls. In Java you may have noticed JSESSIONID in the browser's URL bar; this serves the same purpose. This carrier is the weakest: a session id in the URL ends up in browser history, proxy and server logs, bookmarks and the Referer header of outgoing links, so it should be avoided.
- Cookies: cookies can be used to share the session id/token, as cookies are stored by the browser and automatically sent to the server with each request. The session cookie should be set with the HttpOnly flag (so scripts cannot read it), the Secure flag (so it travels only over HTTPS) and a SameSite attribute; because the browser attaches it automatically, state-changing requests also need CSRF protection.
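The carriers listed above, as an added example (not from the article): a parser for the HTTP Basic Authorization header that the conventional scheme is named after, a function that locates the session id in the Bearer header, cookie, hidden form field or URL parameter, and a builder for the Set-Cookie header with the protective attributes. The cookie name, the form field and parameter names, and the sample requests are assumptions.

```python
# Added example, not from the article: how the credential or the session id
# travels in an HTTP request, and how the session cookie should be set.
import base64
import binascii
from http.cookies import SimpleCookie
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

SESSION_COOKIE = "SESSIONID"   # assumed cookie name
SESSION_FIELD = "session_id"   # assumed hidden-field / URL parameter name


def parse_basic_auth(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Decode 'Authorization: Basic base64(user:password)' (HTTP Basic Auth).
    Returns (user, password), or None if the header is absent or malformed.
    The credentials are only encoded, not encrypted, so Basic Auth is
    acceptable only over TLS."""
    if not header:
        return None
    scheme, _, value = header.partition(" ")
    if scheme.lower() != "basic" or not value.strip():
        return None
    try:
        decoded = base64.b64decode(value.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    if not sep:                      # RFC 7617 requires the colon
        return None
    return user, password


def session_id_from_request(headers: Dict[str, str], url: str,
                            form: Dict[str, str]) -> Tuple[Optional[str], str]:
    """Locate the session id, trying the carriers in order of preference:
    Authorization: Bearer header, cookie, hidden form field, URL parameter.
    Returns (session_id, carrier) so the caller can log or reject weak carriers."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() == "bearer" and token.strip():
        return token.strip(), "header"
    jar = SimpleCookie()
    jar.load(headers.get("Cookie", ""))
    if SESSION_COOKIE in jar:
        return jar[SESSION_COOKIE].value, "cookie"
    if form.get(SESSION_FIELD):
        return form[SESSION_FIELD], "form"
    # URL carrier comes last and is discouraged: the id lands in browser
    # history, proxy/server logs and the Referer header of outgoing links.
    query = parse_qs(urlsplit(url).query)
    if query.get(SESSION_FIELD):
        return query[SESSION_FIELD][0], "url"
    return None, "none"


def session_cookie_header(session_id: str, max_age: int = 1800) -> str:
    """Build the Set-Cookie value that hands the session id to the browser.
    HttpOnly keeps page scripts from reading it, Secure restricts it to HTTPS,
    SameSite=Lax stops the browser attaching it to cross-site POSTs."""
    return (f"{SESSION_COOKIE}={session_id}; Path=/; Max-Age={max_age}; "
            "HttpOnly; Secure; SameSite=Lax")


if __name__ == "__main__":
    print(parse_basic_auth("Basic YWxpY2U6czNjcmV0"))          # ('alice', 's3cret')
    print(session_id_from_request({"Cookie": "SESSIONID=abc123; theme=dark"}, "/home", {}))
    print(session_cookie_header("abc123"))
```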
Although this serves the business needs for user authentication and authorization, it has certain limitations:
- sessions live in the memory of the server instance that created them, so scaling out to several application instances requires sticky sessions or a shared session store
- implementing web Single Sign-On (SSO) across applications is quite tough, because each application holds its own session
- it is not well suited to modern application design patterns such as microservices, where every service would need access to the same session store
Authentication and authorization are one of the main cross-cutting concerns of any web application. There are various ways to implement them, and 'Basic Auth' (a username and password checked by the application, followed by a server-side session) is one approach that can be implemented in conventional applications.
About the Author
Sandeep Kumar holds a Master of Computer Application degree and works as a Java developer with 10+ years of experience. He has designed and developed enterprise applications in domains such as education, content, laboratory and banking, and has received various appreciations for his solutions, including a spot appreciation for a Glassfish to JBoss migration project. He holds the Google Cloud Developer certificate and has participated in OCI trainings. He is part of the HCL-ERS platform as Sr. Lead Developer.