DEVELOPMENT OF THE PERCOM PROJECT AUTHENTICATION METHOD
1. Functioning and purpose of the authentication method
Authentication for a computer system is a process allowing the system to ensure the legitimacy of the access request made by an entity (human being or another system ...) in order to authorize the access of this entity to system resources (systems, networks , applications, etc.) in accordance with the access control settings. Authentication therefore allows, for the system, to validate the legitimacy of the entity's access, then the system assigns to this entity the identity data for this session (these attributes are held by the system or can be provided by the entity during the authentication process). It is from elements from these two processes that access to system resources can be configured (access control).
Access to the resources of an information system by an entity, breaks down into three sub-processes, authentication,
identification (digital identity (Internet)) and access control (logical access control). Authentication is the process of confirming that a principal is legitimate to access the system. There are four standard authentication factors that can be used in the client authentication process:
- use information that only the principal knows (what we know)
- use unique information that only the principal has (what we have)
- use information that characterizes the principal in a given context (what we are)
- use information that only the principal can produce (what we know how to do)
Other authentication factors can sometimes be used such as time constraints or location capabilities.
b. Verification method
The verification phase involves an authentication protocol. There are three kinds of “families”:
- simple authentication: authentication is based on only one element or "factor" (example: the user indicates his password)
- strong authentication: authentication is based on two or more factors
- single authentication: (or unique identification; in English Single Sign-On or SSO) is a method allowing a user to carry out only one authentication to access several computer applications (or secure websites)
In addition, authentication with zero knowledge transfer only considers the information of the veracity of a proposition.
2. Authentication method in the project
a. Backend part
The Backend part of our project uses java in the J2EE category and uses multiple frameworks such as spring, Hibernate, etc.
For this part we will show you how we installed our authentication system this was done with spring security technology.
The main security mechanism used is the JWT (JSON Web Token).
JSON Web Token (JWT) authentication is a stateless security mechanism, so it's a good option if you want to scale your application on several different servers. Please note that this is the default option when using a Microservices architecture. This authentication mechanism does not exist by default with Spring Security, it is a specific integration in PERCOM of the Java JWT project. This solution uses a secure token that contains the login name and the authorities of the user. Since the token is signed, it cannot be changed by a user.
• Securing the JWT
PERCOM uses a secret key, which can be configured using two Spring Boot properties: percom.security.authentication.jwt.secret and percom.security.authentication.jwt.base64-secret. The second option uses a Base64 encoded string, so it is considered more secure and is therefore recommended. If both properties are configured, the secret (less secure) key will be used, for inherited reasons. A warning is displayed when starting the application if you are not using the Base64 property.
These keys must have a minimum length of 512 bits: if they are not long enough, you will not be able to use them to connect. If this happens, a clear warning is displayed on the console explaining this problem.
The secret keys are configured in the applications - *. Yml which are files. As these keys must be kept secret, you must store them securely for your production profile. It can be installed using the usual Spring Boot property configuration: using a serverr Spring Cloud Config, using an environment variable, or even an application-prod.yml file.
a. Frontend part
Since the biggest job has been done on the backend, the frontend part will take care of synchronizing with the authentication API created which is API / Authenticate which creates and returns the identification key that I retrieve to the using a JSON file
In this part the interface responsible for calling this API is this: