The Barracuda Application Server (BAS) offers a robust and flexible authentication framework. It seamlessly integrates with the Virtual File System (VFS) to provide secure access control across web applications. Understanding how authentication interfaces with the VFS is crucial for implementing effective security measures.
Authentication Overview:
Authentication verifies a user's identity by comparing provided credentials (username and password) against stored credentials on the device or via methods such as single sign-on.
Decoupled Authentication Logic:
BAS decouples authentication logic from web pages by associating authenticators with VFS directory nodes. This design allows an authenticator to act as a security umbrella, enforcing authentication for all resources within a specific directory and its subdirectories. By attaching an authenticator to a directory node, you ensure that any access to resources within that node requires proper authentication, streamlining security management and reducing the risk of unauthorized access.
When a user is authenticated using one of the built-in BAS authenticators, the system automatically creates a session object. This session keeps track of the authenticated user and is maintained either through a session HTTP cookie or a session ID embedded in the URL. To strengthen security, both methods lock the session to the client's IP address, which helps prevent session hijacking. However, if your use case does not require session tracking or if you need more flexibility, such as allowing roaming IP addresses, you can create your own authentication mechanism. By implementing a custom directory function, you can enforce your own access control while still providing the same security umbrella as the built-in system. Any files or APIs inside the protected directory, including its subdirectories, will then be secured by your custom logic.
BAS supports standard basic, digest, and form-based authentication as well as custom authentication schemes, such as bearer tokens. The server lets you interact with these authenticator objects, for example by providing straightforward integration with a user and password database.
The Barracuda Server supports the following authenticator types:
Both HTTP-based methods, basic and digest, involve the server challenging the client with a 401 Unauthorized response, prompting the client to provide valid credentials. However, these methods can present challenges, such as difficulty implementing custom login interfaces and managing user logout, especially with browser-controlled authentication dialogs.
To overcome the limitations of HTTP-based methods, BAS supports form-based authentication, which is particularly advantageous for browser clients:
In form-based authentication, user credentials are submitted through an HTML form. Note that these credentials are transmitted in cleartext unless the connection is protected by SSL/TLS, which poses a real risk on untrusted networks.
BAS supports modern password-less authentication methods, enhancing security and user experience:
In BAS, the VFS allows for the hierarchical organization of resources, with each directory node capable of having its own authenticator. This structure enables the implementation of distinct security realms within the application. For instance, a directory node handling sensitive data can be assigned a strict authenticator, while another node may permit public access.
By leveraging the VFS, you can define specific authentication and authorization policies for different sections of your application, ensuring that users have appropriate access based on their credentials and roles.
Beyond authentication, BAS provides mechanisms for user authorization, determining whether an authenticated user has permission to access or perform actions on specific resources. This is typically managed through the implementation of an authorizer, which evaluates user permissions based on factors such as URL paths and HTTP methods.
Implementing role-based access control (RBAC) allows for more granular authorization, where users are assigned roles that define their permissions within the application. This approach enhances security by ensuring users can only access resources and perform actions pertinent to their roles.
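The following is an added example, not BAS's own authorizer API: a deny-by-default authorizer in Python that models the policy described above. Policy is attached to path prefixes that stand in for VFS directory nodes, the most specific (longest) matching prefix governs a request, and each role lists the HTTP methods it may use there. The users, roles, and paths are constructed for illustration, and the path is assumed to be already canonicalized (no `..` segments) by the server's VFS before the check runs.

```python
from typing import Dict, Set

# Per directory node: role -> allowed HTTP methods (constructed sample policy).
# A rule on "/admin/" overrides the umbrella rule on "/" for requests under it.
POLICY: Dict[str, Dict[str, Set[str]]] = {
    "/":            {"guest": {"GET"}, "operator": {"GET"}, "admin": {"GET"}},
    "/api/config/": {"operator": {"GET"}, "admin": {"GET", "PUT", "DELETE"}},
    "/admin/":      {"admin": {"GET", "POST"}},
}

# username -> roles (constructed); a user with no roles is denied everywhere.
USERS: Dict[str, Set[str]] = {
    "alice": {"admin"},
    "bob": {"operator"},
    "carol": {"guest"},
    "eve": set(),
}


def node_for(path: str) -> str:
    """Return the policy node governing `path`: the longest matching prefix,
    or "" when no node applies (which the caller treats as deny)."""
    best = ""
    for node in POLICY:
        if path.startswith(node) and len(node) > len(best):
            best = node
    return best


def authorize(user: str, method: str, path: str) -> bool:
    """True only if at least one of the user's roles permits `method` under
    the governing node. Unknown users, unknown roles and unmatched paths
    all fall through to deny."""
    node = node_for(path)
    if not node:
        return False
    allowed = POLICY[node]
    return any(method.upper() in allowed.get(role, set())
               for role in USERS.get(user, set()))
```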
A login tracker can be associated with an authenticator as an optional security enhancement. A login tracker keeps track of failed and successful logins and their IP addresses.
A login tracker prevents dictionary and brute-force attacks. A dictionary attack consists of trying "every word in the dictionary" as a possible username/password combination. A weak password may be cracked easily if the authenticator does not keep track of the number of failed logins; this is where the login tracker comes to the rescue. The login tracker keeps a RAM database of configurable size holding the clients attempting to log in, and a client can be banned if too many login attempts are made.
A login tracker can be associated with an authenticator created by Lua code, but the login tracker itself must be initialized by the C/C++ startup code. A C/C++ developer can either create a customized login tracker using the provided login tracker APIs, or use the default login tracker. The default login tracker adds Lua bindings for fetching login tracker information.
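As an added example, not BAS's own login tracker implementation, here is a Python model of the behaviour described above: a RAM table of configurable size (the least recently seen client is evicted when it fills up), failed logins counted per client IP inside a sliding window, and a temporary ban once the failure threshold is reached. The thresholds and IP addresses are constructed; time is passed in explicitly so the logic is deterministic.

```python
from collections import OrderedDict
from typing import Dict, List


class LoginTracker:
    def __init__(self, max_entries: int = 1000, max_failures: int = 5,
                 window: float = 300.0, ban_time: float = 900.0):
        self.max_entries = max_entries    # bound on the RAM database
        self.max_failures = max_failures  # failures in `window` before a ban
        self.window = window              # seconds a failure stays relevant
        self.ban_time = ban_time          # seconds a ban lasts
        self.db: "OrderedDict[str, Dict]" = OrderedDict()

    def _entry(self, ip: str) -> Dict:
        """Fetch or create the record for `ip`, marking it most recently used
        and evicting the least recently used record if the table is full."""
        entry = self.db.pop(ip, None) or {"fails": [], "banned_until": 0.0}
        self.db[ip] = entry
        while len(self.db) > self.max_entries:
            self.db.popitem(last=False)
        return entry

    def is_banned(self, ip: str, now: float) -> bool:
        """Ask before authenticating: a banned client is refused outright,
        so the password store is never consulted for it."""
        entry = self.db.get(ip)
        return entry is not None and now < entry["banned_until"]

    def record(self, ip: str, success: bool, now: float) -> bool:
        """Record a login outcome; return True if the client is now banned."""
        entry = self._entry(ip)
        if success:
            entry["fails"].clear()        # a good login clears the slate
            return False
        recent: List[float] = [t for t in entry["fails"] if now - t < self.window]
        recent.append(now)
        entry["fails"] = recent
        if len(recent) >= self.max_failures:
            entry["banned_until"] = now + self.ban_time
            entry["fails"] = []
            return True
        return False
```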