The non-java project is being replaced by a client and a server project
in order to allow for the client component to be consumed by distributions targeting the desktop. This check-in is for the server project.
This commit is contained in:
Juan Carlos Luciani
99
CASA-auth-token/server/AuthTokenValidate/README
Normal file
99
CASA-auth-token/server/AuthTokenValidate/README
Normal file
@@ -0,0 +1,99 @@
|
||||
/***********************************************************************
|
||||
*
|
||||
* Copyright (C) 2006 Novell, Inc. All Rights Reserved.
|
||||
*
|
||||
* This library is free software; you can redistribute it and/or
|
||||
* modify it under the terms of the GNU Lesser General Public
|
||||
* License as published by the Free Software Foundation; version 2.1
|
||||
* of the License.
|
||||
*
|
||||
* This library is distributed in the hope that it will be useful,
|
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
||||
* Library Lesser General Public License for more details.
|
||||
*
|
||||
* You should have received a copy of the GNU Lesser General Public
|
||||
* License along with this library; if not, Novell, Inc.
|
||||
*
|
||||
* To contact Novell about this file by physical or electronic mail,
|
||||
* you may find current contact information at www.novell.com.
|
||||
*
|
||||
* Author: Juan Carlos Luciani <jluciani@novell.com>
|
||||
*
|
||||
***********************************************************************/
|
||||
/***********************************************************************
|
||||
*
|
||||
* README for libcasa_s_authtoken
|
||||
*
|
||||
***********************************************************************/
|
||||
|
||||
INTRODUCTION
|
||||
|
||||
libcasa_s_authtoken provides an API for the validation of CASA Authentication Tokens.
|
||||
The API provides a means for obtaining identity information about authenticated
|
||||
entities.
|
||||
|
||||
Applications should avoid calling directly into this library's APIs. Instead, applications
|
||||
should code to the PAM API to validate authentication credentials or allow an external
|
||||
module to perform the credential validation. To facilitate this, CASA Authentication
|
||||
provides PAM, Apache, and JAAS modules that can be used to validate credentials containing
|
||||
CASA Authentication tokens,
|
||||
|
||||
libcasa_s_authtoken relies on the CasaAuthtokenValidateD service in order to perform its
|
||||
functions. To learn more about CasaAuthtokenValidateD see the Svc folder.
|
||||
|
||||
CONFIGURING ADDITIONAL IDENTITY TOKEN PROVIDER MODULES
|
||||
|
||||
CASA Authentication Tokens contain Identity Tokens. The Identity Tokens contain the identity
|
||||
information about the entity being authenticated. Identity Tokens can be of different types,
|
||||
the type utilized for use with a particular service is configured at the time that the service
|
||||
is configured for CASA Authentication. The default identity token type is CasaIdentityToken.
|
||||
|
||||
libcasa_s_authtoken supports different identity token types through an API that allows for the
|
||||
configuration of different Identity Token Provider plug-ins. An Identity Token Provider plug-in
|
||||
is configured by placing a configuration file for the plug-ins in the
|
||||
/etc/CASA/authtoken/modules folder. The name of the plug-in configuration file is related
|
||||
to the identity token type in the following manner: IdentityTokenTypeName.conf.
|
||||
|
||||
Identity Token Provider plug-in configuration files must must contain a directive indicating the
|
||||
path to the library implementing the Identity Token Provider plug-in (See the configuration file
|
||||
for the CasaIdentityToken plug-in for an example).
|
||||
|
||||
SERVER APPLICATION PROGRAMMING NOTES
|
||||
|
||||
The Validate CASA Authentication Token API is defined in casa_s_authtoken.h.
|
||||
|
||||
The API consists of a call to validate authentication tokens. The caller must supply a service
|
||||
name which must match the service name provided by the client when requesting the authentication
|
||||
token. Successful calls to the validate authentication token API will return a handle to a principal
|
||||
interface object. The principal interface object handle can be used to obtain identity information
|
||||
about the authenticated entity as well as information about the authentication realm. The principal
|
||||
interface object must be released after it is no longer needed. The amount and type of identity
|
||||
information associated with the principal interface is dependent on what is configured at the
|
||||
time that the service is enabled for CASA Authentication.
|
||||
|
||||
For examples of code which uses the Validate CASA Authentication Token API look at the implementations
|
||||
of the CASA Authentication PAM module and the CASA Authentication Provider Apache module.
|
||||
|
||||
IDENTITY TOKEN PROVIDER PROGRAMMING NOTES
|
||||
|
||||
The Identity Token Provider API is defined in iden_token_provider.h.
|
||||
|
||||
For an example see the implementation of the CASA Identity Token Provider.
|
||||
|
||||
SECURITY CONSIDERATIONS
|
||||
|
||||
CASA Authentication Tokens when compromised can be used to either impersonate
|
||||
a user or to obtain identity information about the user. Because of this it is
|
||||
important that the tokens be secured by applications making use of them. It is
|
||||
recommended that the tokens be transmitted using SSL.
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
Reference in New Issue
Block a user