SCAAS: A Secure Authentication and Access Control System for Web Application Development

By Hwang, Drew; Wang, Wendy et al. | Communications of the IIMA, January 2007

Hwang, Drew, Wang, Wendy, Politte, Blake, Communications of the IIMA


ABSTRACT

User authentication and data access are becoming two of the most common areas for web attacks. Most security vulnerabilities occur in areas of coding where Web security has lapsed. This paper describes the design and development of a Secure Authentication and Access Control System (SCAAS), implemented as a reusable library that provides data-driven and encryption-based authentication and access control for use with ASP.NET applications.

INTRODUCTION

Web sites today face many threats to the confidentiality and integrity of the data they use and the functionality their applications provide. This problem is compounded by the fact that Web developers simply lack either adequate knowledge and skills in writing secure Web application code (Huang et al., 2005) or sufficient testing methodologies for the audit and control of Web development (Mansouir and Houri, 2006). Work on the design and implementation of security measures for Web applications is greatly needed.

User authentication and data access are becoming two of the most common areas for web attacks now that procedures such as single sign-on and authentication delegation have become practically indispensable in e-business environments (Paulus, 2001). These two types of on-line vulnerability can be countered by securing the user account database that opens the gate to the application and by encrypting the SQL connection that leads to the data store.

This paper describes the design and development of a Secure Authentication and Access Control System, herein referred to as SCAAS, implemented as a reusable library that provides data-driven and encryption-based authentication and access control for use with ASP.NET applications. SCAAS employs Microsoft SQL Server to persist the security definitions that the SCAAS run-time system utilizes. The SCAAS database will be herein referred to as the SCAAS User Registry. The system also provides an ASP.NET based administration application that is used to maintain the data in the SCAAS User Registry.

SCAAS COMPONENTS

SCAAS consists of four major components. Their definition and functionalities are described as follows:

SCAAS Framework

This is the core of the SCAAS run-time application and a .NET library written in C#. Included in the namespace are four classes that make up the SCAAS Framework: SCAASManager, SCAASManagerHelper, SCAASDataProtector, and SCAASException. These classes will be further discussed in Section 3.

SCAAS User Registry

This is a Microsoft SQL Server database named UserAccounts that provides the basis for the SCAAS User Registry. The SCAAS Framework works closely with the UserAccounts database. Any connectivity between the SCAAS Framework and the UserAccounts database is done securely with .NET enabled encryption and decryption procedures. The SCAAS User Registry can be updated through the SCAASAdmin ASP.NET application included in the system.

SCAAS Admin ASP.NET Application

This is the ASP.NET application developed to update the SCAAS User Registry. This application utilizes the FormsAuthentication mode of the SCAAS Framework. Because of this, the application also serves as a good example of an implementation of the FormsAuthentication mode of the SCAAS framework.

DPAPIClientWeb ASP.NET Application

This is the utility application that is vital for the SCAAS run-time to operate correctly. This ASP.NET application is used to generate the encrypted connection strings used both by the SCAAS run-time and by client applications that wish to use the secure database connection management provided by the SCAAS API.
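The page does not show how DPAPIClientWeb or the SCAAS run-time protect a connection string, so the following is an added illustration, not the SCAAS code: it uses the .NET ProtectedData wrapper around the Windows Data Protection API (System.Security.Cryptography, available since .NET Framework 2.0, Windows only) to produce a base64 value that can be stored in web.config and decrypted at run time. The helper name, the entropy constant and the sample connection string are constructed for this example.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Hypothetical helper (not part of SCAAS): protects and unprotects a SQL
// connection string with DPAPI through the ProtectedData class.
public static class ConnectionStringProtector
{
    // Optional entropy: a process on the same machine must also know this
    // value to decrypt. Constructed for the example; the page does not say
    // whether SCAAS uses entropy.
    private static readonly byte[] Entropy =
        Encoding.UTF8.GetBytes("example-entropy-change-me");

    // Encrypts under the machine key so any account on this host (for
    // example the ASP.NET worker process) can decrypt, and returns base64
    // suitable for a configuration file.
    public static string Protect(string connectionString)
    {
        byte[] plain = Encoding.UTF8.GetBytes(connectionString);
        byte[] cipher = ProtectedData.Protect(
            plain, Entropy, DataProtectionScope.LocalMachine);
        return Convert.ToBase64String(cipher);
    }

    // Reverses Protect. Succeeds only on the machine where Protect ran:
    // a web.config copied off the host yields a CryptographicException,
    // which is the property that makes the stored string safe to persist.
    public static string Unprotect(string protectedBase64)
    {
        byte[] cipher = Convert.FromBase64String(protectedBase64);
        byte[] plain = ProtectedData.Unprotect(
            cipher, Entropy, DataProtectionScope.LocalMachine);
        return Encoding.UTF8.GetString(plain);
    }

    public static void Main()
    {
        // Constructed sample; the credential is a placeholder.
        string cs = "Server=(local);Database=UserAccounts;" +
                    "User ID=scaas;Password=PLACEHOLDER;";
        string stored = Protect(cs);
        Console.WriteLine("Value for web.config: " + stored);
        Console.WriteLine("Round trip ok: " + (Unprotect(stored) == cs));
    }
}
```

Because the ciphertext is bound to the host's DPAPI master key, the encrypted string must be generated on the deployment machine itself, which is why a utility such as DPAPIClientWeb runs on the web server rather than on a developer workstation.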

THE SCAAS FRAMEWORK

The SCAAS framework is the core component of the SCAAS system and is based on Microsoft's Forms Authentication model for authentication and authorization of ASP.NET applications. Microsoft's Forms Authentication model is not a complete security solution but rather the bits and pieces required to be built upon. …
