Authentication is the process of verifying that the user of an application or program is who they claim to be, that is, of detecting an impostor. It works by matching the credentials the user presents against the information held in a database or in the operating system, which is why users are asked to supply identifying information in the first place. Authentication succeeds only when the presented credentials match the stored information, at which point verification is complete. In a web application the mechanism has two parts: asking the user for credentials, typically a login name and a password, and then checking those credentials against a trusted source. Web-based applications such as Java servlets and JSP pages handle this in the same way (Microsoft, 2017). Authentication is not the same as authorization: authentication establishes who the user is and admits them to the website, but it does not by itself decide which parts of the website that user may use. Which parts a user can reach once their identity has been confirmed is the job of authorization.
Several forms of authentication can be applied, such as HTTP Basic, HTTP Digest, digital (client) certificates, form-based authentication, entity authentication and password-based authentication, each of which has several subtypes. The first type is Basic authentication (Microsoft, 2017). Basic authentication asks the user for a username and a password when they request a protected JSP page. The prompt is built into the web browser: the server answers the first request with an HTTP 401 Unauthorized status and a WWW-Authenticate: Basic challenge, and the browser displays its own login dialog. The browser then resends the request with an Authorization header carrying the username and password joined by a colon and encoded in base64. If the credentials do not match, the server answers 401 again; browsers typically re-prompt a limited number of times (commonly three) before displaying the server's 401 error page, after which the user can use the web application only if one of those attempts succeeded. The level of security is lower than is often assumed. Base64 is an encoding, not encryption, so anyone who can observe the request can read the password, and the browser resends it with every request to the protected area. Basic authentication is therefore acceptable only over TLS (HTTPS), and the server should store a salted hash of the password rather than the password itself.
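The Basic flow above, written out as an added example (this code is not from the cited sources): the client builds the Authorization header, the server parses and checks it, and a third function shows what a passive observer recovers from the header when the connection is not protected by TLS. The user store is a constructed plaintext dictionary for illustration only.

```python
import base64
import binascii
import hmac

# Constructed credential store (username -> password) for this example only.
# A real server would keep a salted password hash, never the plaintext.
USERS = {"alice": "correct horse battery staple"}


def build_basic_header(username: str, password: str) -> str:
    """Client side: the Authorization header the browser sends after its login dialog."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_basic_header(header: str):
    """Server side: recover (username, password) from the header, or None if malformed."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # A password may itself contain ':'; only the first colon separates the fields.
    username, sep, password = raw.partition(":")
    if not sep:
        return None
    return username, password


def check_basic(header: str) -> int:
    """Server side: the HTTP status to answer with. 200 on a match, otherwise 401,
    which makes the browser re-prompt or, after its retry limit, show the 401 page."""
    creds = parse_basic_header(header)
    if creds is None:
        return 401
    username, password = creds
    expected = USERS.get(username)
    # Constant-time comparison so timing does not reveal how many characters matched.
    if expected is not None and hmac.compare_digest(password.encode("utf-8"),
                                                    expected.encode("utf-8")):
        return 200
    return 401


def decode_without_secret(header: str) -> str:
    """What a passive observer on a non-TLS connection sees: base64 is an
    encoding, not encryption, so the password comes back with no key at all."""
    return base64.b64decode(header.split(" ", 1)[1]).decode("utf-8")


if __name__ == "__main__":
    header = build_basic_header("alice", "correct horse battery staple")
    print(check_basic(header))                             # 200
    print(check_basic(build_basic_header("alice", "no")))  # 401
    print(decode_without_secret(header))                   # alice:correct horse battery staple
```

The `decode_without_secret` function is the reason the paragraph above insists on TLS: it needs no key, no guessing and no server cooperation.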
The second technique is Digest authentication. It resembles Basic in its challenge and response flow, but in Digest the password itself is never sent. Instead the client hashes the username, the realm and the password, separately hashes the HTTP method and the request URI, and combines the two results with a server-supplied nonce (a one-time random value), a request counter and a client nonce into a single hash value, which it sends as its response. The server, which knows the password (or has stored the hash of username, realm and password), performs the same computation and grants access only if its result matches the value the client sent. This is more secure than Basic because an eavesdropper sees only the hash, and because the nonce is part of the hash a captured response cannot simply be replayed: the server remembers the nonce and the request counter and rejects a repeated counter value. The nonce also has a limited lifetime. Once it expires the server rejects the request and flags the challenge as stale, so the client must obtain a fresh nonce and recompute its response before it can try again (TheServerSide, 2016). Two caveats remain. The hash function the original specification uses is MD5 (newer servers may offer SHA-256), and a captured exchange can still be attacked offline by guessing passwords and recomputing the hash, so Digest protects the password only as well as the password's own strength allows.
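The Digest computation and the server-side nonce handling above, as an added example that is not part of the cited sources. Both sides are shown: the client's response calculation for qop=auth as defined in RFC 2617, and a small server that issues nonces, rejects reused request counters and expires nonces after a time limit. The user store, realm, nonce lifetime and clock injection are constructed for the example; `offline_guess` shows the caveat that a captured exchange can be attacked by guessing.

```python
import hashlib
import hmac
import secrets
import time

NONCE_TTL = 60  # seconds a server nonce stays valid (assumed value for this example)

# Constructed credential store for this example only. RFC 2617 lets a server store
# H(username:realm:password) instead of the password; kept as plaintext here for clarity.
USERS = {"alice": "correct horse battery staple"}


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def digest_response(username, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """Client side: the response= value for qop=auth (RFC 2617 section 3.2.2)."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def parse_digest_params(header: str) -> dict:
    """Split 'Digest k="v", k2="v2"' into a dict with the quotes removed."""
    body = header.split(" ", 1)[1]
    pairs = (p.strip().split("=", 1) for p in body.split(","))
    return {k: v.strip('"') for k, v in pairs}


class DigestServer:
    def __init__(self, realm="example.org", now=time.time):
        self.realm = realm
        self.now = now      # injectable clock so nonce expiry can be exercised
        self.nonces = {}    # nonce -> [issued_at, highest nc accepted so far]

    def challenge(self) -> str:
        """The WWW-Authenticate header sent with the initial 401 response."""
        nonce = secrets.token_hex(16)
        self.nonces[nonce] = [self.now(), 0]
        return f'Digest realm="{self.realm}", qop="auth", nonce="{nonce}"'

    def verify(self, username, method, uri, nonce, nc, cnonce, response) -> str:
        """Server side. Returns 'ok', 'stale' (unknown or expired nonce: the client
        must fetch a new challenge), 'replay' (request counter reused) or 'bad'."""
        entry = self.nonces.get(nonce)
        if entry is None or self.now() - entry[0] > NONCE_TTL:
            self.nonces.pop(nonce, None)
            return "stale"
        nc_value = int(nc, 16)
        if nc_value <= entry[1]:
            return "replay"
        password = USERS.get(username)
        if password is None:
            return "bad"
        expected = digest_response(username, self.realm, password, method, uri, nonce, nc, cnonce)
        if not hmac.compare_digest(expected, response):
            return "bad"
        entry[1] = nc_value
        return "ok"


def offline_guess(username, realm, method, uri, nonce, nc, cnonce, response, wordlist):
    """Why Digest is not uncrackable: an observer who captured one exchange can test
    candidate passwords offline at hash speed. Returns the matching candidate or None."""
    for candidate in wordlist:
        if digest_response(username, realm, candidate, method, uri, nonce, nc, cnonce) == response:
            return candidate
    return None


def rfc2617_example_matches() -> bool:
    """Check the computation against the worked example in RFC 2617 section 3.5."""
    resp = digest_response("Mufasa", "testrealm@host.com", "Circle Of Life", "GET",
                           "/dir/index.html", "dcd98b7102dd2f0e8b11d0f600bfb0c093",
                           "00000001", "0a4f113b")
    return resp == "6629fae49393a05397450978507c4ef1"


if __name__ == "__main__":
    server = DigestServer()
    params = parse_digest_params(server.challenge())
    resp = digest_response("alice", params["realm"], USERS["alice"], "GET", "/secret",
                           params["nonce"], "00000001", "0a4f113b")
    args = ("alice", "GET", "/secret", params["nonce"], "00000001", "0a4f113b", resp)
    print(server.verify(*args))  # ok
    print(server.verify(*args))  # replay
```

The replay check relies on the request counter increasing under a given nonce; once the nonce has aged past `NONCE_TTL` the server answers stale rather than bad, which tells a legitimate client to re-challenge without treating the attempt as a wrong password.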
The third is client certificate authentication. Here every client that needs to gain access must hold a certificate that proves its identity. The protocol used is Transport Layer Security (TLS), the successor of the Secure Sockets Layer protocol (SSL) under whose name it is still often described. The certificate contains the client's name, its public key, the name of the Certificate Authority (CA) that issued it, an expiration date and the CA's digital signature, which the server verifies. During the TLS handshake a server that has been configured to require client certificates asks the client for its certificate and for a signature made with the matching private key; access is granted only if the certificate chains to a CA the server trusts, has not expired (and, where the server checks, has not been revoked) and the signature verifies (Villanueva, 2017). Otherwise the connection is refused. Because the private key never leaves the client and there is no password to guess, this provides a high level of security, at the cost of issuing and managing a certificate for every client.
References
Microsoft (2017). Authentication. Retrieved from https://msdn.microsoft.com/en-us/library/aa478979.aspx
TheServerSide. (2016). Authentication mechanisms for web applications. Retrieved January 28, 2017, from http://www.theserverside.com/news/thread.tss?thread_id=80541
Villanueva, J. C. (2017, January 21). What is client certificate authentication? Retrieved January 28, 2017, from http://www.jscape.com/blog/client-certificate-authentication