
Version 7 (modified by pjkersha, 9 years ago)


Browser Based Access to TDS Using ESG Filter Based Security Architecture

Secured TDS using ESG Security Filters

Sequence diagram drawn with http://websequencediagrams.com; the diagram source follows:

participant "User via browser"
participant "TDS: Authentication Redirect Filter"
participant "TDS: Authorization Filter"
participant "TDS"
participant "Authentication Service: SSL Filter"
participant "Authentication Service: OpenID RP Filter"
participant "Gateway OpenID Provider"
participant "Gateway Authorization Service"

"User via browser" -> "TDS: Authentication Redirect Filter": TDS request intercepted by\nauthentication filter
"TDS: Authentication Redirect Filter" -> "TDS: Authentication Redirect Filter": is the request to a secured resource?
"TDS: Authentication Redirect Filter" -> "TDS: Authentication Redirect Filter": is the user authenticated?
"TDS: Authentication Redirect Filter" -> "User via browser": The resource is secured but user\nis not authenticated: \nrequest client redirect\nto Authentication Service
"User via browser" -> "Authentication Service: SSL Filter": Authentication request
"Authentication Service: SSL Filter" -> "Authentication Service: SSL Filter": Did the client provide a\ncertificate in the\nSSL handshake?  If so,\nuse it to authenticate them
"Authentication Service: SSL Filter" -> "Authentication Service: OpenID RP Filter": No certificate provided,\npass on to next middleware
"Authentication Service: OpenID RP Filter" -> "User via browser": Display OpenID Sign in page
"User via browser" -> "Authentication Service: OpenID RP Filter": Post OpenID URL
"Authentication Service: OpenID RP Filter" -> "User via browser": request redirect to OpenID Provider
"User via browser" -> "Gateway OpenID Provider": Get login page
"Gateway OpenID Provider" -> "User via browser": return login page
"User via browser" -> "Gateway OpenID Provider": Post username, password
"Gateway OpenID Provider" -> "User via browser": login succeeded: request redirect back to Authentication Service.
"User via browser" -> "Authentication Service: OpenID RP Filter": Redirect back carrying the\nOpenID authentication response
"Authentication Service: OpenID RP Filter" -> "Authentication Service: OpenID RP Filter": verify OpenID response,\nset session cookie
"Authentication Service: OpenID RP Filter" -> "User via browser": request redirect back to\noriginal TDS request URL.
"User via browser" -> "TDS: Authentication Redirect Filter": Request intercepted by Redirect\nFilter again
"TDS: Authentication Redirect Filter" -> "TDS: Authentication Redirect Filter": is the request to a secured resource?
"TDS: Authentication Redirect Filter" -> "TDS: Authentication Redirect Filter": is the user authenticated?
"TDS: Authentication Redirect Filter" -> "TDS: Authorization Filter": Pass to authorization filter because,\nyes the request is to a secured\nresource and the user is\nauthenticated.
"TDS: Authorization Filter" -> "Gateway Authorization Service": AuthzDecisionQuery(userId, resourceURI)
"Gateway Authorization Service" -> "TDS: Authorization Filter": AuthzDecisionStatement Grant/Deny
"TDS: Authorization Filter" -> "TDS": The decision was Grant:\npass on the request\nto the TDS.
"TDS" -> "User via browser": Serve data requested
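The following is an added example, not code from this page or from the ESG/NDG security filters themselves: a small Python model of the two TDS-side filters in the diagram above (the Authentication Redirect Filter's "secured? authenticated?" checks, then the Authorization Filter's AuthzDecisionQuery). The authentication service URL, the secured path prefix, the session table and the ACL inside the stand-in authorization service are all constructed for the example.

```python
from urllib.parse import urlencode

AUTH_SERVICE_URL = "https://auth.example.org/login"   # assumed Authentication Service endpoint
TDS_BASE_URL = "https://tds.example.org"               # assumed TDS host
SECURED_PREFIXES = ("/thredds/dodsC/secured/",)        # assumed protected resource paths

# Constructed stand-in for the session store the OpenID RP Filter populates:
# session cookie value -> authenticated user id.
SESSIONS = {"s3ss10n-alice": "alice", "s3ss10n-bob": "bob"}


def authz_decision_query(user_id, resource_uri):
    """Stand-in for the Gateway Authorization Service: returns 'Grant' or 'Deny'."""
    acl = {"/thredds/dodsC/secured/cmip5/": {"alice"}}   # constructed ACL
    for prefix, allowed in acl.items():
        if resource_uri.startswith(prefix):
            return "Grant" if user_id in allowed else "Deny"
    return "Deny"   # default deny: a secured resource with no ACL entry is never served


def tds_serve(path):
    """The TDS itself: only reached once both filters have passed the request on."""
    return {"status": 200, "body": f"data for {path}"}


def authorization_filter(user_id, path):
    """TDS: Authorization Filter. Asks the authorization service, forwards only on Grant."""
    decision = authz_decision_query(user_id, path)
    if decision != "Grant":
        return {"status": 403, "body": "AuthzDecisionStatement: Deny"}
    return tds_serve(path)


def authentication_redirect_filter(path, cookies):
    """TDS: Authentication Redirect Filter. Entry point for every TDS request."""
    if not path.startswith(SECURED_PREFIXES):
        return tds_serve(path)              # not a secured resource: straight to TDS
    user_id = SESSIONS.get(cookies.get("session"))
    if user_id is None:
        # Secured but not authenticated: redirect the client to the Authentication
        # Service, carrying the original URL so the RP filter can send the browser
        # back to it after login. The Authentication Service must check that this
        # return URL points at a TDS host it knows before redirecting to it.
        query = urlencode({"return_to": TDS_BASE_URL + path})
        return {"status": 302, "location": f"{AUTH_SERVICE_URL}?{query}"}
    return authorization_filter(user_id, path)
```

Running the filter for a secured path with no cookie yields the 302 to the Authentication Service; with alice's cookie the cmip5 path is served, and with bob's it is refused with a 403.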
