Distributed Access Control System (DACS)
The Distributed Access Control System (DACS) is a light-weight single sign-on and role-based access control system for web servers and server-based software. DACS is primarily used with Apache web servers to provide enhanced access control for web pages, CGI programs and servlets, and other web-based assets, and to federate Apache servers.

Released under an open source license, DACS provides a modular authentication framework that supports an array of common authentication methods and a rule-based authorization engine that can grant or deny access to resources, named by URLs, based on the identity of the requestor and other contextual information. Administrators can configure DACS to identify users by employing authentication methods and user accounts already available within their organization. The resulting DACS identities are recognized at all DACS jurisdictions that have been federated.

In addition to simple web-based APIs, command-line interfaces are also provided to much of the functionality.

Development of DACS began in 2001,
with the first open source release made available in 2005.

Authentication

DACS can use any of the following authentication methods and account types:
  • X.509 client certificates via SSL
  • self-issued or managed Information Cards (InfoCards)
  • two-factor authentication
  • counter-based (HOTP), time-based (TOTP), or grid-based one-time passwords, including security tokens
  • Unix-like systems' password-based accounts
  • Apache authentication modules and their password files
  • Windows NT LAN Manager (NTLM) accounts
  • LDAP or Microsoft Active Directory (ADS) accounts
  • Central Authentication Service (CAS)
  • HTTP requests (e.g., Google ClientLogin)
  • PAM-based accounts
  • private username/password databases
  • imported identities
  • computed identities


The extensible architecture allows new methods to be introduced.

DACS can also act as an Identity Provider for InfoCards and function as a Relying Party.

Authorization

DACS performs access control by evaluating access control rules that are specified by an administrator.
Expressed as a set of XML documents, the rules are consulted at run-time to determine whether access to a given resource should be granted or denied.
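To make the run-time evaluation concrete, here is an added example (not part of the original article and not DACS's own ACL syntax) of a small rule engine that reads a constructed, simplified XML rule set and decides access to a URL-named resource from the requestor's federated identity (jurisdiction, roles) and request context (client address). The element names, attributes and the identity/context dictionaries are illustrative assumptions; an explicit deny wins over any allow, and an unmatched resource fails closed.

```python
import fnmatch
import ipaddress
import xml.etree.ElementTree as ET

# Constructed, simplified rule document. The element names and attributes are a
# hypothetical illustration of "rules expressed as XML documents", not the real
# DACS ACL format.
RULES_XML = """
<acls>
  <acl url_pattern="/admin/*" default="deny">
    <allow roles="admin" jurisdictions="HQ"/>
  </acl>
  <acl url_pattern="/reports/*" default="deny">
    <allow roles="analyst,admin" from="10.0.0.0/8"/>
    <deny jurisdictions="GUEST"/>
  </acl>
  <acl url_pattern="/public/*" default="allow"/>
</acls>
"""


def _matches(clause, identity, ctx):
    """True if every constraint on an allow/deny clause holds for this request."""
    roles = clause.get("roles")
    if roles and not set(roles.split(",")) & set(identity["roles"]):
        return False
    juris = clause.get("jurisdictions")
    if juris and identity["jurisdiction"] not in juris.split(","):
        return False
    net = clause.get("from")
    if net and ipaddress.ip_address(ctx["client_ip"]) not in ipaddress.ip_network(net):
        return False
    return True


def authorize(rules_xml, url, identity, ctx):
    """Return 'allow' or 'deny' for a resource named by URL.

    Deny clauses are checked before allow clauses so an explicit deny always
    wins; a resource no rule covers is denied (fail closed).
    """
    for acl in ET.fromstring(rules_xml).findall("acl"):
        if not fnmatch.fnmatchcase(url, acl.get("url_pattern")):
            continue
        if any(_matches(c, identity, ctx) for c in acl.findall("deny")):
            return "deny"
        if any(_matches(c, identity, ctx) for c in acl.findall("allow")):
            return "allow"
        return acl.get("default", "deny")
    return "deny"
```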

The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.
 