
Encryption Mechanisms in Polaris API for Secure Access Control
Explore the robust authorization and authentication mechanisms in Polaris API, including user authentication, access control, and signature generation. Learn how Polaris ensures secure communication between clients and servers.
Presentation Transcript
Slide 1: Polaris API: Roundtable Discussion
Jeffrey Young, Polaris Library Systems

Slide 2: Polaris API Authorization/Authentication

Slide 3: Polaris API Service: Authorization and Authentication
- Authorization: Are you allowed to use the service? Controls access rights to a resource.
- Authentication: Confirms the identity of a person. Are you who you say you are?

Slide 4: Polaris API Service: Authorization Mechanism
- HTTP request header Authorization field
- Format: PWS [PAPIAccessKeyID]:[Signature]
- Signature is a custom hash
- Example: Authorization: PWS polarisdev:j5h3Jee/23aUWT3OGRNEF06cOFc=
- Modeled after Amazon's and Google's Authorization models
- PAPI Access Key ID and Key are assigned by a Polaris Support Engineer
- Symmetric key: both sides know the secret key
- Stored in the PAPIUsers table

Slide 5: Polaris API Service: Authorization Signature
- Signature is a custom hash built on a formula known to both the client and server: [HTTP Method][URI][Date][Patron Password]
- SHA1 (Secure Hash Algorithm), encoded as a Base64 string
- The PAPI Access Key is used to create an HMAC (Hash-based Message Authentication Code)
- The password is not actually passed over the wire
- The PAPI Access Key is used by both the client and server but is never passed over the wire; it is used internally to build the hash
- The PAPI Service uses the PAPIAccessKeyID to look up the Key in the database

Slide 6: Polaris API Service: Authorization: HTTP Request Header Date Field
- Date format (RFC 1123): ddd, dd MMM yyyy HH:mm:ss GMT
- Example: Date: Wed, 09 Oct 2011 22:23:32 GMT
- May also use the PolarisDate field (name:value pair): PolarisDate: ddd, dd MMM yyyy HH:mm:ss GMT
- Must match the date used to construct the custom hash signature
- Used to help prevent playback (replay) attacks
- The request must be within 30 minutes of the current time on the server

Slide 7: Polaris API Service: Authentication
- Public Methods: PAC-related functionality tied to a patron; API methods typically driven by the patron (creating holds, a patron accessing their account information)
- Protected Methods: API methods traditionally driven by library staff (check-in/out, patron registration)

Slide 8: Polaris API Service: Public Authentication
- Public Methods: the URL contains the patron's barcode
- Built into the URL and based on the Authorization hash signature
- Example: http://orion.polarislibrary.com/PAPIService/REST/public/v1/1033/100/1/patron/25678000000251
- The signature is built using the patron's password
- The patron password is never passed over the wire

Slide 9: Using the PAPI Web Service: Authentication
- Sample code (Patron Authentication Example): PAPIHash.java, PAPIHash.cs, PatronValidate.php

Slide 10: Polaris API Service: Protected Authentication
- Protected Methods: authenticating the staff user based on a domain account
- Requires a separate call to AuthenticateStaffUser; domain, user and password are POSTed
- Must use HTTPS; a future release will enforce the requirement

Slide 11: Polaris API Service: Protected Authentication (continued)
- AuthenticateStaffUser returns an AccessToken and an AccessSecret
- Protected methods contain the AccessToken in the URI: https://[hostname]/PAPIService/REST/protected/v1/1033/100/1/[AccessToken]/organizatio...
- The Authorization hash is now built using the AccessSecret
- AccessToken and AccessKey are stored in the database (PAPIStaffAuthentication, PAPIStaffAuthenticationFailures)
- The PAPI Processing job deletes expired tokens
- 3 failed login attempts lock the account for 5 minutes
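The signing scheme from slides 4 to 6 (PWS header, HMAC-SHA1 over method, URI, date and patron password, RFC 1123 date, 30-minute window) together with the AccessSecret substitution from slide 11, as an added Python example that is not Polaris code and not the sample files listed on slide 9; the key ID, key and URIs are constructed, and the precedence of PolarisDate over Date is an assumption.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime, parsedate_to_datetime

# Constructed credentials for this example; real IDs and keys are issued by Polaris Support.
ACCESS_KEY_ID = "polarisdev"
ACCESS_KEY = "constructed-example-access-key"
MAX_SKEW = timedelta(minutes=30)  # slide 6: request must be within 30 minutes of server time


def papi_signature(access_key, method, uri, date_str, secret=""):
    """HMAC-SHA1 over [Method][URI][Date][Secret], Base64 string (slide 5).
    `secret` is the patron password for public methods, the AccessSecret for
    protected methods (slide 11), and empty when neither applies."""
    msg = f"{method}{uri}{date_str}{secret}".encode("utf-8")
    digest = hmac.new(access_key.encode("utf-8"), msg, hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def build_headers(method, uri, secret="", now=None):
    """Client side: RFC 1123 Date plus 'PWS [PAPIAccessKeyID]:[Signature]' (slide 4)."""
    now = now or datetime.now(timezone.utc)
    date_str = format_datetime(now, usegmt=True)  # e.g. "Wed, 09 Oct 2011 22:23:32 GMT"
    sig = papi_signature(ACCESS_KEY, method, uri, date_str, secret)
    return {"Date": date_str, "Authorization": f"PWS {ACCESS_KEY_ID}:{sig}"}


def verify_request(headers, method, uri, secret, key_lookup, server_now=None):
    """Server side: look up the key by ID, enforce the 30-minute window,
    recompute the HMAC and compare in constant time. Assumption: PolarisDate,
    when present, takes precedence over Date."""
    server_now = server_now or datetime.now(timezone.utc)
    auth = headers.get("Authorization", "")
    if not auth.startswith("PWS "):
        return False
    key_id, sep, presented = auth[4:].partition(":")
    key = key_lookup(key_id)  # server-side lookup, e.g. the PAPIUsers table
    if not sep or key is None:
        return False
    date_str = headers.get("PolarisDate") or headers.get("Date", "")
    try:
        sent = parsedate_to_datetime(date_str)
    except (TypeError, ValueError):
        return False
    if sent.tzinfo is None or abs(server_now - sent) > MAX_SKEW:
        return False
    expected = papi_signature(key, method, uri, date_str, secret)
    return hmac.compare_digest(expected.encode(), presented.encode())
```

The verifier recomputes the signature from the request it actually received, so a changed method, URI or date invalidates the header without the password or key ever crossing the wire.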
Slide 12: Polaris API Service: Authorization and Authentication Levels
- NONE: authorization is not required (debug use only)
- PATRON: require authorization and authentication for patron-related API calls
- ALL: require authorization and authentication (where applicable) for all API calls
- Defined in Web.config / User.config: <add key="AuthenticationLevel" value="ALL"/>

Slide 13: Polaris API Service: Documentation
- Documentation on the Polaris Developer Network:
- http://developer.polarislibrary.com/media/867/polarisapi_protectedmethods.v4.draft.pdf
- http://developer.polarislibrary.com/media/517/papiservice4_0.pdf

Slide 14: Moving Forward

Slide 15: Moving Forward: Next Features?
- Public (PAC related): Return facets with search? Save title lists?
- Protected (Staff Client related): Check-In, Check-Out, Patron Registration, Patron Status, Place Hold Request, Item Record Retrieval, Full Bib Retrieval

Slide 16: Questions?