Jan Wielemaker edited this page Jun 1, 2016 · 1 revision

Authentication for SWISH

SWISH can be used in many settings that require different levels of authentication.

  • Currently, the following options are provided:

    • Anonymous usage is what is used by http://swish.swi-prolog.org. Anyone can run safe queries and save programs and notebooks.
    • Authenticated usage can currently be enabled by loading lib/authenticate.pl. This uses (by default) HTTP digest based login and allows the user to run any Prolog query.
    • Mixed usage is currently provided by the SWISH plugin for ClioPatria, which allows safe queries for users who are not logged on and any Prolog query for logged-on users.
  • Desirable options

    • Social login, providing the same rights as anonymous usage, but tracking edits to saved sources using the provided credentials.
    • EduGain login to facilitate
      • Student identification: students will typically be allowed to run safe queries. Saved files cannot be seen by other students and are associated with the student.
      • Researcher identification: researchers may have rights depending on their role.

Authentication options

  • Currently, the SWI-Prolog HTTP infrastructure allows for

    • Basic HTTP authentication. Not very useful in this context.
    • Digest HTTP authentication. Provides (fairly) safe login and protects against session stealing, but does not protect the privacy of the communication itself. This is the default for lib/authenticate.pl. Digest authentication always protects the entire site: logging in via a protected location and then checking the authentication on other locations does not work, as the digest sequence is in practice frequently re-established due to timeouts.
    • Form based login using session cookies. This is used by ClioPatria. Unsafe, unless used over HTTPS.
    • OpenID based login, using session cookies.
    • Google login (OAuth). Same properties as OpenID. Used by the SWI-Prolog website.

    We can support HTTPS. This is fine for permanently hosted servers. Less ideal for temporary servers due to the complexity of generating acceptable certificates.

  • Desirable options

    • SAML, notably in the context of academic research usage.

Security levels

  • HTTP sessions and HTTP basic authentication are only useful for tracking authorship in a social environment.
  • HTTP digest login provides reasonably secure authentication, but poor privacy about executed queries and returned results.
  • HTTPS sessions provide safe authentication and private conversation.
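As an added example (not code from SWISH or SWI-Prolog), a small Python model of the two schemes compared above: a Basic header hands over the password itself, while a digest server stores only HA1 and can reject replayed nonce counts and expired nonces (the timeouts that force the digest exchange to be re-established). Realm, user name and nonce lifetime are constructed values; the digest is the RFC 2617 qop=auth form.

```python
import base64, hashlib, secrets

def _md5(text):
    return hashlib.md5(text.encode()).hexdigest()

def basic_credentials(header):
    """Basic auth merely base64-encodes user:password, so the header reveals it."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic Authorization header")
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password

def make_ha1(user, realm, password):
    """HA1 is what a digest server stores instead of the plain password."""
    return _md5(f"{user}:{realm}:{password}")

def digest_response(ha1, method, uri, nonce, nc, cnonce):
    """RFC 2617 response for qop=auth; nc is the client's nonce count."""
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc:08x}:{cnonce}:auth:{ha2}")

class DigestVerifier:
    # Server side: verifies responses, rejects replays and expired nonces.
    def __init__(self, ha1_by_user, nonce_lifetime=300):
        self.users = ha1_by_user        # user -> HA1, never the password
        self.nonces = {}                # nonce -> [issued_at, highest nc seen]
        self.lifetime = nonce_lifetime  # seconds; expiry forces a fresh challenge

    def issue_nonce(self, now):
        nonce = secrets.token_hex(16)   # unpredictable per-challenge value
        self.nonces[nonce] = [now, 0]
        return nonce

    def verify(self, user, method, uri, nonce, nc, cnonce, response, now):
        entry = self.nonces.get(nonce)
        if entry is None or now - entry[0] > self.lifetime:
            self.nonces.pop(nonce, None)
            return "stale"      # client must redo the challenge (the timeout noted above)
        if nc <= entry[1]:
            return "replay"     # resending a captured header fails: nc must strictly increase
        ha1 = self.users.get(user)
        if ha1 is None:
            return "unknown-user"
        expected = digest_response(ha1, method, uri, nonce, nc, cnonce)
        if not secrets.compare_digest(expected, response):
            return "bad-response"
        entry[1] = nc           # remember the highest nonce count accepted
        return "ok"
```

Even with the replay and expiry checks, the method, URI and user name travel in clear and the HA1 hash is unsalted MD5, which is why the page rates digest login as secure for authentication but poor for privacy.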