Networked computer applications are often deployed using a “tiered” model. In this model, the originator of a request for a unit of work (also referred to as a “principal”) typically initiates that work via a client program (first tier), which then communicates with a web server or similar second-tier server (also referred to as a middle-tier server), which itself communicates, on behalf of the request originator, with other middle-tier servers and/or with third- or fourth-tier servers such as database servers or other resource managers. When the resource managers process the request, they typically evaluate whether the request originator has been authenticated and whether the originator is authorized to perform the unit of work. The resource managers typically also record the originator's access in appropriate audit logs.
Such a tiered approach to networked applications may create a need for the secure propagation of the request originator's security credentials through each tier of the application. In such propagation of secure credentials, the request originator delegates to the middle-tier servers the authority to access other servers on its behalf. Thus, the secure propagation of the credentials of the request originator (the requesting “principal”) may be referred to as “delegation” or “impersonation.”
One security mechanism that provides for delegation is Kerberos. In Kerberos, the requesting principal sends the request accompanied by a delegatable service ticket obtained from a trusted third party, the Kerberos key distribution center. The middle-tier server then uses the delegatable service ticket to obtain service tickets from the key distribution center. The obtained service tickets are used to impersonate the requesting principal to other servers in the network as needed to satisfy the original request.
The Kerberos approach to delegation, however, is intended primarily to handle synchronous connections to other servers and may not extend well to cases in which the request is passed as an asynchronously transmitted message. A conventional approach to asynchronous message-based authentication is to create a digital signature for the message. The digital signature is based on a public/private key pair. An example of such a digital signature approach to authentication is Public Key Infrastructure (PKI) authentication. PKI authentication is also conventionally used for synchronous connections, as in, for example, Secure Sockets Layer (SSL) and Transport Layer Security (TLS).