Networked computer applications are often deployed using a “tiered” model. In this model, the originator of a request for a unit of work (also referred to as a “principal”) typically initiates that work via a client program (first tier), which then communicates to a web server, or similar second tier server (also referred to as a middle-tier server), which itself communicates, on behalf of the request originator, to other middle-tier servers and/or to third or fourth tier servers such as database servers or other resource managers. When the request is processed by the resource managers, they, typically, evaluate whether the request originator has been authenticated and whether they are authorized to perform the unit of work. The resource managers, typically, also record access by the originator of the request in appropriate audit logs.
Such a tiered approach to networked applications may create a need for the secure propagation of security credentials of the request originator through each of the tiers of the application. In such propagation of secure credentials, the request originator delegates to the middle-tier servers the authority to access other servers on their behalf. Thus, the secure propagation of the credentials of the request originator (the requesting “principal”) may be referred to as “delegation” or “impersonation.”
One conventional approach for asynchronous message based authentication is to create a digital signature for the message. The digital signature is based on a public/private key pair. An example of such a digital signature approach to authentication is Public Key Infrastructure (PKI) authentication. In PKI, typically, a nonce, which may, for example, be a 60 bit random number, is generated by a party, such as a server, and provided to the client. The client signs the nonce with its digital signature and returns the signed nonce to the server. Typically, the server evaluates the digital signature of the client by decrypting the signed nonce with the public key of the client, which may be obtained from a certificate associated with the client, and comparing the decrypted nonce to the nonce originally sent. If the nonces are the same, the signature is authentic. In such a manner, the server may be assured of the authenticity of the client. This manner of authenticating the client is used in a variety of computer protocols, including Secure Sockets Layer (SSL) and Transport Layer Security (TLS).
One difficulty with such a PKI authentication procedure is that it may be difficult to provided delegation of client authentication in certain circumstances. For example, a request from a principal through a client may pass through a middle-tier server which, in response to the request, accesses multiple third or fourth tier servers (also referred to as back-end servers). In such a case, the middle-tier server may need to authenticate the principal or the client to multiple back-end servers. Such a delegation of authentication may difficult in light of the multiple servers for which the client may need authentication.