Distributed Access Control System (DACS) is a lightweight single sign-on and attribute-based access control system designed for web servers and server-based software, primarily enhancing security on Apache web servers. It manages access to web pages, CGI programs, servlets, and federates Apache servers. Released under an open-source license, DACS offers a modular authentication framework supporting multiple methods, coupled with a rule-based authorization engine that controls access via URLs based on user identity and context. It supports both web-based APIs and command-line interfaces, with responses in XML or JSON. Development started in 2001, with an open source release in 2005.
Authentication
DACS can use any of the following authentication methods and account types:
- X.509 client certificates via SSL
- self-issued or managed Information Cards (InfoCards) (deprecated)
- two-factor authentication
- OpenID Connect (OIDC) Relying Party
- Counter-based, time-based, or grid-based one-time passwords, including security tokens
- Unix-like systems' password-based accounts
- Apache authentication modules and their password files
- Windows NT LAN Manager (NTLM) accounts
- LDAP or Microsoft Active Directory (ADS) accounts
- RADIUS accounts
- Central Authentication Service (CAS)
- HTTP-requests (e.g., Google ClientLogin)
- PAM-based accounts
- private username/password databases with salted password hashing using SHA-1, SHA-2, or SHA-3 functions, PBKDF2, or scrypt
- imported identities
- computed identities
The extensible architecture allows new methods to be introduced.
The DACS distribution includes various cryptographic functionality, such as message digests, HMACs, symmetric and public key encryption, ciphers (ChaCha20, OpenSSL), digital signatures, password-based key derivation functions (HKDF, PBKDF2), and memory-hard key derivation functions (scrypt, Argon2), much of which is available from a simple scripting language.
DACS can also act as an Identity Provider for InfoCards and function as a Relying Party, although this functionality is deprecated.
Authorization
DACS performs access control by evaluating access control rules that are specified by an administrator. Expressed as a set of XML documents, the rules are consulted at run-time to determine whether access to a given resource should be granted or denied. As access control rules can be arbitrary computations, it combines attribute-based access control, role-based access control, policy-based access control, delegated access control, and other approaches. The architecture provides many possibilities to administrators.
See also
- Free and open-source software portal
- R. Morrison, "Web 2.0 Access Control", 2007.
- J. Falkcrona, "Role-based access control and single sign-on for Web services", 2008.
- B. Brachman, "Rule-based access control: Improve security and make programming easier with an authorization framework", 2006.
- A. Peeke-Vout, B. Low, "Spatial Data Infrastructure (SDI)-In-A-Box, a Footprint to Deliver Geospatial Data through Open Source Applications", 2007.
External links
References
"DACS: The Distributed Access Control System". https://dacs.dss.ca ↩