Authorization
Authorization is the process by which a client's identity is verified before gaining access to documents. Authorization is essential when you have content that you wish to protect and provide only to specific approved clients.
AppWeb implements a powerful and flexible authorization mechanism that supports both the Basic and Digest authorization schemes prevalent in most browsers. It employs a unified user account and user group database for easy configuration.
Basic authentication was the original HTTP/1.0 authentication scheme. It transmits user names and passwords using a trivial encoding that is no better than using plain text.
SECURITY WARNING: You should not use Basic Authentication if at all possible. Use Digest authentication in preference if it is supported by your clients.
This example restricts access to the /basic/acme directory and all sub-directories to users whose username and password are validated against the designated user.db password file.
The AuthType directive specifies that basic authorization is being used. The AuthName directive specifies the realm of access to AppWeb. The AuthUserFile directive specifies the location of the user password file. You may use a single password file for all authorization, or you can use different files for each authorization section.
User passwords are defined for a user account / realm combination. To create passwords, see the section below that describes the httpPassword utility.
The Require directive controls how users are validated. There are three possibilities for validating users: by group name, by user-id and by any valid user name. The associated directives are:
SECURITY WARNING: it is essential that the AuthUserFile and the AuthGroupFile be stored outside the DocumentRoot or any directory serving content.
The Digest authentication scheme is a modern replacement for the Basic authorization scheme.
Why is Digest authentication better?
This example restricts access to the /basic/acme directory and all sub-directories to users whose username and password are validated against the designated user.db password file. The essential differences between this example and the Basic authorization example is the AuthType directive.
The httpPassword program is used to create user passwords in a nominated password file. Unlike Apache, AppWeb uses the same authorization file and format for Digest and Basic authentication. This simplifies administration. The file format is:
The httpPassword will create such entries in the password file. To modify entries, delete them using a text editor and then recreate them using httpPassword.
The Realm is the name specified via the AuthName directive. The EncryptedPassword is an MD5 secure hash of the user name, realm and password. Use the AppWeb utility httpPassword to create entries in the password file. Use an editor to delete entries by deleting the relevant line.
The command line syntax for httpPassword is:
The userFile option specifies the name of the user password file. The userName is the name of the user. If the -p password option is not used, httpPassword will prompt for the password. The -c option will cause httpPassword to create the password file, otherwise it will update the nominated userFile.
SECURITY WARNING: it is essential that the AuthUserFile and the AuthGroupFile be stored outside the DocumentRoot or any directory serving content.
The public Internet is not a friendly place anymore, if it ever was. It is important to take adequate precautions and secure your web content with appropriate authorization and encryption.
An ideal combination is Digest authentication to authorize users, and the SSL protocol to authenticate servers. The so-called belt and suspenders.
AppWeb implements a powerful and flexible authorization mechanism that supports both the Basic and Digest authorization schemes prevalent in most browsers. It employs a unified user account and user group database for easy configuration.
Basic Authentication
Basic authentication was the original HTTP/1.0 authentication scheme. It transmits user names and passwords using a trivial encoding that is no better than using plain text.SECURITY WARNING: You should not use Basic Authentication if at all possible. Use Digest authentication in preference if it is supported by your clients.
Basic Authentication Directives
AppWeb basic authorization is controlled by configuration file directives that may be used inside a Directory or VirtualHost block, or within the Default server configuration.
AuthType basic
AuthName "Acme Inc"
AuthUserFile users.db
Require valid-user
This example restricts access to the /basic/acme directory and all sub-directories to users whose username and password are validated against the designated user.db password file.
The AuthType directive specifies that basic authorization is being used. The AuthName directive specifies the realm of access to AppWeb. The AuthUserFile directive specifies the location of the user password file. You may use a single password file for all authorization, or you can use different files for each authorization section.
User passwords are defined for a user account / realm combination. To create passwords, see the section below that describes the httpPassword utility.
The Require directive controls how users are validated. There are three possibilities for validating users: by group name, by user-id and by any valid user name. The associated directives are:
-
Require group groupName ...
-
Require user userid ...
-
Require valid-user
SECURITY WARNING: it is essential that the AuthUserFile and the AuthGroupFile be stored outside the DocumentRoot or any directory serving content.
Digest Authentication
The Digest authentication scheme is a modern replacement for the Basic authorization scheme.
Why is Digest authentication better?
Digest Authentication Directives
AppWeb digest authorization is controlled by configuration file directives that may be used within any Directory, VirtualHost block or within the Default server configuration.
AuthType Digest
AuthName "Acme Inc"
AuthUserFile users.db
Require use roadRunner
This example restricts access to the /basic/acme directory and all sub-directories to users whose username and password are validated against the designated user.db password file. The essential differences between this example and the Basic authorization example is the AuthType directive.
httpPassword
The httpPassword program is used to create user passwords in a nominated password file. Unlike Apache, AppWeb uses the same authorization file and format for Digest and Basic authentication. This simplifies administration. The file format is:coyote:Realm:EncryptedPassword
The httpPassword will create such entries in the password file. To modify entries, delete them using a text editor and then recreate them using httpPassword.
The Realm is the name specified via the AuthName directive. The EncryptedPassword is an MD5 secure hash of the user name, realm and password. Use the AppWeb utility httpPassword to create entries in the password file. Use an editor to delete entries by deleting the relevant line.
The command line syntax for httpPassword is:
httpPassword [-c] [-p passWord] userFile realm userName
The userFile option specifies the name of the user password file. The userName is the name of the user. If the -p password option is not used, httpPassword will prompt for the password. The -c option will cause httpPassword to create the password file, otherwise it will update the nominated userFile.
SECURITY WARNING: it is essential that the AuthUserFile and the AuthGroupFile be stored outside the DocumentRoot or any directory serving content.
Belt and suspenders
The public Internet is not a friendly place anymore, if it ever was. It is important to take adequate precautions and secure your web content with appropriate authorization and encryption.An ideal combination is Digest authentication to authorize users, and the SSL protocol to authenticate servers. The so-called belt and suspenders.
Quick Nav
Basic AuthenticationDigest Authentication
Belt and Suspenders
See Also
User Guide OverviewAppWeb Architecture
Configuring AppWeb
Configuration Directives
Ports and Binding
Secure Sockets Layer (SSL)
Virtual Hosts
Creating Dynamic Web Pages
Embedded Server Pages
Using Embedded JavaScript
Using PHP
Using CGI
Loadable Modules
Handlers
HTTP Client