Authorization

Authorization is the process by which a client's identity is verified (authentication) and then checked against an access policy before the client is granted access to documents. Authorization is essential when you have content that you wish to protect and provide only to specific approved clients.

AppWeb implements a flexible authorization mechanism that supports both the Basic and Digest authentication schemes, which are supported by virtually all browsers. It employs a single user account and user group database for both schemes, which simplifies configuration.

Basic Authentication

Basic authentication was the original HTTP/1.0 authentication scheme. It transmits the user name and password in every request using a trivial Base64 encoding, which is no better than sending them in plain text: anyone who can observe the connection can decode the credentials directly.

SECURITY WARNING: You should not use Basic Authentication if at all possible. Use Digest authentication in preference if it is supported by your clients. If Basic authentication must be used, serve the protected content only over SSL so that the credentials are at least encrypted in transit.

Basic Authentication Directives

AppWeb basic authorization is controlled by configuration file directives that may be used inside a Directory or VirtualHost block, or within the Default server configuration.


AuthType basic
AuthName "Acme Inc"
AuthUserFile users.db
Require valid-user


This example, placed inside a Directory block for /basic/acme, restricts access to that directory and all its sub-directories to users whose user name and password are validated against the designated users.db password file.

The AuthType directive specifies that Basic authentication is being used. The AuthName directive specifies the realm: the string presented to the browser in its login prompt and the name under which passwords are stored (see httpPassword below). The AuthUserFile directive specifies the location of the user password file. You may use a single password file for all authorization sections, or a different file for each section.

User passwords are defined for a user account / realm combination. To create passwords, see the section below that describes the httpPassword utility.

The Require directive controls how users are validated. There are three possibilities: by group name (group membership is read from the file named by the AuthGroupFile directive), by user name, and by any valid user name in the password file. The associated directives are:
  • Require group groupName ...

  • Require user userid ...

  • Require valid-user

NOTE: the Apache style server authorization using Allow and Deny directives is not supported.

SECURITY WARNING: it is essential that the AuthUserFile and the AuthGroupFile be stored outside the DocumentRoot or any directory serving content.

Digest Authentication


The Digest authentication scheme is a replacement for the Basic authentication scheme that avoids sending the password over the network.

Why is Digest authentication better?

With Basic authentication the browser sends the actual password (merely Base64 encoded) with every request. With Digest authentication the server sends the browser a fresh random value (the nonce) and the browser replies with an MD5 digest computed over the user name, realm, password, nonce, request method and URI. The password itself never crosses the network, so an eavesdropper cannot read it, and because the server can expire nonces a captured reply cannot simply be replayed later. Digest authentication does not, however, encrypt the content of the request or response, and it does not prove to the browser that it is talking to the genuine server; for both of those you need SSL (see Belt and suspenders below).
Digest Authentication Directives

AppWeb digest authorization is controlled by configuration file directives that may be used within any Directory, VirtualHost block or within the Default server configuration.


AuthType Digest
AuthName "Acme Inc"
AuthUserFile users.db
Require user roadRunner


This example, placed inside a Directory block for /basic/acme, restricts access to that directory and all its sub-directories to the single user roadRunner, whose user name and password are validated against the designated users.db password file. The essential differences between this example and the Basic authentication example are the AuthType directive and the Require user form, which admits only the named account rather than any valid user.

httpPassword

The httpPassword program is used to create user passwords in a nominated password file. Unlike Apache, AppWeb uses the same authorization file and format for Digest and Basic authentication. This simplifies administration. The file format is:

coyote:Realm:EncryptedPassword 

The httpPassword utility creates such entries in the password file. There is no command to modify or remove an entry: to change a password, delete the relevant line with a text editor and then recreate it with httpPassword.

The Realm is the name specified via the AuthName directive. The EncryptedPassword is not encrypted but hashed: it is the MD5 hash of the user name, realm and password combined. Because the realm is part of the hash, an entry is valid only for the realm it was created in, and changing the AuthName of a section invalidates the existing entries for that section. Because the hash is unsalted and MD5 is fast to compute, anyone who obtains a copy of the file can test password guesses against it offline, which is why the file must be kept out of reach of clients (see the warning below).

The command line syntax for httpPassword is:

httpPassword [-c] [-p passWord] userFile realm userName

The userFile argument specifies the name of the user password file. The userName argument is the name of the user. If the -p password option is not used, httpPassword will prompt for the password; prefer the prompt, because a password given with -p appears in the shell history and in process listings while the command runs. The -c option causes httpPassword to create the password file; otherwise it appends to the nominated userFile.
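The following is an added illustration, not AppWeb code and not the httpPassword utility itself. It builds users.db entries in the format described above, assuming (as the text states) that EncryptedPassword is the hex MD5 of "user:realm:password", and then shows why one file serves both schemes: the server can recompute that hash from the clear credentials a Basic client sends, and can combine the same stored hash with a nonce to check a Digest response without ever seeing the password. The Digest computation is the RFC 2617 form without qop. The users, passwords and nonce are constructed for the example.

```python
import base64
import hashlib
import secrets

REALM = "Acme Inc"


def ha1(user, realm, password):
    """EncryptedPassword as assumed to be stored: MD5(user:realm:password), the RFC 2617 HA1."""
    return hashlib.md5(f"{user}:{realm}:{password}".encode()).hexdigest()


def make_entry(user, realm, password):
    """One users.db line in the user:Realm:EncryptedPassword format (assumed to match httpPassword)."""
    return f"{user}:{realm}:{ha1(user, realm, password)}"


# Constructed sample password file.
SAMPLE_DB = "\n".join([
    make_entry("coyote", REALM, "beep-beep"),
    make_entry("roadRunner", REALM, "meep-meep"),
])


def load_users(text):
    """Parse user:realm:digest lines into a dict keyed by (user, realm)."""
    db = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, realm, digest = line.split(":", 2)
        db[(user, realm)] = digest
    return db


# --- What the browser sends -------------------------------------------------

def basic_header(user, password):
    """Basic Authorization header: the clear password, only Base64 encoded."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def eavesdrop_basic(header):
    """What a network observer recovers from a Basic header: user:password in clear."""
    return base64.b64decode(header.split(" ", 1)[1]).decode()


def digest_client_response(user, realm, password, method, uri, nonce):
    """Digest response (no qop): MD5(HA1:nonce:HA2) with HA2 = MD5(method:uri).
    Only this digest is sent; the password stays on the client."""
    ha2 = hashlib.md5(f"{method}:{uri}".encode()).hexdigest()
    return hashlib.md5(f"{ha1(user, realm, password)}:{nonce}:{ha2}".encode()).hexdigest()


# --- What the server checks -------------------------------------------------

def check_basic(db, realm, header):
    """Return the user name if the Basic credentials match the file, else None."""
    scheme, _, b64 = header.partition(" ")
    if scheme != "Basic":
        return None
    try:
        user, _, password = base64.b64decode(b64).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    stored = db.get((user, realm))
    if stored is None:
        return None
    # The server recomputes the same HA1 from the clear credentials.
    return user if secrets.compare_digest(stored, ha1(user, realm, password)) else None


def check_digest(db, realm, method, uri, nonce, user, response):
    """Return the user name if the Digest response matches the stored HA1 for this nonce."""
    stored = db.get((user, realm))
    if stored is None:
        return None
    ha2 = hashlib.md5(f"{method}:{uri}".encode()).hexdigest()
    expected = hashlib.md5(f"{stored}:{nonce}:{ha2}".encode()).hexdigest()
    # Constant-time comparison; a stale or different nonce yields a different expected value.
    return user if secrets.compare_digest(expected, response) else None


if __name__ == "__main__":
    db = load_users(SAMPLE_DB)
    hdr = basic_header("coyote", "beep-beep")
    print("Basic header reveals:", eavesdrop_basic(hdr))
    print("Basic check:", check_basic(db, REALM, hdr))
    nonce = "dcd98b7102dd2f0e8b11d0f600bfb0c093"
    resp = digest_client_response("roadRunner", REALM, "meep-meep", "GET", "/basic/acme/", nonce)
    print("Digest check:", check_digest(db, REALM, "GET", "/basic/acme/", nonce, "roadRunner", resp))
```

Two points worth noticing when running it: eavesdrop_basic recovers the clear password from the Basic header with a single decode, whereas the Digest response cannot be turned back into the password; and a Digest response computed for one nonce fails verification under any other nonce, which is what lets the server reject replays by retiring old nonces.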

SECURITY WARNING: the password file must be stored outside the DocumentRoot or any directory serving content, and its file permissions should allow access only to the account the server runs as. Because the entries are unsalted MD5 hashes, a leaked copy of the file allows passwords to be guessed offline.

Belt and suspenders

The public Internet is not a friendly place anymore, if it ever was. It is important to take adequate precautions and secure your web content with appropriate authorization and encryption.

An ideal combination is Digest authentication to authenticate users and the SSL protocol to authenticate the server and encrypt the whole session, so that neither the credentials nor the protected content travel in the clear. This is the so-called belt and suspenders approach.


© Mbedthis Software LLC, 2003-2004. All rights reserved. Mbedthis is a trademark of Mbedthis Software LLC.