Web access authorization

Web servers can have quite sophisticated access authorization systems defined at the time they are configured. The Web has a mechanism within the HTTP protocol to indicate that a document is protected, and to require user authentication information to be included in the request for that document. If a browser makes a request without giving authentication for a document for which this mechanism is enabled, it will receive back an error response indicating an authorization failure. The browser will then ask the user for authentication details, and retry the request with those details.

Files on a server that are protected by the same authentication details are sometimes referred to as being in the same realm, and are identified to browsers by a unique group identifier, known as the ServerID (CERN) or AuthName (NCSA). Most browsers supporting authentication are intelligent enough to detect when the authentication details supplied by the user can be reused, and do not ask for them repeatedly. The protocol can use different authentication schemes (methods of passing authentication information), but currently only the Basic scheme is specified, which passes the password as plain text, encoded but not encrypted.

Many Web servers offer quite similar features to restrict access to parts of the document hierarchy, and these features can be used to ban access from specified sites or domains, or to restrict access to authenticated users. These features use the Internet address of the client and the HTTP authentication mechanism. Access authorization is determined by a combination of access control lists and central configuration files. This allows the Web administrator to delegate authority for access control, without losing overall control of security.

The GN server is unique in its approach to authorization, in that only files specifically named in a control file will be served. It allows for restriction of access based on the Internet address of the client, but does not support access authorization based on user authentication.
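The challenge-and-retry exchange described above, worked through as an added example (not code from the book or from the CERN/NCSA servers): the server answers a bare request with a 401 carrying the realm, the browser retries with an Authorization header for that realm and caches the details so it need not prompt again, and the decode function shows why Basic counts as plain text, since the credential is only base64-encoded. The realm name, user store and password are constructed assumptions.

```python
import base64
import hmac
from typing import Optional

# Constructed sample realm and user store (stand-ins for the server's
# AuthName/ServerID and password file); not taken from the book.
REALM = "Example Realm"
USERS = {"alice": "s3cret"}


def challenge() -> dict:
    """401 response sent when a protected document is requested without
    (or with bad) credentials; the realm tells the browser which stored
    credentials apply."""
    return {"status": 401,
            "headers": {"WWW-Authenticate": f'Basic realm="{REALM}"'}}


def encode_basic(user: str, password: str) -> str:
    """Authorization header value a browser sends on retry."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def decode_basic(header: Optional[str]):
    """Recover user and password from a Basic header. The credential is
    merely base64-encoded, so any observer of the request can read it."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(header[6:], validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None


def serve(headers: dict) -> dict:
    """Server side: 401 challenge unless user:password matches the store."""
    creds = decode_basic(headers.get("Authorization"))
    if creds is None:
        return challenge()
    user, password = creds
    expected = USERS.get(user)
    if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
        return challenge()
    return {"status": 200, "body": "protected document"}


def browser_fetch(cache: dict) -> dict:
    """Client side: request bare, then retry with credentials cached for
    the realm named in the challenge (prompting the user if none cached)."""
    resp = serve({})
    if resp["status"] != 401:
        return resp
    realm = resp["headers"]["WWW-Authenticate"].split('realm="')[1].rstrip('"')
    if realm not in cache:
        cache[realm] = ("alice", "s3cret")  # stands in for the user prompt
    return serve({"Authorization": encode_basic(*cache[realm])})
```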
Spinning the Web by Andrew Ford
Copyright © 1996-2002 Ford & Mason Ltd