

Web access authorization

Web servers can have quite sophisticated access authorization systems defined at the time they are configured.

The Web has a mechanism within the HTTP protocol to indicate that a document is protected, and to require user authentication information to be included in the request for that document. If a browser makes a request without giving authentication for a document for which this mechanism is enabled, it will receive back an error response indicating an authorization failure. The browser will then ask the user for authentication details, and retry the request with those details.

Files on a server that are protected by the same authentication details are sometimes referred to as being in the same realm, and are identified to browsers by a unique group identifier, known as the ServerID (CERN) or AuthName (NCSA). Most browsers supporting authentication are intelligent enough to detect when the authentication details supplied by the user can be reused, and do not ask for them repeatedly. The protocol can use different authentication schemes (methods of passing authentication information) but currently only the Basic scheme is specified, which passes the password as plain text, encoded but not encrypted.
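As an added illustration (not code from the book), the following Python models the exchange just described: a server that challenges with a realm, a browser that retries after a 401 and reuses credentials for a realm it has already seen, and a decoder showing that a Basic credential is only encoded, not encrypted. The realm, paths and user record are constructed for the example.

```python
import base64
import hmac

# Constructed example values: one realm (the AuthName/ServerID of the text),
# one user record and two protected documents. Real servers store password hashes.
REALM = "staff-pages"
USERS = {"alice": "s3cret"}
PROTECTED = {"/staff/rota.html", "/staff/phones.html"}

def basic_header(user, password):
    """Authorization header a browser sends after a 401: Base64 of user:password."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode("ascii")

def decode_basic(header):
    """Recover the plain-text pair from a Basic header; anyone on the wire can do this."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        user, sep, password = base64.b64decode(token, validate=True).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    return (user, password) if sep else None

def server(path, headers):
    """Return (status, response headers) for one request to the protected hierarchy."""
    if path not in PROTECTED:
        return 200, {}
    creds = decode_basic(headers.get("Authorization", ""))
    if creds and hmac.compare_digest(USERS.get(creds[0], "").encode(), creds[1].encode()):
        return 200, {}
    return 401, {"WWW-Authenticate": f'Basic realm="{REALM}"'}

class Browser:
    """Minimal client: retries on 401 and reuses credentials per realm."""
    def __init__(self, ask_user):
        self.ask_user = ask_user   # callable(realm) -> (user, password)
        self.cache = {}            # realm -> Authorization header
        self.prompts = 0           # how often the user was asked

    def get(self, path):
        status, resp = server(path, {})
        if status != 401:
            return status
        realm = resp["WWW-Authenticate"].split('realm="')[1].rstrip('"')
        if realm not in self.cache:            # known realm: reuse without asking
            self.prompts += 1
            self.cache[realm] = basic_header(*self.ask_user(realm))
        status, _ = server(path, {"Authorization": self.cache[realm]})
        if status == 401:                      # rejected: forget the bad details
            self.cache.pop(realm, None)
        return status
```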

Many Web servers offer quite similar features to restrict access to parts of the document hierarchy, and these features can be used to ban access from specified sites or domains, or to restrict access to authenticated users. These features use the Internet address of the client and the HTTP authentication mechanism. Access authorization is determined by a combination of access control lists and central configuration files. This allows the Web administrator to delegate authority for access control, without losing overall control of security.

The GN server is unique in its approach to authorization, in that only files specifically named in a control file will be served. It allows for restriction of access based on the Internet address of the client, but does not support access authorization based on user authentication.




[ITCP]Spinning the Web by Andrew Ford
© 1995 International Thomson Publishing
© 2002 Andrew Ford and Ford & Mason Ltd
Note: this HTML document was generated in December 1994 directly from the LaTeX source files using LaTeX2HTML. It was formatted into our standard page layout using the Template Toolkit. The document is mainly of historical interest as obviously many of the sites mentioned have long since disappeared.

 
Copyright © 1996-2002 Ford & Mason Ltd