In the last chapter, we built a simple update notifier. It’s based on the push/pull technique. Each message summarizes new docbase records and includes links that point back to the complete records. If those documents are intended for use only by subscribers, you’ll need to enforce some kind of access control.
In this chapter, we’ll look at ways to control access to both statically served and dynamically served documents, using either the Apache or Microsoft IIS web servers. We’ll also explore how to combine simple user-based access control with a more sophisticated attribute-based approach that’s sensitive not only to who is requesting a document, but also to what’s in the document.
We should define some terms before proceeding. By authentication I mean proving a user’s identity, typically by looking up a name/password combination in a directory. By authorization I mean proving that an authenticated user is allowed to access some protected resource.
Available with every web server, HTTP basic authentication is a very simple protocol. When a browser asks for a protected resource, the server sends back an authentication header instead, like this:
HTTP/1.0 401 Unauthorized
WWW-Authenticate: Basic realm=subscribers
The browser reacts to this message by presenting its standard login dialog to the user, accepting a name and password, then retrying its original request but with the addition of this header: ...
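The challenge/response exchange described above, as an added Python example that is not from the book: a hypothetical server-side check for the "subscribers" realm, with a constructed one-user directory (salted PBKDF2 hashes rather than cleartext) and the header a browser sends when it retries after the 401.

```python
import base64
import binascii
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

REALM = "subscribers"


def _hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed subscriber directory: user -> (salt, PBKDF2 hash).
# A real server would load this from its password file or directory.
_SALT = os.urandom(16)
SUBSCRIBERS: Dict[str, Tuple[bytes, bytes]] = {"alice": (_SALT, _hash_pw("wonderland", _SALT))}


def challenge() -> Tuple[int, Dict[str, str]]:
    """Server side: the reply to a request carrying no valid credentials."""
    return 401, {"WWW-Authenticate": f'Basic realm="{REALM}"'}


def authorize(headers: Dict[str, str]) -> Optional[str]:
    """Return the authenticated user name, or None if the request must be challenged."""
    scheme, _, blob = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic" or not blob:
        return None
    try:
        decoded = base64.b64decode(blob.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None  # malformed token: challenge again rather than crash
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    record = SUBSCRIBERS.get(user)
    # Hash even for unknown users so response timing does not reveal which names exist.
    salt, expected = record if record else (_SALT, b"\0" * 32)
    candidate = _hash_pw(password, salt)
    if record and hmac.compare_digest(candidate, expected):
        return user
    return None


def client_header(user: str, password: str) -> Dict[str, str]:
    """Browser side: the header added when the original request is retried."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}"}
```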