Chapter 12. Authentication and Authorization Techniques

In the last chapter, we built a simple update notifier. It’s based on the push/pull technique. Each message summarizes new docbase records and includes links that point back to the complete records. If those documents are intended for use only by subscribers, you’ll need to enforce some kind of access control.

In this chapter, we’ll look at ways to control access to both statically served and dynamically served documents, using either the Apache or Microsoft IIS web servers. We’ll also explore how to combine simple user-based access control with a more sophisticated attribute-based approach that’s sensitive not only to who is requesting a document, but also to what’s in the document.

We should define some terms before proceeding. By authentication I mean proving a user’s identity, typically by looking up a name/password combination in a directory. By authorization I mean proving that an authenticated user is allowed to access some protected resource.

HTTP Basic Authentication

Available with every web server, HTTP basic authentication is a very simple protocol. When a browser asks for a protected resource, the server sends back an authentication header instead, like this:

HTTP/1.0 401 Unauthorized
WWW-Authenticate: Basic realm=subscribers

The browser reacts to this message by presenting its standard login dialog to the user, accepting a name and password, then retrying its original request but with the addition of this header: ...
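The exchange described above, worked through in code as an added example (not from the book): the server answers an unauthenticated request with the 401 challenge, the client retries with a base64-encoded `name:password` in an `Authorization: Basic` header, and the server decodes and checks it. The `subscribers` credential store and the `handle`/`client_retry` helper names are assumptions made for this illustration.

```python
import base64
import hmac

# Constructed credential store for the "subscribers" realm (not from the book).
# A real deployment stores password hashes; plain text here keeps the demo short.
SUBSCRIBERS = {"alice": "s3cret"}
REALM = "subscribers"


def challenge():
    """The 401 response sent when no valid credentials accompany the request.
    The realm is quoted as RFC 7617 specifies; the book shows it unquoted."""
    return "HTTP/1.0 401 Unauthorized", {"WWW-Authenticate": f'Basic realm="{REALM}"'}


def parse_basic(header):
    """Return (user, password) from an 'Authorization' value, or None if malformed."""
    try:
        scheme, _, token = header.strip().partition(" ")
        if scheme.lower() != "basic":
            return None
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # bad base64 or non-UTF-8 payload
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def authenticate(headers):
    """Return the authenticated user name, or None if the request must be challenged."""
    creds = parse_basic(headers.get("Authorization", ""))
    if creds is None:
        return None
    user, password = creds
    expected = SUBSCRIBERS.get(user)
    # compare_digest avoids leaking the password length/prefix through timing.
    if expected is None or not hmac.compare_digest(password.encode(), expected.encode()):
        return None
    return user


def handle(headers):
    """Server side of the exchange: status line plus response headers."""
    user = authenticate(headers)
    return challenge() if user is None else ("HTTP/1.0 200 OK", {"X-Authenticated-User": user})


def client_retry(user, password):
    """Browser side: the header added when the original request is retried after a 401."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}"}
```

Because base64 is an encoding, not encryption, the credentials in the retried request are readable by anyone on the path unless the connection uses TLS.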
