Practical Internet Groupware by Jon Udell


Chapter 12. Authentication and Authorization Techniques

In the last chapter, we built a simple update notifier. It’s based on the push/pull technique. Each message summarizes new docbase records and includes links that point back to the complete records. If those documents are intended for use only by subscribers, you’ll need to enforce some kind of access control.

In this chapter, we’ll look at ways to control access to both statically served and dynamically served documents, using either the Apache or Microsoft IIS web servers. We’ll also explore how to combine simple user-based access control with a more sophisticated attribute-based approach that’s sensitive not only to who is requesting a document, but also to what’s in the document.

We should define some terms before proceeding. By authentication I mean proving a user’s identity, typically by looking up a name/password combination in a directory. By authorization I mean proving that an authenticated user is allowed to access some protected resource.

HTTP Basic Authentication

Available with every web server, HTTP basic authentication is a very simple protocol. When a browser asks for a protected resource, the server sends back an authentication header instead, like this:

HTTP/1.0 401 Unauthorized
WWW-Authenticate: Basic realm=subscribers

The browser reacts to this message by presenting its standard login dialog to the user, accepting a name and password, then retrying its original request but with the addition of this header: ...
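The round trip described above, written out as an added example (not code from the book): the server's 401 challenge, the header the browser adds on retry (per the HTTP spec, the Basic scheme carries base64 of "user:password"), and the server-side check that decodes it and looks the name up in a constructed subscriber table.

```python
import base64
import hmac

# Constructed subscriber directory for this example; a real deployment
# would hold password hashes, not cleartext passwords.
SUBSCRIBERS = {"alice": "s3cret"}
REALM = "subscribers"


def challenge():
    """Server reply to a request with no (or bad) credentials.
    RFC 7617 specifies realm as a quoted-string; the book shows it unquoted."""
    return 401, {"WWW-Authenticate": f'Basic realm="{REALM}"'}


def authorization_header(user, password):
    """What the browser adds when it retries: base64('user:password').
    Note this is encoding, not encryption; the exchange needs TLS."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return {"Authorization": f"Basic {token}"}


def authenticate(headers):
    """Return the user name if the Authorization header is valid, else None."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None  # malformed header: treat as unauthenticated
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    expected = SUBSCRIBERS.get(user)
    # Always run the comparison so response timing does not reveal which names exist.
    match = hmac.compare_digest(password.encode("utf-8"), (expected or "").encode("utf-8"))
    if expected is None or not match:
        return None
    return user


def handle_request(headers):
    """One server round: 401 challenge, or 200 once good credentials arrive."""
    user = authenticate(headers)
    if user is None:
        return challenge()
    return 200, {"X-Authenticated-User": user}
```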
