User Management Overview

For a totally password protected site ( typical for remote management applications), it is desirable to have multiple user IDs with multiple security levels. The web server would have known users, who would enter passwords to obtain web server access. In addition, individual pages or groups of pages on the web server may have special security requirements.

Access Authentication

Whenever a web browser attempts to access a page on a server that requires a user ID and password, a browser and server dialog begins that is called "Access Authentication". Two kinds of Access Authentication are used: Basic (BAA) and Digest (DAA).

The web browser presentation for Digest Access Authentication is the same as for Basic Access Authentication: the user typically is prompted for a user ID and password before obtaining access to a URL. The difference between the two is behind the scenes. In the case of Basic Access, passwords are sent as clear text. Digest Access is different in that a "digest" is sent, typically created by the RSA Data Security, Inc. MD5 Message-Digest Algorithm that takes the user ID, the password and a "realm value" as arguments.

In WebServer 2.1, both types of Access Authentication are supported. URL pages can have an "Access Method" associated with them that determines how the page is accessed. These are as follows:

NONE - the URL page cannot be accessed.
FULL - the URL can always be accessed, without authentication.
BASIC - BAA is required before the page can be accessed.
DIGEST - DAA is required before the page can be accessed.

Users

The user management configuration database contains a user table containing user records with these data elements:

User ID - uniquely identifies a user
User Password - encrypted in local storage
User Group - determines a user's access rights
Protected - determines if the user record can be deleted
Enabled - determines if the user record can be used

User Groups

The user management configuration database contains a table for user groups with the following data elements:

Group Name - uniquely identifies a group (e.g.; "administrators" or "guests").
Privileges - can be one or more of none, read-files, execute-files, and administrate
Default Access Method - determines the access method for members of this group
Protected - determines if the user record can be deleted
Enabled - determines if the user record can be used

URL Access Limits

The user management configuration database contains a table for URL access limits. Access Limits are used when certain directories or URL pages on the web site have exceptionally secure access limits. If a directory has an access limit associated with it, its contents will have the same access limit as the directory, unless there is a specific access limit for a specific page.

Access Limits have these data elements:

URL Name - defines the file path of the web page or directory
Default Access Method - determines how the page should be accessed
Encryption Required - determines if the page should be transmitted encrypted
User Group - optionally limits access to the page to a specific user group

User Management and Access to URLs

When a page is requested, WebServer will check to see if there is a URL Access Limit assigned for the requested page. If an Access Limit is found, then the following checks are made:

If no user group is assigned to the access limit, then the default access method takes effect. In this case, the web server takes these actions:

If Default Access Method is NONE, respond with a File not Found header.
If Default Access Method is FULL, returns the requested page.
If Default Access Method is BASIC or DIGEST and there is a user ID and password in the request that check out, returns the requested page. Otherwise, it returns an Authenticate Response Header.

If there is a user group assigned to the access limit, then the previous actions would be taken, but would use the group's access method for the requested page.