User Management

In password protected sites, multiple user ids with multiple levels of security may be necessary. In WebServer 2.1, these include:

  • User IDs
  • User Groups
  • URL Access Limits

A User ID contains these data elements:

    1. User Name
    2. User Password
    3. User Group (determines access rights of user)
    4. Protect
    5. Enabled

User Groups contain these data elements:

    1. Group Name (i.e., administrator, user, guest)
    2. Privileges (none, read files, administrate users)
    3. Protect
    4. Enabled

URL Access Limits are used when certain directories or URL pages on the web site have exceptionally secure access limits. If a directory has an access limit associated with it, its contents default to the directories access limit.

URL Access Limits have the following data elements:

  1. URL name (name of the web page or directory)
  2. Access Method (one of NONE, FULL, BASIC, or DIGEST)
  3. Encryption Required
  4. User Group (currently limited to one user group for simplicity)

Users having administration privileges can manage the following Users IDs and Access Limits:

  1. Add User
  2. Delete User
  3. Change Password
  4. Change User Class
  5. Add User Group
  6. Delete User Group
  7. Change Privileges
  8. Add Access Limit
  9. Delete Access Limit
  10. Change Privilege
  11. Change User Group

User Management Page Access

Whenever a browser requests a page, WebServer checks to see if there is an AccessLimit assigned to the requested page. Access Limits are usually stored in support files contained in the same directory as the requested page. If no user group is assigned to the access limit, then the default privilege takes effect with WebServer taking the following actions:

  • If the default Privilege is "none", WebServer responds with the "File not Found" header.
  • If the default Privilege is not "none", WebServer returns the page.

If a user group is assigned to the access limit, then WebServer:

    1. Sends an Authenticate response header (DAA if enabled).
    2. Waits for the receipt of Authorization Request Header from the client.
    3. Compares the user id and password with those stored in the registered context.
    4. Sends the page to the client if the user is authorized.