<!DOCTYPE html>
<!-- WASDOC AXP-2.0.0 (CGILIB AXP-1.9.9) -->
<!-- wasDOC Copyright (C) 2019,2020 Mark G.Daniel - Apache-2.0 licenced -->
<!--  3-NOV-2021 02:50 -->
<noscript>NOTE: SOME FUNCTIONALITY EMPLOYS JAVASCRIPT</noscript>
<div id="erreport1" style="display:none;"></div>
<script>
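/**
 * Show an error message in each on-page error report panel.
 *
 * The panels are the elements with ids 'erreport1' and 'erreport2'. Each
 * panel that exists is made visible and the message is appended to whatever
 * it already contains. A panel missing from the document is skipped instead
 * of raising a TypeError on `err.style` (only 'erreport1' is declared next
 * to this script; the second panel may or may not be present on a page).
 *
 * @param {string} string  Message fragment to append. It is inserted via
 *   innerHTML, so markup in it is interpreted by the browser.
 */
function errorReport(string) {
   for (var cnt = 1; cnt <= 2; cnt++) {
      var err = document.getElementById('erreport' + cnt);
      if (!err) continue;   // this panel is not on the page
      err.style.display = 'block';
      // NOTE(review): innerHTML is an HTML-injection sink; keep callers to
      // trusted, page-generated text, or switch to textContent /
      // insertAdjacentText if the message could ever come from a request.
      err.innerHTML += string;
   }
}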
</script>
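<style>
/* Stylesheet for wasDOC-generated pages: headings, text helpers, tables,
   code/example blocks, TOC and index layouts, navigation and print rules. */

html { font-family: arial, verdana, sans-serif; font-size:12pt; margin:1em; }

/* Headings. The original declared "font-style:bold", which is not a valid
   font-style value and was ignored by browsers; font-weight is the property
   intended. Headings are bold by default so rendering is unchanged. */
h1 { font-size:124%; font-weight:bold;
     margin-top:1em; margin-bottom:0.5em; }
h2 { font-size:120%; font-weight:bold;
     margin-top:1.1em; margin-bottom:0.4em; }
h3 { font-size:116%; font-weight:bold;
     margin-top:1.0em; margin-bottom:0.3em; }
h4 { font-size:112%; font-weight:bold;
     margin-top:1.1em; margin-bottom:0.3em; }
h5 { font-size:112%; font-weight:bold;
     margin-top:1.1em; margin-bottom:0.3em; }
h6 { font-size:112%; font-weight:bold; padding:0; margin:0; }

/* Section numbers sit in .numb; an empty .numb is collapsed entirely. */
h1 .text { text-decoration:underline; }
h1 .numb { padding-right:0.8em; }
h1 .numb:empty { display:none; padding-right:0; }
h2 .numb { padding-right:0.8em; }
h2 .numb:empty { display:none; padding-right:0; }
h3 .numb { padding-right:0.8em; }
h3 .numb:empty { display:none; padding-right:0; }
h4 .numb { padding-right:0.8em; }
h4 .numb:empty { display:none; padding-right:0; }
h5 .numb { display:none; padding-right:0; }
h6 .numb { display:none; padding-right:0; }

kbd { font-family:monospace; }

noscript { font-size:1.2em; }

p { line-height:1.1em; margin-top:1em; margin-bottom:1em; }

/* Inline text helpers. */
.chunk { font-size:130%; text-decoration:underline; }
.head {}
.high {}
.bold { font-weight:bold; }
.center { text-align:center; }
.italic { font-style:italic; }
.left { text-align:left; }
.nowrap { white-space:nowrap; }
.prewrap { white-space:pre; }
.right { text-align:right; }
.strike { text-decoration:line-through; }
.under { text-decoration:underline; }

.backlight { background-color:#f2f2f2; }
.display0 { display:none; }

img { max-width:100%; }
.imglink { }

.link { }
.blank { }

.list { margin-bottom:1em; }
.list li { margin-top:0.5em; }
.list0 li { margin-top:0; }
.item {}

/* Tables: .tabl is left-aligned, .tabu right-aligned with cell borders. */
.tabl { border-collapse:collapse; text-align:left; margin:0.4em 2em 0.5em 2em; }
.tabu { border-collapse:collapse; text-align:right; margin:0.4em 2em 0.5em 2em; }

.tabr { vertical-align:top; }
.tabh { padding:0.2em 0 0 2em; margin:0; }
.tabd { padding:0.1em 0 0 2em; margin:0; }
.tabh:first-of-type, td:first-of-type { padding-left:0; }

.tabu .tabh,
.tabu .tabd { border:1px solid gray; padding:0.2em 0.3em 0.2em 0.3em; }
.tab0 { border:none; visibility:hidden; max-width:1em;
        white-space:nowrap; overflow:hidden; }

.tabauto { margin-left:auto; margin-right:auto; }

.tabr:empty { height:0.2em; }
.tabu .tabh:empty, .tabu .tabd:empty { border:none; visibility:hidden; }

/* Error banner; the ::before prefixes a warning sign and a no-break space. */
.error { font-size:110%; color:black; background-color:yellow;
         font-family:sans-serif; font-weight:bold; font-style:normal;
         width:95%; border:solid 1px gray; padding:0.5em 1em 0.5em 1em; }
.error::before { content:'\026a0\00a0'; }
.image { }
.page { width:98%; border:1px dashed gray; margin:1.5em 0 1.8em 0; }
.epage { width:98%; border:1px dashed black; margin:1.5em 0 1.8em 0; }
.monosp { font-family:monospace; }
.ppage { display:none; }
.simple { list-style-type:none; }
.valtop { vertical-align:top; }
.valmid { vertical-align:middle; }
.valbot { vertical-align:bottom; }

/* Code, example and quote blocks: a left rule and preserved whitespace. */
.code { border-style:solid; border-width:0 0 0 1px; padding-left:1em;
        font-family:monospace; white-space:pre; }
.block { }
.blockof { margin:0.4em 2em 0.5em 2em; }
.example { border-style:dashed; border-width:0 0 0 1px; padding-left:1em;
           margin-top:0.5em; margin-bottom:0.5em; white-space:pre; }
.indent { margin-left:2em; margin-right:2em; }
.noindent { margin-left:0; margin-right:0; }
.inblock { display:inline-block; }
.mono { white-space:pre; font-family:monospace; }
.note { margin:0.4em 2em 0.5em 2em; page-break-inside:avoid; }
.note h5 { margin-top:0 }
.note_hr { width:80%; border:1px solid gray; }
.prop { padding-left:1em; margin-top:0.5em; margin-bottom:0.5em; }
.quote { border-style:dashed; border-width:0 0 0 1px; padding-left:1em;
         margin-top:0.5em; margin-bottom:0.5em; }
.this { display:none; }

/* Links are plain black text and underline only on hover/active. */
a:link,a:visited { color:black; text-decoration:none; }
a:hover,a:active { text-decoration:underline; }
/* NOTE(review): suppressing the outline leaves keyboard users with no
   visible focus indication on links; a :focus-visible replacement would
   restore it without affecting mouse users. */
a:focus { outline:0; }

:target:before { content:''; display:block; height:0.1em; margin:-0.1em; }
a.link:link, a.link:visited,a.link:active
{ color:midnightBlue; text-decoration:underline; text-decoration-style:solid; }

/* Table of contents (level 1). Each .TOC1colsN pairs width with max-width;
   cols3 and cols4 originally declared max-width twice and no width, which
   the other rules show was a typo for width. */
.TOC1cols1 { width:80%; max-width:80%; }
.TOC1cols2 { column-count:2; width:80%; max-width:80%; }
.TOC1cols3 { column-count:3; width:90%; max-width:90%; }
.TOC1cols4 { column-count:4; width:100%; max-width:100%; }
.TOC1table { margin-left:2em; white-space:nowrap; break-inside:auto; }
.TOC1table tr { vertical-align:top; text-align:left; break-inside:avoid; break-after:auto; }
.TOC1table td+td { padding:0 0 0 0.5em; }
.TOC1table .numb { width:3em; max-width:3em; }
.TOC1table .sepr { width:5em; max-width:6em; overflow:hidden; }
.TOC1table .majr { font-weight:bold; }
.TOC1table .text { white-space:normal; }

/* These are due to Firefox (at least <= 76) recalcitrant multi-column handling.
   Web search "Split table into css columns, issue in Firefox" (stackoverflow).
   "Good grief, Charlie Brown!" */

.TOC1cols2 table,
.TOC1cols2 tbody,
.TOC1cols2 tr,
.TOC1cols3 table,
.TOC1cols3 tbody,
.TOC1cols3 tr,
.TOC1cols4 table,
.TOC1cols4 tbody,
.TOC1cols4 tr { display:block; padding:0; }

/* Table of contents (level 2). */
.TOC2cols1 { width:60%; max-width:60%; }
.TOC2cols2 { column-count:2; width:70%; max-width:70%; }
.TOC2cols3 { column-count:3; width:80%; max-width:80%; }
.TOC2cols4 { column-count:4; width:90%; max-width:90%; }
.TOC2table { margin-left:2em; white-space:nowrap; break-inside:auto; }
.TOC2table tr { vertical-align:top; text-align:left; break-inside:avoid; break-after:auto; }
.TOC2table .numb { font-weight:bold; padding-right:0.5em; }
.TOC2table .text { width:100%; white-space:normal; }

/* see "recalcitrant" above */
.TOC2cols2 table,
.TOC2cols2 tbody,
.TOC2cols2 tr,
.TOC2cols3 table,
.TOC2cols3 tbody,
.TOC2cols3 tr,
.TOC2cols4 table,
.TOC2cols4 tbody,
.TOC2cols4 tr { display:block; padding:0; }

/* Previous/up/next navigation strip. */
.NAVtable { margin:0.1em 0 0 2em; }
.NAVtable td { font-size:110%; font-weight:bold; padding:0; margin:0; }
.NAVtable a { padding:0 0.5em 0 0.5em; text-decoration:none; }

/* Index pages. */
.IDXcols1 { width:80%; max-width:80%; }
.IDXcols2 { column-count:2; width:90%; max-width:90%; }
.IDXcols3 { column-count:3; width:95%; max-width:95%;  }
.IDXcols4 { column-count:4; width:100%; max-width:100%;  }
.IDXtable { margin:1em 0 1em 2em; white-space:nowrap; break-inside:auto; }
.IDXtable tr { vertical-align:top; text-align:left; break-inside:avoid; break-after:auto; }
.IDXtable .alpha { font-weight:bold; min-width:2em; }
.IDXtable .text  { width:100%; white-space:normal; }
.IDXtable .para:before { content:'\00b6\00a0'; }

/* see "recalcitrant" above */
.IDXcols2 table,
.IDXcols2 tbody,
.IDXcols2 tr,
.IDXcols3 table,
.IDXcols3 tbody,
.IDXcols3 tr,
.IDXcols4 table,
.IDXcols4 tbody,
.IDXcols4 tr { display:block; padding:0; }

.insight { background-color:cyan; font-family:monospace;
           padding:0 0.2em 0 0.2em; margin:0 0.2em 0 0.2em;
           font-size:100%; font-style:normal; font-weight:normal;
           text-decoration:none; }

.wasdoc { font-family: "Lucida Console", Monaco, monospace;
          letter-spacing:-0.07em; }

/* On screen, .blank links get a "new window" arrow; .print content is hidden. */
@media screen { .blank::after { content:"\2924"; }
                .print { display:none; }
}

/* In print, page-break helpers take over and the screen navigation strip
   is replaced by the .NAVprint version. */
@media print {
   table { page-break-inside:avoid; }
   .noprint { display:none; }
   .page { border:none; page-break-after: always; }
   .epage { display:none; }
   .ppage { page-break-after:always; }
   .NAVtable { display:none; }
   .NAVprint { display:block!important; }
}

@page { margin:2cm 1cm 2cm 1cm;  }
</style>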
<!-- source:0000_config.wasdoc -->

<!-- Emoticon helpers: append a smiling / frowning face after the element. -->
<style>
._smiley::after { content:'\263a'; font-size:150%; vertical-align:middle; }
._frowny::after { content:'\2639'; font-size:150%; vertical-align:middle; }
</style>

<a id="0." href="#"></a>
<title>WASD Configuration &ndash; Authorization Configuration (Basics)</title>
<a id="11." href="#"></a>
<a id="11.authorizationconfigurationbasics" href="#"></a>
<a id="authorizationconfigurationbasics" href="#"></a>
<h1 class="head chunk">WASD Configuration</h1>
<h1 class="head"><span class="numb">11.</span><span class="text">Authorization Configuration (Basics)</span></h1>

<table class="TOC2table">
<tr><td><a href="config011.html#11.1.sysuafidentifierauthentication"><span class="numb">11.1</span><span class="text">SYSUAF/Identifier Authentication</span></a>
<tr><td><a href="config011.html#11.2.otherauthentication"><span class="numb">11.2</span><span class="text">Other Authentication</span></a>
<tr><td><a href="config011.html#11.3.readandwritegroupings"><span class="numb">11.3</span><span class="text">Read and Write Groupings</span></a>
<tr><td><a href="config011.html#11.4.considerations"><span class="numb">11.4</span><span class="text">Considerations</span></a>
</table>
</div>

<table class="NAVtable NAVprint"><tr>
<td><a href="javascript:window.history.back();">&#8617;&#xFE0E;</a>
<td><a href="config010.html#10.">&#8598;&#xFE0E;</a>
<td><a href="config000.html#0.">&#8593;&#xFE0E;</a>
<td><a href="config012.html#12.">&#8600;&#xFE0E;</a>
<td><a href="javascript:window.history.forward();">&#8618;&#xFE0E;</a>
</table>

<p> WASD offers a comprehensive and versatile authentication and authorization
environment.  A little too comprehensive, often leaving the new administrator
wondering where to begin.  The role of this chapter is to provide a starting
place, especially for sources of authentication, along with some basic
configurations.
<a class="link blank" target="_blank" href="../features/#authenticationandauthorization">Authentication and Authorization</a> of
<a class="link blank" target="_blank" href="../features/#0.">WASD Features and Facilities</a>
contains a detailed explanation of all
aspects.  All examples here assume a standard installation and environment.

<p> Just to clarify. <span class="high bold">Authentication</span> is the verification of a user's identity,
usually through username/password credentials. <span class="high bold">Authorization</span> is allowing a
certain action to be applied to a particular path based on that identity.

<p> Changes to the authorization configuration file can be validated at the
command-line before reload or restart.  This detects and reports any
syntactical and configuration errors but of course cannot check the
<span class="high italic">intent</span> of the rules.

<div class="blockof code">&dollar; HTTPD /DO=AUTH=CHECK
</div>

<p> If additional server startup qualifiers are required to enable specific
authorization features then these must also be provided when checking.  For
example:

<div class="blockof code">&dollar; HTTPD /DO=AUTH=CHECK /SYSUAF /PROFILE
</div>

<p> A server's currently loaded authorization rules may also be interrogated
from the Server Administration menu (see
<a class="link blank" target="_blank" href="../features/#serveradministration">Server Administration</a> of
<a class="link blank" target="_blank" href="../features/#0.">WASD Features and Facilities</a>).

<a id="11.1" href="#"></a>
<a id="11.1.sysuafidentifierauthentication" href="#"></a>
<a id="sysuafidentifierauthentication" href="#"></a>
<h2 class="head"><span class="numb">11.1</span><span class="text">SYSUAF/Identifier Authentication</span></h2>

<p> This setup allows any active account to authenticate using the local VMS
username and password.  By default not every account may authenticate this way,
only those holding specified VMS rights identifiers.  The examples provided in
this section allow access to the WASD online Server Administration facility,
and so may be followed specifically for that purpose, as well as serve as a
general guide.

<ul class="list">

<li class="item"> Define the following logical before calling the server startup
procedure.  To make such a definition permanent add it to the system or Web
environment startup procedures.  This logical contains a startup qualifier that
configures the server to allow authentication from the SYSUAF, using VMS rights
identifiers
(<a class="link blank" target="_blank" href="../features/#authenticationpolicy">Authentication Policy</a> of
<a class="link blank" target="_blank" href="../features/#0.">WASD Features and Facilities</a>).

<div class="blockof code">&dollar; DEFINE /SYSTEM WASD_STARTUP_SERVER &quot;/SYSUAF=ID&quot;
&dollar; @<span class="high italic">device</span>:[WASD_ROOT.LOCAL]STARTUP.COM
</div>

After a change to a command-line qualifier of the server such as the above
it needs to be restarted using the following directive.

<div class="blockof code">&dollar; HTTPD/DO=RESTART
</div>

<li class="item"> Decide on an identifier name.  This can be an existing identifier, or
one created for the purpose.  For this example the identifier will be
&quot;WASD_WEBADMIN&quot;.  Any identifier can be created using actions similar to the
following example.

<div class="blockof code">&dollar; SET DEFAULT SYS&dollar;SYSTEM
&dollar; MCR AUTHORIZE
UAF&gt; ADD /IDENTIFIER WASD_WEBADMIN
</div>

<li class="item"> Modify the authorization configuration file, accessed by the server
using the system logical WASD_CONFIG_AUTH, to contain the following.  This
allows full access to the online Server Administration facility and [.LOCAL]
directory (and no world access).  Additional paths may be added as required,
and of course multiple identifiers may be created and used for multiple realms
and paths.

<div class="blockof code">[&quot;Web Admin&quot;=WASD_WEBADMIN=id]
/httpd/-/admin/* r+w
/wasd_root/local/* r+w
</div>

<li class="item"> The identifier must then be granted to those accounts allowed to
authenticate in this way.

<div class="blockof code">&dollar; SET DEFAULT SYS&dollar;SYSTEM
&dollar; MCR AUTHORIZE
UAF&gt; GRANT /IDENTIFIER WASD_WEBADMIN SYSTEM
</div>

<li class="item"> Using this approach useful discrimination may be exercised.  For
instance, one identifier for Web administrators, another (or others) for
different authentication requirements.

<div class="blockof code">[&quot;Web Admin&quot;=WASD_WEBADMIN=id]
/wasd_root/local/* r+w
/httpd/-/admin/* r+w
[&quot;Area Access&quot;=<span class="high italic">area-identifier-name</span>=id]
/web/area/* r+w ; r
</div>

<p> Of course the one account may hold multiple identifiers and so may have
access to various areas.

<div class="blockof code">UAF&gt; GRANT /IDENTIFIER WASD_WEBADMIN SYSTEM
UAF&gt; GRANT /IDENTIFIER <span class="high italic">area-identifier-name</span> SYSTEM
</div>

<p> Using VMS rights identifiers allows significant granularity in providing
access.

</ul>

<a id="11.1.0.0.1" href="#"></a>
<a id="11.1.afterchanges" href="#"></a>
<a id="afterchanges" href="#"></a>
<h5 class="head"><span class="text">After Changes</span></h5>

<p> If the WASD_CONFIG_AUTH configuration file is changed, or rights identifiers are
granted or revoked from accounts, the server should be directed to reload the
file and purge any cached authorization information.

<div class="blockof code">&dollar; HTTPD/DO=AUTH=LOAD
&dollar; HTTPD/DO=AUTH=PURGE
</div>

<a id="11.2" href="#"></a>
<a id="11.2.otherauthentication" href="#"></a>
<a id="otherauthentication" href="#"></a>
<h2 class="head"><span class="numb">11.2</span><span class="text">Other Authentication</span></h2>

<p> Other sources of authentication are available, either by themselves or used
in the same configuration file (different realms and paths) as those already
discussed
(<a class="link blank" target="_blank" href="../features/#authenticationsources">Authentication Sources</a> of
<a class="link blank" target="_blank" href="../features/#0.">WASD Features and Facilities</a>).
Non-SYSUAF sources do not require any startup qualifier to be enabled.

<ul class="list">

<li class="item"> <span class="high bold">ACME</span> DOIs (Authentication and Credential Management Extension,
Domains of Interpretation) may be used to authenticate requests.

<div class="blockof code">[&quot;Whatever you want to call it!&quot;=<span class="high italic">doi</span>=ACME]
/web/area/* r+w
</div>

<li class="item"> <span class="high bold">Simple lists</span> contain usernames and unencrypted passwords.  These are
plain-text files, created and modified using any desired editor.

<div class="blockof code">[&quot;Whatever you want to call it!&quot;=<span class="high italic">list-name</span>=list]
/web/area/* r+w
</div>

<p> This is a <span class="high under">very</span> simple arrangement, with little inherent security.  Lists
are more useful when grouping names together for specifying which group may do
what to where.

<li class="item"> <span class="high bold">HTA databases</span> are WASD-specific, binary repositories of usernames,
encrypted passwords, capabilities, user and other detail.

<div class="blockof code">[&quot;Whatever you want to call it!&quot;=<span class="high italic">HTA-database-name</span>=HTA]
/web/area/* r+w
</div>

<p> These databases may be administered using the online Server Administration
facility
(<a class="link blank" target="_blank" href="../features/#httpdserverrevise">HTTPd Server Revise</a> of
<a class="link blank" target="_blank" href="../features/#0.">WASD Features and Facilities</a>)
or the HTAdmin command-line utility
(<a class="link blank" target="_blank" href="../features/#htadmin">HTAdmin</a> of
<a class="link blank" target="_blank" href="../features/#0.">WASD Features and Facilities</a>),
and are quite secure and versatile.

<li class="item"> <span class="high bold">External agents</span> are authentication and authorization scripts executed
on demand, under the control of, but external to, the server.  It is possible for
a site to write its own, custom authorization agent.

<div class="blockof code">[&quot;Whatever you want to call it!&quot;=<span class="high italic">agent-name</span>=agent]
/web/area/* r+w
</div>

Two variations on a versatile LDAP authenticator and a CEL-compatible
authenticator, along with example code, are available in the
<a class="link blank" target="_blank" href="/wasd_root/src/agent/">WASD_ROOT:[SRC.AGENT]</a> directory.

<li class="item"> <span class="high bold">X.509</span> establishes identity based on Public Key
Infrastructure (PKI) authentication certificates.  This is only available for
SSL transactions.

<div class="blockof code">[X509]
/web/area/* r+w
</div>

<li class="item"> <span class="high bold">RFC1413</span> is an IETF document describing an identification protocol that can
be used as a form of <span class="high italic">authentication</span> within this realm.

<div class="blockof code">[&quot;Whatever you want to call it!&quot;=RFC1413;A_PROJECT=list]
/web/area/* r+w ; r
</div>

</ul>

<a id="11.3" href="#"></a>
<a id="11.3.readandwritegroupings" href="#"></a>
<a id="readandwritegroupings" href="#"></a>
<h2 class="head"><span class="numb">11.3</span><span class="text">Read and Write Groupings</span></h2>

<p> WASD allows separate sources for groups of usernames to control read and
write access in a particular realm
(<a class="link blank" target="_blank" href="../features/#realmfullaccessreadonly">Realm, Full-Access, Read-Only</a> of
<a class="link blank" target="_blank" href="../features/#0.">WASD Features and Facilities</a>).

<p> These groups may be provided via simple lists, VMS identifiers, HTA
databases and authorization agents.  The following example shows an identifier
authenticated realm with full and read-only access controlled by two simple
lists.  For the first path the world has no access; for the second, read-only
access (with the read-only grouping becoming basically redundant information).

<div class="blockof code">[&quot;Realm Name&quot;=<span class="high italic">identifier_name</span>=id;<span class="high italic">full_access_name</span>=list;<span class="high italic">read-only_name</span>=list]
/web/area/* r+w ; 
/web/another-area/* r+w ; r
</div>

<a id="11.4" href="#"></a>
<a id="11.4.considerations" href="#"></a>
<a id="considerations" href="#"></a>
<h2 class="head"><span class="numb">11.4</span><span class="text">Considerations</span></h2>

<p> Multiple authentication sources (realms) may be configured in the one
WASD_CONFIG_AUTH file.

<p> Multiple paths may be mapped against a single authentication source.

<p> Any path may be mapped only once (for any single virtual service).

<p> Paths may have additional access restrictions placed on them, including
client host name, username, etc.
(<a class="link blank" target="_blank" href="../features/#accessrestrictionkeywords">Access Restriction Keywords</a> of
<a class="link blank" target="_blank" href="../features/#0.">WASD Features and Facilities</a>).

<p> The configuration file is loaded and stored by the server at startup.  If
changed it must be reloaded to take effect.  This can be done manually using

<div class="blockof code">&dollar; HTTPD/DO=AUTH=LOAD
</div>

<p> Authentication information is cached.  Access subsequently removed or
modified will not take effect until the entry expires, or is manually purged
using

<div class="blockof code">&dollar; HTTPD/DO=AUTH=PURGE
</div>

<p> Failed attempts to authenticate against a particular source are limited.
When this limit is exceeded access is always denied.  If this has happened the
cache must be manually purged before a user can successfully authenticate.

<div class="blockof code">&dollar; HTTPD/DO=AUTH=PURGE
</div>
<!-- source:1400_INDEX.WASDOC -->

<table class="NAVtable NAVprint"><tr>
<td><a href="javascript:window.history.back();">&#8617;&#xFE0E;</a>
<td><a href="config010.html#10.">&#8598;&#xFE0E;</a>
<td><a href="config000.html#0.">&#8593;&#xFE0E;</a>
<td><a href="config012.html#12.">&#8600;&#xFE0E;</a>
<td><a href="javascript:window.history.forward();">&#8618;&#xFE0E;</a>
</table>