[0001] [0002] [0003] [0004] [0005] [0006] [0007] [0008] [0009] [0010] [0011] [0012] [0013] [0014] [0015] [0016] [0017] [0018] [0019] [0020] [0021] [0022] [0023] [0024] [0025] [0026] [0027] [0028] [0029] [0030] [0031] [0032] [0033] [0034] [0035] [0036] [0037] [0038] [0039] [0040] [0041] [0042] [0043] [0044] [0045] [0046] [0047] [0048] [0049] [0050] [0051] [0052] [0053] [0054] [0055] [0056] [0057] [0058] [0059] [0060] [0061] [0062] [0063] [0064] [0065] [0066] [0067] [0068] [0069] [0070] [0071] [0072] [0073] [0074] [0075] [0076] [0077] [0078] [0079] [0080] [0081] [0082] [0083] [0084] [0085] [0086] [0087] [0088] [0089] [0090] [0091] [0092] [0093] [0094] [0095] [0096] [0097] [0098] [0099] [0100] [0101] [0102] [0103] [0104] [0105] [0106] [0107] [0108] [0109] [0110] [0111] [0112] [0113] [0114] [0115] [0116] [0117] [0118] [0119] [0120] [0121] [0122] [0123] [0124] [0125] [0126] [0127] [0128] [0129] [0130] [0131] [0132] [0133] [0134] [0135] [0136] [0137] [0138] [0139] [0140] [0141] [0142] [0143] [0144] [0145] [0146] [0147] [0148] [0149] [0150] [0151] [0152] [0153] [0154] [0155] [0156] [0157] [0158] [0159] [0160] [0161] [0162] [0163] [0164] [0165] [0166] [0167] [0168] [0169] [0170] [0171] [0172] [0173] [0174] [0175] [0176] [0177] [0178] [0179] [0180] [0181] [0182] [0183] [0184] [0185] [0186] [0187] [0188] [0189] [0190] [0191] [0192] [0193] [0194] [0195] [0196] [0197] [0198] [0199] [0200] [0201] [0202] [0203] [0204] [0205] [0206] [0207] [0208] [0209] [0210] [0211] [0212] [0213] [0214] [0215] [0216] [0217] [0218] [0219] [0220] [0221] [0222] [0223] [0224] [0225] [0226] [0227] [0228] [0229] [0230] [0231] [0232] [0233] [0234] [0235] [0236] [0237] [0238] [0239] [0240] [0241] [0242] [0243] [0244] [0245] [0246] [0247] [0248] [0249] [0250] [0251] [0252] [0253] [0254] [0255] [0256] [0257] [0258] [0259] [0260] [0261] [0262] [0263] [0264] [0265] [0266] [0267] [0268] [0269] [0270] [0271] [0272] [0273] [0274] [0275] [0276] [0277] [0278] [0279] [0280] [0281] [0282] [0283] [0284] [0285] [0286] [0287] [0288] [0289] [0290] [0291] [0292] [0293] [0294] [0295] [0296] [0297] [0298] [0299] [0300] [0301] [0302] [0303] [0304] [0305] [0306] [0307] [0308] [0309] [0310] [0311] [0312] [0313] [0314] [0315] [0316] [0317] [0318] [0319] [0320] [0321] [0322] [0323] [0324] [0325] [0326] [0327] [0328] [0329] [0330] [0331] [0332] [0333] [0334] [0335] [0336] [0337] [0338] [0339] [0340] [0341] [0342] [0343] [0344] [0345] [0346] [0347] [0348] [0349] [0350] [0351] [0352] [0353] [0354] [0355] [0356] [0357] [0358] [0359] [0360] [0361] [0362] [0363] [0364] [0365] [0366] [0367] [0368] [0369] [0370] [0371] [0372] [0373] [0374] [0375] [0376] [0377] [0378] [0379] [0380] [0381] [0382] [0383] [0384] [0385] [0386] [0387] [0388] [0389] [0390] [0391] [0392] [0393] [0394] [0395] [0396] [0397] [0398] [0399] [0400] [0401] [0402] [0403] [0404] [0405] [0406] [0407] [0408] [0409] [0410] [0411] [0412] [0413] [0414] [0415] [0416] [0417] [0418] [0419] [0420] [0421] [0422] [0423] [0424] [0425] [0426] [0427] [0428] [0429] [0430] [0431] [0432] [0433] [0434] [0435] [0436] [0437] [0438] [0439] [0440] [0441] [0442] [0443] [0444] [0445] [0446] [0447] [0448] [0449] [0450] [0451] [0452] [0453] [0454] [0455] [0456] [0457] [0458] [0459] [0460] [0461] [0462] [0463] [0464] [0465] [0466] [0467] [0468] [0469] [0470] [0471] [0472] [0473] [0474] [0475] [0476] [0477] [0478] [0479] [0480] [0481] [0482] [0483] [0484] [0485] [0486] [0487] [0488] [0489] [0490] [0491] [0492] [0493] [0494] [0495] [0496] [0497] [0498] [0499] [0500] [0501] [0502] [0503] [0504] [0505] [0506] [0507] [0508] [0509] [0510] [0511] [0512] [0513] [0514] [0515] [0516] [0517] [0518] [0519] [0520] [0521] [0522] [0523] [0524] [0525] [0526] [0527] [0528] [0529] [0530] [0531] [0532] [0533]
<!DOCTYPE html> <!-- WASDOC AXP-2.0.0 (CGILIB AXP-1.9.9) --> <!-- wasDOC Copyright (C) 2019,2020 Mark G.Daniel - Apache-2.0 licenced --> <!-- 3-NOV-2021 02:50 --> <noscript>NOTE: SOME FUNCTIONALITY EMPLOYS JAVASCRIPT</noscript> <div id="erreport1" style="display:none;"></div> <script> function errorReport(string) { for (var cnt = 1; cnt <= 2; cnt++) { var err = document.getElementById('erreport'+cnt); err.style.display = 'block'; err.innerHTML += string; } } </script> <style type="text/css"> html { font-family: arial, verdana, sans-serif; font-size:12pt; margin:1em; } h1 { font-size:124%; font-style:bold; margin-top:1em; margin-bottom:0.5em; } h2 { font-size:120%; font-style:bold; margin-top:1.1em; margin-bottom:0.4em; } h3 { font-size:116%; font-style:bold; margin-top:1.0em; margin-bottom:0.3em; } h4 { font-size:112%; font-style:bold; margin-top:1.1em; margin-bottom:0.3em; } h5 { font-size:112%; font-style:bold; margin-top:1.1em; margin-bottom:0.3em; } h6 { font-size:112%; font-style:bold; padding:0; margin:0; } h1 .text { text-decoration:underline; } h1 .numb { padding-right:0.8em; } h1 .numb:empty { display:none; padding-right:0; } h2 .numb { padding-right:0.8em; } h2 .numb:empty { display:none; padding-right:0; } h3 .numb { padding-right:0.8em; } h3 .numb:empty { display:none; padding-right:0; } h4 .numb { padding-right:0.8em; } h4 .numb:empty { display:none; padding-right:0; } h5 .numb { display:none; padding-right:0; } h6 .numb { display:none; padding-right:0; } kbd { font-family:monospace; } noscript { font-size:1.2em; } p { line-height:1.1em; margin-top:1em; margin-bottom:1em; } .chunk { font-size:130%; text-decoration:underline; } .head {} .high {} .bold { font-weight:bold; } .center { text-align:center; } .italic { font-style:italic; } .left { text-align:left; } .nowrap { white-space:nowrap; } .prewrap { white-space:pre; } .right { text-align:right; } .strike { text-decoration:line-through; } .under { text-decoration:underline; } .backlight { background-color:#f2f2f2; } .display0 { display:none; } img { max-width:100%; } .imglink { } .link { } .blank { } .list { margin-bottom:1em; } .list li { margin-top:0.5em; } .list0 li { margin-top:0; } .item {} .tabl { border-collapse:collapse; text-align:left; margin:0.4em 2em 0.5em 2em; } .tabu { border-collapse:collapse; text-align:right; margin:0.4em 2em 0.5em 2em; } .tabr { vertical-align:top; } .tabh { padding:0.2em 0 0 2em; margin:0; } .tabd { padding:0.1em 0 0 2em; margin:0; } .tabh:first-of-type, td:first-of-type { padding-left:0; } .tabu .tabh, .tabu .tabd { border:1px solid gray; padding:0.2em 0.3em 0.2em 0.3em; } .tab0 { border:none; visibility:hidden; max-width:1em; white-space:nowrap; overflow:hidden; } .tabauto { margin-left:auto; margin-right:auto; } .tabr:empty { height:0.2em; } .tabu .tabh:empty, .tabu .tabd:empty { border:none; visibility:hidden; } .error { font-size:110%; color:black; background-color:yellow; font-family:sans-serif; font-weight:bold; font-style:normal; width:95%; border:solid 1px gray; padding:0.5em 1em 0.5em 1em; } .error::before { content:'\026a0\00a0'; } .image { } .page { width:98%; border:1px dashed gray; margin:1.5em 0 1.8em 0; } .epage { width:98%; border:1px dashed black; margin:1.5em 0 1.8em 0; } .monosp { font-family:monospace; } .ppage { display:none; } .simple { list-style-type:none; } .valtop { vertical-align:top; } .valmid { vertical-align:middle; } .valbot { vertical-align:bottom; } .code { border-style:solid; border-width:0 0 0 1px; padding-left:1em; font-family:monospace; white-space:pre; } .block { } .blockof { margin:0.4em 2em 0.5em 2em; } .example { border-style:dashed; border-width:0 0 0 1px; padding-left:1em; margin-top:0.5em; margin-bottom:0.5em; white-space:pre; } .indent { margin-left:2em; margin-right:2em; } .noindent { margin-left:0; margin-right:0; } .inblock { display:inline-block; } .mono { white-space:pre; font-family:monospace; } .note { margin:0.4em 2em 0.5em 2em; page-break-inside:avoid; } .note h5 { margin-top:0 } .note_hr { width:80%; border:1px solid gray; } .prop { padding-left:1em; margin-top:0.5em; margin-bottom:0.5em; } .quote { border-style:dashed; border-width:0 0 0 1px; padding-left:1em; margin-top:0.5em; margin-bottom:0.5em; } .this { display:none; } a:link,a:visited { color:black; text-decoration:none; } a:hover,a:active { text-decoration:underline; } a:focus { outline:0; } :target:before { content:''; display:block; height:0.1em; margin:-0.1em; } a.link:link, a.link:visited,a.link:active { color:midnightBlue; text-decoration:underline; text-decoration-style:solid; } .TOC1cols1 { width:80%; max-width:80%; } .TOC1cols2 { column-count:2; width:80%; max-width:80%; } .TOC1cols3 { column-count:3; max-width:90%; max-width:90%; } .TOC1cols4 { column-count:4; max-width:100%; max-width:100%; } .TOC1table { margin-left:2em; white-space:nowrap; break-inside:auto; } .TOC1table tr { vertical-align:top; text-align:left; break-inside:avoid; break-after:auto; } .TOC1table td+td { padding:0 0 0 0.5em; } .TOC1table .numb { width:3em; max-width:3em; } .TOC1table .sepr { width:5em; max-width:6em; overflow:hidden; } .TOC1table .majr { font-weight:bold; } .TOC1table .text { white-space:normal; } /* These are due to Firefox (at least <= 76) recalcitrant multi-column handling. Web search "Split table into css columns, issue in Firefox" (stackoverflow). "Good grief, Charlie Brown!" */ .TOC1cols2 table, .TOC1cols2 tbody, .TOC1cols2 tr, .TOC1cols3 table, .TOC1cols3 tbody, .TOC1cols3 tr, .TOC1cols4 table, .TOC1cols4 tbody, .TOC1cols4 tr { display:block; padding:0; } .TOC2cols1 { width:60%; max-width:60%; } .TOC2cols2 { column-count:2; width:70%; max-width:70%; } .TOC2cols3 { column-count:3; width:80%; max-width:80%; } .TOC2cols4 { column-count:4; width:90%; max-width:90%; } .TOC2table { margin-left:2em; white-space:nowrap; break-inside:auto; } .TOC2table tr { vertical-align:top; text-align:left; break-inside:avoid; break-after:auto; } .TOC2table .numb { font-weight:bold; padding-right:0.5em; } .TOC2table .text { width:100%; white-space:normal; } /* see "recalcitrant" above */ .TOC2cols2 table, .TOC2cols2 tbody, .TOC2cols2 tr, .TOC2cols3 table, .TOC2cols3 tbody, .TOC2cols3 tr, .TOC2cols4 table, .TOC2cols4 tbody, .TOC2cols4 tr { display:block; padding:0; } .NAVtable { margin:0.1em 0 0 2em; } .NAVtable td { font-size:110%; font-weight:bold; padding:0; margin:0; } .NAVtable a { padding:0 0.5em 0 0.5em; text-decoration:none; } .IDXcols1 { width:80%; max-width:80%; } .IDXcols2 { column-count:2; width:90%; max-width:90%; } .IDXcols3 { column-count:3; width:95%; max-width:95%; } .IDXcols4 { column-count:4; width:100%; max-width:100%; } .IDXtable { margin:1em 0 1em 2em; white-space:nowrap; break-inside:auto; } .IDXtable tr { vertical-align:top; text-align:left; break-inside:avoid; break-after:auto; } .IDXtable .alpha { font-weight:bold; min-width:2em; } .IDXtable .text { width:100%; white-space:normal; } .IDXtable .para:before { content:'\00b6\00a0'; } /* see "recalcitrant" above */ .IDXcols2 table, .IDXcols2 tbody, .IDXcols2 tr, .IDXcols3 table, .IDXcols3 tbody, .IDXcols3 tr, .IDXcols4 table, .IDXcols4 tbody, .IDXcols4 tr { display:block; padding:0; } .insight { background-color:cyan; font-family:monospace; padding:0 0.2em 0 0.2em; margin:0 0.2em 0 0.2em; font-size:100%; font-style:normal; font-weight:normal; text-decoration:none; } .wasdoc { font-family: "Lucida Console", Monaco, monospace; letter-spacing:-0.07em; } @media screen { .blank::after { content:"\2924"; } .print { display:none; } } @media print { table { page-break-inside:avoid; } .noprint { display:none; } .page { border:none; page-break-after: always; } .epage { display:none; } .ppage { page-break-after:always; } .NAVtable { display:none; } .NAVprint { display:block!important; } } @page { margin:2cm 1cm 2cm 1cm; } </style> <!-- source:0000_config.wasdoc --> <style type="text/css">._smiley::after { font-size:150%; vertical-align:middle; content:'\263a' }</style> <style type="text/css">._frowny::after { font-size:150%; vertical-align:middle; content:'\2639' }</style> <a id="0." href="#"></a> <title>WASD Configuration – Authorization Configuration (Basics)</title> <a id="11." href="#"></a> <a id="11.authorizationconfigurationbasics" href="#"></a> <a id="authorizationconfigurationbasics" href="#"></a> <h1 class="head chunk">WASD Configuration</h1> <h1 class="head"><span class="numb">11.</span><span class="text">Authorization Configuration (Basics)</span></h1> <table class="TOC2table"> <tr><td><a href="config011.html#11.1.sysuafidentifierauthentication"><span class="numb">11.1</span><span class="text">SYSUAF/Identifier Authentication</span></a> <tr><td><a href="config011.html#11.2.otherauthentication"><span class="numb">11.2</span><span class="text">Other Authentication</span></a> <tr><td><a href="config011.html#11.3.readandwritegroupings"><span class="numb">11.3</span><span class="text">Read and Write Groupings</span></a> <tr><td><a href="config011.html#11.4.considerations"><span class="numb">11.4</span><span class="text">Considerations</span></a> </table> </div> <table class="NAVtable NAVprint"><tr> <td><a href="javascript:window.history.back();">↩︎</a> <td><a href="config010.html#10.">↖︎</a> <td><a href="config000.html#0.">↑︎</a> <td><a href="config012.html#12.">↘︎</a> <td><a href="javascript:window.history.forward();">↪︎</a> </table> <p> WASD offers a comprehensive and versatile authentication and authorization environment. A little too comprehensive, often leaving the new administrator wondering where to begin. The role of this chapter is to provide a starting place, especially for sources of authentication, along with some basic configurations. <a class="link blank" target="_blank" href="../features/#authenticationandauthorization">Authentication and Authorization</a> of <a class="link blank" target="_blank" href="../features/#0.">WASD Features and Facilities</a> contains a detailed explanation of all aspects. All examples here assume a standard installation and environment. <p> Just to clarify. <span class="high bold">Authentication</span> is the verification of a user's identity, usually through username/password credentials. <span class="high bold">Authorization</span> is allowing a certain action to be applied to a particular path based on that identity. <p> Changes to the authorization configuration file can be validated at the command-line before reload or restart. This detects and reports any syntactical and configuration errors but of course cannot check the <span class="high italic">intent</span> of the rules. <div class="blockof code">$ HTTPD /DO=AUTH=CHECK </div> <p> If additional server startup qualifiers are required to enable specific authorization features then these must also be provided when checking. For example: <div class="blockof code">$ HTTPD /DO=AUTH=CHECK /SYSUAF /PROFILE </div> <p> A server's currently loaded authorization rules may also be interrogated from the Server Administration menu (see <a class="link blank" target="_blank" href="../features/#serveradministration">Server Administration</a> of <a class="link blank" target="_blank" href="../features/#0.">WASD Features and Facilities</a>). <a id="11.1" href="#"></a> <a id="11.1.sysuafidentifierauthentication" href="#"></a> <a id="sysuafidentifierauthentication" href="#"></a> <h2 class="head"><span class="numb">11.1</span><span class="text">SYSUAF/Identifier Authentication</span></h2> <p> This setup allows any active account to authenticate using the local VMS username and password. By default not every account may authenticate this way, only those holding specified VMS rights identifiers. The examples provided in this section allows access to the WASD online Server Administration facility, and so may be followed specifically for that purpose, as well as serve as a general guide. <ul class="list"> <li class="item"> Define the following logical before calling the server startup procedure. To make such a definition permanent add it to the system or Web environment startup procedures. This logical contains a startup qualifier that configures the server to allow authentication from the SYSUAF, using VMS rights identifiers (<a class="link blank" target="_blank" href="../features/#authenticationpolicy">Authentication Policy</a> of <a class="link blank" target="_blank" href="../features/#0.">WASD Features and Facilities</a>). <div class="blockof code">$ DEFINE /SYSTEM WASD_STARTUP_SERVER "/SYSUAF=ID" $ @<span class="high italic">device</span>:[WASD_ROOT.LOCAL]STARTUP.COM </div> After a change to a command-line qualifier of the server such as the above it needs to be restarted using the following directive. <div class="blockof code">$ HTTPD/DO=RESTART </div> <li class="item"> Decide on an identifier name. This can be an existing identifier, or one created for the purpose. For this example the identifier will be "WASD_WEBADMIN". Any identifier can be created using actions similar to the following example. <div class="blockof code">$ SET DEFAULT SYS$SYSTEM $ MCR AUTHORIZE UAF> ADD /IDENTIFIER WASD_WEBADMIN </div> <li class="item"> Modify the authorization configuration file, accessed by the server using the system logical WASD_CONFIG_AUTH, to contain the following. This allows full access to the online Server Administration facility and [.LOCAL] directory (and no world access). Additional paths may be added as required, and of course multiple identifiers may be created and used for multiple realms and paths. <div class="blockof code">["Web Admin"=WASD_WEBADMIN=id] /httpd/-/admin/* r+w /wasd_root/local/* r+w </div> <li class="item"> The identifier must then be granted to those accounts allowed to authenticate in this way. <div class="blockof code">$ SET DEFAULT SYS$SYSTEM $ MCR AUTHORIZE UAF> GRANT /IDENTIFIER WASD_WEBADMIN SYSTEM </div> <li class="item"> Using this approach useful discrimination may be exercised. For instance, one identifier for Web administrators, another (or others) for different authentication requirements. <div class="blockof code">["Web Admin"=WASD_WEBADMIN=id] /wasd_root/local/* r+w /httpd/-/admin/* r+w ["Area Access"=<span class="high italic">area-identifier-name</span>=id] /web/area/* r+w ; r </div> <p> Of course the one account may hold multiple identifiers and so may have access to various areas. <div class="blockof code">UAF> GRANT /IDENTIFIER WASD_WEBADMIN SYSTEM UAF> GRANT /IDENTIFIER <span class="high italic">area-identifier-name</span> SYSTEM </div> <p> Using VMS rights identifiers allows significant granularity in providing access. </ul> <a id="11.1.0.0.1" href="#"></a> <a id="11.1.afterchanges" href="#"></a> <a id="afterchanges" href="#"></a> <h5 class="head"><span class="text">After Changes</span></h5> <p> If the WASD_CONFIG_AUTH configuration file is changed, or rights identifiers are granted or revoked from accounts, the server should be directed to reload the file and purge any cached authorization information. <div class="blockof code">$ HTTPD/DO=AUTH=LOAD $ HTTPD/DO=AUTH=PURGE </div> <a id="11.2" href="#"></a> <a id="11.2.otherauthentication" href="#"></a> <a id="otherauthentication" href="#"></a> <h2 class="head"><span class="numb">11.2</span><span class="text">Other Authentication</span></h2> <p> Other sources of authentication are available, either by themselves or used in the same configuration file (different realms and paths) as those already discussed (<a class="link blank" target="_blank" href="../features/#authenticationsources">Authentication Sources</a> of <a class="link blank" target="_blank" href="../features/#0.">WASD Features and Facilities</a>). Non-SYSUAF sources do not require any startup qualifier to be enabled. <ul class="list"> <li class="item"> <span class="high bold">ACME</span> DOIs (Authentication and Credential Management Extension, Domains of Interpretation) may be used to authenticate requests. <div class="blockof code">["Whatever you want to call it!"=<span class="high italic">doi</span>=ACME] /web/area/* r+w </div> <li class="item"> <span class="high bold">Simple lists</span> contain usernames and unencrypted passwords. These are plain-text files, created and modified using any desired editor. <div class="blockof code">["Whatever you want to call it!"=<span class="high italic">list-name</span>=list] /web/area/* r+w </div> <p> This is a <span class="high under">very</span> simple arrangement, with little inherent security. Lists are more useful when grouping names together for specifying which group may do what to where. <li class="item"> <span class="high bold">HTA databases</span> are WASD-specific, binary repositories of usernames, encrypted passwords, capabilities, user and other detail. <div class="blockof code">["Whatever you want to call it!"=<span class="high italic">HTA-database-name</span>=HTA] /web/area/* r+w </div> <p> These databases may be administered using the online Server Administration facility (<a class="link blank" target="_blank" href="../features/#httpdserverrevise">HTTPd Server Revise</a> of <a class="link blank" target="_blank" href="../features/#0.">WASD Features and Facilities</a>). or the HTAdmin command-line utility (<a class="link blank" target="_blank" href="../features/#htadmin">HTAdmin</a> of <a class="link blank" target="_blank" href="../features/#0.">WASD Features and Facilities</a>). are quite secure and versatile. <li class="item"> <span class="high bold">External agents</span> are authentication and authorization scripts executed on demand, under the control-of but external to the server. It is possible for a site to write its own, custom authorization agent. <div class="blockof code">["Whatever you want to call it!"=<span class="high italic">agent-name</span>=agent] /web/area/* r+w </div> Two variations on a versatile LDAP authenticator and a CEL-compatible authenticator, along with example code is available in the <a class="link blank" target="_blank" href="/wasd_root/src/agent/"">WASD_ROOT:[SRC.AGENT]</a> directory. <li class="item"> <span class="high bold">X.509</span> establishes identity based on Public Key Infrastructure (PKI) authentication certificates. This is only available for SSL transactions. <div class="blockof code">[X509] /web/area/* r+w </div> <li class="item"> <span class="high bold">RFC1413</span> IETF document describes an identification protocol that can be used as a form of <span class="high italic">authentication</span> within this realm. <div class="blockof code">["Whatever you want to call it!"=RFC1413;A_PROJECT=list] /web/area/* r+w ; r </div> </ul> <a id="11.3" href="#"></a> <a id="11.3.readandwritegroupings" href="#"></a> <a id="readandwritegroupings" href="#"></a> <h2 class="head"><span class="numb">11.3</span><span class="text">Read and Write Groupings</span></h2> <p> WASD allows separate sources for groups of usernames to control read and write access in a particular realm (<a class="link blank" target="_blank" href="../features/#realmfullaccessreadonly">Realm, Full-Access, Read-Only</a> of <a class="link blank" target="_blank" href="../features/#0.">WASD Features and Facilities</a>). <p> These groups may be provided via simple lists, VMS identifiers, HTA databases and authorization agents. The following example shows an identifier authenticated realm with full and read-only access controlled by two simple lists. For the first path the world has no access, for the second read-only access (with the read-only grouping becoming basically redundant information). <div class="blockof code">["Realm Name"=<span class="high italic">identifier_name</span>=id;<span class="high italic">full_access_name</span>=list;<span class="high italic">read-only_name</span>=list] /web/area/* r+w ; /web/another-area/* r+w ; r </div> <a id="11.4" href="#"></a> <a id="11.4.considerations" href="#"></a> <a id="considerations" href="#"></a> <h2 class="head"><span class="numb">11.4</span><span class="text">Considerations</span></h2> <p> Multiple authentication sources (realms) may be configured in the one WASD_CONFIG_AUTH file. <p> Multiple paths may be mapped against a single authentication source. <p> Any path may be mapped only once (for any single virtual service). <p> Paths may have additional access restrictions placed on them, including client host name, username, etc. (<a class="link blank" target="_blank" href="../features/#accessrestrictionkeywords">Access Restriction Keywords</a> of <a class="link blank" target="_blank" href="../features/#0.">WASD Features and Facilities</a>). <p> The configuration file is loaded and stored by the server at startup. If changed it must be reloaded to take effect. This can be done manually using <div class="blockof code">$ HTTPD/DO=AUTH=LOAD </div> <p> Authentication information is cached. Access subsequently removed or modified will not take effect until the entry expires, or is manually purged using <div class="blockof code">$ HTTPD/DO=AUTH=PURGE </div> <p> Failed attempts to authenticate against a particular source are limited. When this is exceeded access is always denied. If this has happened the cache must be manually purged before a user can successfully authenticate <div class="blockof code">$ HTTPD/DO=AUTH=PURGE </div> <!-- source:1400_INDEX.WASDOC --> <table class="NAVtable NAVprint"><tr> <td><a href="javascript:window.history.back();">↩︎</a> <td><a href="config010.html#10.">↖︎</a> <td><a href="config000.html#0.">↑︎</a> <td><a href="config012.html#12.">↘︎</a> <td><a href="javascript:window.history.forward();">↪︎</a> </table>