Apache HTTP Server Version 1.3
Authentication, Authorization, and Access Control
Apache has three distinct ways of dealing with the question of whether a particular request
for a resource will result in that resource actually being returned. These criteria are called Authorization,
Authentication, and Access control.
Authentication is any process by which you verify that someone is who they claim to be.
This usually involves a username and a password, but can include any other method of
demonstrating identity, such as a smart card, retina scan, voice recognition, or fingerprints.
Authentication is equivalent to showing your driver's license at the ticket counter at the
airport.
Authorization is finding out if the person, once identified, is permitted to have the
resource. This is usually determined by finding out if that person is a part of a particular
group, if that person has paid admission, or has a particular level of security clearance.
Authorization is equivalent to checking the guest list at an exclusive party, or checking for
your ticket when you go to the opera.
Finally, access control is a much more general way of talking about controlling access to a
web resource. Access can be granted or denied based on a wide variety of criteria, such as the
network address of the client, the time of day, the phase of the moon, or the browser which
the visitor is using. Access control is analogous to locking the gate at closing time, or only
letting people onto the ride who are more than 48 inches tall - it's controlling entrance by
some arbitrary condition which may or may not have anything to do with the attributes of the
particular visitor.
Because these three techniques are so closely related in most real applications, it is
difficult to talk about them separately from one another. In particular, authentication and
authorization are, in most actual implementations, inextricable.
If you have information on your web site that is sensitive, or intended for only a small
group of people, the techniques in this tutorial will help you make sure that the people who
see those pages are the people you intended to see them.
The various authentication modules provide a number of ways to restrict access to your host
based on the identity of the user. They offer a somewhat standard interface to this
functionality, but provide different back-end mechanisms for actually authenticating the user.
And the access control mechanism allows you to restrict access based on criteria unrelated
to the identity of the user.
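To make the three concepts concrete, here is an added example configuration (not taken from the Apache documentation) in which one Directory block uses each mechanism once: the flat-file authentication back end of mod_auth, a group-based authorization rule, and a host-based access control rule from mod_access. The directory paths, realm name, group name and network address are assumed placeholders.

```apache
# Added example, not part of the Apache documentation.
# Paths, realm, group name and network below are assumed placeholders.
<Directory "/usr/local/apache/htdocs/private">
    # --- Authentication: establish who the visitor is ---
    # Basic auth with the flat-file back end provided by mod_auth.
    AuthType Basic
    AuthName "Private Area"
    AuthUserFile  /usr/local/apache/conf/htpasswd
    AuthGroupFile /usr/local/apache/conf/htgroup

    # --- Authorization: is this identified user permitted the resource? ---
    # Only members of the "staff" group listed in AuthGroupFile are
    # admitted; a valid username and password alone is not enough.
    require group staff

    # --- Access control: a condition unrelated to the user's identity ---
    # Deny everyone by default, then allow only the internal network.
    Order deny,allow
    Deny from all
    Allow from 10.0.0.0/255.0.0.0

    # With "Satisfy all" (the default) both the host rule and the
    # user/group check must pass. "Satisfy any" would admit a request
    # that passes either one, which is a much weaker policy.
    Satisfy all
</Directory>
```

The password and group files are kept under conf/, outside the document tree, so they can never be served as ordinary web content.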
Footnotes
- ... value.1
- There are actually a number of implementations that get around this limitation. MLDBM is
one of them, for example. However, for the purposes of this discussion, we'll just deal
with standard Berkeley DB, which is likely to have shipped with whatever operating system
you are already running.
- ... file2
- Or, if you are using mod_auth_dbm, a DBM file.