Securing Your Web Pages with Apache Page 4
If the client gets a 'not authorised' status in response to a request that included credentials, it typically responds a little differently: it will probably tell the user 'those credentials weren't accepted, want to try again?' It didn't say that the first time because it hadn't sent any.
In either case, if the end-user opts to not fill in the dialogue and presses 'cancel,' the client typically just displays the error page that the server sent along with the 'not authorised' status, and goes back to waiting for instructions.
Apache Security Processing Phases
The preceding sections have been subtly leading up to this topic. Apache handles all requests by running them through phases. Each Apache module has an opportunity to deal with the request during each of the phases, though most modules only do so for one or possibly two of them.
Apache has three processing phases relating to security checking. They occur in the following order, and are given the following names:
access_checker-- This phase is where mandatory access checks are applied, such as
mod_access' check for whether the client's IP address is allowed to access the document or not
check_user_id-- This is the authentication phase, during which a DAC module such as
mod_authchecks the user credentials to see if they're even in the database it's been told to use
auth_checker-- This is the phase during which authorisation occurs; modules like
mod_authcheck to see if the user (who has already been authenticated) is allowed to access the document
Modules that impose discretionary access checks usually participate in the latter two phases.
Basic Authentication versus
How does the username and password get transmitted across the network? Well, in early 2000 the answer is: not very well. It's not that there are technical problems with the transmission; rather, the issues are more philosphical.
There are currently two main methods of passing credentials, called Basic authentication and Digest authentication. The Digest method is considerably more secure, but unfortunately less widely deployed -- so most authentication on the Web is done using the less-secure Basic mechanism.
Basic authentication involves simply base64-encoding the username and password and transmitting the result to the server. This means that anyone who can intercept the transmission can determine the username and password. Of course, this is only useful if those values are valid and end up getting successfully authenticated. <grin> Digest authentication transmits the information in a manner that cannot be so easily decoded.
IT Solutions Builder TOP IT RESOURCES TO MOVE YOUR BUSINESS FORWARD
Which topic are you interested in?
What is your company size?
What is your job title?
What is your job function?
Searching our resource database to find your matches...