Oracle B12255-01 Manual Do Utilizador

Authentication and Authorization Enforcement
Managing Security 8-9
User Authentication and Authorization
Basic authentication prompts for a user name and password before serving an
HTTP request. When a browser requests a page from a protected area, Oracle HTTP
Server responds with an unauthorized message (status code 401) containing a
WWW-Authenticate: header and the name of the realm configured by the
configuration directive, AuthName. When the browser receives this response, it
prompts for a user name and password. After the user enters a user name and
password combination, the browser sends this information back to the server in an
Authorization header. In the Authorization header, the user name and password
are encoded as a base64-encoded string; base64 is an encoding, not encryption, so
the credentials travel in clear text unless the connection itself is protected.
User authorization involves checking the authenticated user against an access
control list that is associated with a specific server resource such as a file or
directory. To configure user authorization, place the require directive in the
httpd.conf file, usually within a virtual host container. User authorization is
commonly used in combination with user authentication. After the server has
authenticated a user's user name and password, the server compares the user
to an access control list associated with the requested server resource. If Oracle
HTTP Server finds the user or the user's group on the list, then the resource is made
available to that user.
Using mod_auth to Authenticate Users
User authentication is based on user names and passwords that are checked against
a list of known users and passwords. These user name and password pairs may be
stored in a variety of forms, such as a text file, database, or directory service.
Configuration directives in httpd.conf then configure this type of user
authentication on the server. mod_auth uses the AuthUserFile directive to set up
basic authentication; it supports only files.
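The following added example (illustrative code written for this page, not Oracle's or Apache's implementation) walks the whole sequence described above: the 401 challenge carrying the AuthName realm, the base64 decoding of the browser's Authorization header, the mod_auth-style lookup in an AuthUserFile, and the access-control decision made by a require directive. The user and group file contents, the realm name, the user names and passwords, and the directory paths in the comment are all constructed for the example. It assumes the AuthUserFile entries are in the "{SHA}" form that Apache's htpasswd -s writes (base64 of the raw SHA-1 digest), and it assumes, following Apache 1.3 mod_auth behaviour, that a failed require re-issues the 401 challenge rather than returning 403.

```python
"""
Constructed walk-through of HTTP Basic authentication and authorization
as a mod_auth-protected area in httpd.conf performs it. Hypothetical
configuration this code mirrors (paths are placeholders):

    <Directory "/secure">
        AuthType Basic
        AuthName "Admin Area"
        AuthUserFile  /path/to/users     # hypothetical path
        AuthGroupFile /path/to/groups    # hypothetical path
        require group admins
    </Directory>
"""
import base64
import hashlib
import hmac
from typing import Dict, Optional, Set, Tuple

REALM = "Admin Area"  # value of the AuthName directive (constructed)


def sha_entry(password: str) -> str:
    """Password field in the '{SHA}' format written by `htpasswd -s`."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


# Constructed AuthUserFile contents: alice -> "s3cret", bob -> "hunter2".
AUTH_USER_FILE = f"alice:{sha_entry('s3cret')}\nbob:{sha_entry('hunter2')}\n"
# Constructed AuthGroupFile contents: "group: member member ..."
AUTH_GROUP_FILE = "admins: alice\nstaff: alice bob\n"


def challenge(realm: str) -> Tuple[int, Dict[str, str]]:
    """The 401 response sent when a protected page is requested without credentials."""
    return 401, {"WWW-Authenticate": f'Basic realm="{realm}"'}


def basic_header(user: str, password: str) -> str:
    """What the browser sends back after the prompt (client side)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")


def parse_authorization(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Recover user name and password from the Authorization header.
    Base64 is reversible, so anyone who sees this header reads the password."""
    if not header:
        return None
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def load_users(text: str) -> Dict[str, str]:
    """Parse AuthUserFile lines of the form 'name:hashed-password'."""
    users: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and ":" in line:
            name, _, stored = line.partition(":")
            users[name] = stored
    return users


def load_groups(text: str) -> Dict[str, Set[str]]:
    """Parse AuthGroupFile lines of the form 'group: user user ...'."""
    groups: Dict[str, Set[str]] = {}
    for line in text.splitlines():
        if ":" in line:
            name, _, members = line.partition(":")
            groups[name.strip()] = set(members.split())
    return groups


def authenticate(user: str, password: str, users: Dict[str, str]) -> bool:
    """mod_auth-style check of the submitted password against the file entry."""
    stored = users.get(user)
    if stored is None or not stored.startswith("{SHA}"):
        return False
    return hmac.compare_digest(stored, sha_entry(password))  # constant-time compare


def authorize(user: str, require: str, groups: Dict[str, Set[str]]) -> bool:
    """Apply a require directive: 'valid-user', 'user a b ...' or 'group g h ...'."""
    kind, _, rest = require.partition(" ")
    names = rest.split()
    if kind == "valid-user":
        return True
    if kind == "user":
        return user in names
    if kind == "group":
        return any(user in groups.get(g, set()) for g in names)
    return False


def handle_request(headers: Dict[str, str], require: str) -> Tuple[int, str]:
    """Status and reason the server would produce for one request to the protected area."""
    creds = parse_authorization(headers.get("Authorization"))
    if creds is None:
        return 401, "no credentials"            # server sends challenge(REALM)
    user, password = creds
    if not authenticate(user, password, load_users(AUTH_USER_FILE)):
        return 401, "authentication failed"     # challenge is re-issued
    if not authorize(user, require, load_groups(AUTH_GROUP_FILE)):
        return 401, "not authorized"            # assumption: re-challenge, as Apache 1.3 mod_auth does
    return 200, "ok"


if __name__ == "__main__":
    print(challenge(REALM))
    print(parse_authorization(basic_header("alice", "s3cret")))   # clear-text recovery
    print(handle_request({"Authorization": basic_header("alice", "s3cret")}, "group admins"))
    print(handle_request({"Authorization": basic_header("bob", "hunter2")}, "group admins"))
```

Running the script prints the 401 challenge, then the decoded ("alice", "s3cret") pair, which is the practical reason the manual's own table calls clear-text Basic authentication "not recommended": the base64 wrapper hides nothing from anyone who can read the request. Alice, a member of admins, gets 200 for "require group admins"; bob authenticates successfully but is not in that group, so the server refuses him.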
Any authentication scheme that you devise requires that you use a combination of
the configuration directives listed in Table 8–1.

Table 8–1 Directives Descriptions

Directive Name   Description
AuthName         Defines the name of the realm in which the user names and
                 passwords are valid. Use quotation marks if the name includes
                 spaces.
AuthType         Specifies the authentication type. Most authentication modules use
                 basic authentication, which transmits user names and passwords in
                 clear text. This is not recommended.