<P>Client Authentication is the name of the standard password system for WWW servers. It allows you to restrict access to your WWW server, either to keep down its use or to protect sensitive or private data.</P>
<P>Clients who can supply a valid username and password (henceforth referred to as 'credentials') for the protected 'realm' (directory on the server) are allowed to retrieve pages from within that realm. Clients who cannot submit valid credentials are rejected and presented with an 'Unauthorized' screen.</P>
<P>What will typically happen is that the client will try to access one of the server's pages; the server will fault the request and inform the client that it needs some credentials before continuing. The client will then request a username and password from the user, perhaps via a dialogue box, and these will be used from then on as identification when accessing the server. The client will present these credentials to the server, which will check them and either accept them and serve the page, or reject the request.</P>
<P>Netplex supports Basic Authentication, which is the standard authentication method. However, Basic Authentication is not a truly secure method of transfer: the credentials are not securely encoded and the entity body is not encoded at all. You shouldn't use it for the transfer of sensitive data (e.g. Credit Card details) if you do not believe your network to be secure.</P>
<A NAME="enabling"><H2>Enabling</H2></A>
<P>To enable Client Authentication for your server, you must first decide which directories you want protected and then create a suitable Configuration file. As an example, consider the following partial representation of a directory structure :</P>
<P>The directories outlined in red are the ones we want to protect - they contain information for members of staff only. The Staff directory nearest the top of the diagram is to be made available to all staff, whereas the one nearest the bottom is for Maths staff only.</P>
<A NAME="cfg-realms"></A>
<P>To protect these directories we must create a Configuration file called 'Realms' and put this in the top-level web page directory. This file defines which directories are realms, their realm names and how they are protected. For our example it would be as follows :</P>
<PRE><P>
# Realms file for St. Frobnitz' School WWW Server
#
Realms
/staff:Staff:StaffAuth
/subjects/maths/staff:Maths staff:MathsAuth
</P></PRE>
<P>The lines beginning with '#' are comments. The first non-comment line, 'Realms', specifies that this configuration file defines realm properties. Each of the following lines has three elements, separated by ':'. The first element, '/staff', defines the directory which is to be protected; it is specified in the same format as it would be in a URL. The next element, 'Staff', defines the name of the realm, which is used by the client to differentiate realms. The last element, 'StaffAuth', is the filename of the <I>Authorisation file</I> which holds the credentials for that realm. The filename is given relative to the root directory, so an auth file called 'German' in a directory called 'AuthFiles' would be specified as 'AuthFiles.German'.</P>
<A NAME="cfg-auth"></A>
<P>Authorisation files are the files that hold the authorised users' credentials - they contain a list of username:password pairs listing the users that are authorised to use the respective realm. The following is an example Authorisation file :</P>
<PRE><P>
# Example Authorisation file
#
# The format is &lt;username&gt;:&lt;password&gt;
#
Authorisation
dthomas:chips
pjones:soss
jkelly:egg
jsmith:rat
</P></PRE>
<P>The lines beginning with '#' are comments. The first non-comment line identifies the file as an Authorisation file and the remaining lines are of the format 'username:password'.</P>
<P>Once a Realm file and its associated Authorisation files have been placed in the root web page directory, you must restart Netplex. After Netplex is back up and running, any connection attempts will be subject to the applicable authorisation controls.</P>
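<P>The following Python sketch is an added example, not Netplex's own code: it parses the Realms and Authorisation formats shown above and decides whether a request is served or answered with 'Unauthorized'. The longest-match rule for nested directories, the function names and the request paths are assumptions; the sample files are constructed from the examples on this page.</P>

```python
import base64
import hmac

# Constructed sample files, based on the examples on this page.
REALMS_FILE = """# Realms file for St. Frobnitz' School WWW Server
Realms
/staff:Staff:StaffAuth
/subjects/maths/staff:Maths staff:MathsAuth
"""
AUTH_FILES = {
    "StaffAuth": "# Example Authorisation file\nAuthorisation\ndthomas:chips\npjones:soss\n",
    "MathsAuth": "Authorisation\njkelly:egg\n",
}

def parse(text, keyword, fields):
    """Drop comments and blank lines, check the type keyword, split entries on ':'."""
    lines = [l.strip() for l in text.splitlines()]
    lines = [l for l in lines if l and not l.startswith("#")]
    if not lines or lines[0] != keyword:
        raise ValueError(f"not a {keyword} file")
    rows = [tuple(l.split(":", fields - 1)) for l in lines[1:]]
    return [r for r in rows if len(r) == fields]   # ignore malformed entries

def realm_for(path, realms):
    """Assumed rule: the longest protected directory containing the path wins."""
    hits = [r for r in realms if r[0] == "/" or path == r[0] or path.startswith(r[0] + "/")]
    return max(hits, key=lambda r: len(r[0]), default=None)

def basic(user, password):
    """Header value a client sends: a reversible encoding, not encryption."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def authorise(path, header=None):
    """Return (status, extra_headers) for a path and its Authorization header."""
    realm = realm_for(path, parse(REALMS_FILE, "Realms", 3))
    if realm is None:
        return 200, {}                       # path lies outside every realm
    _, name, auth_file = realm
    challenge = {"WWW-Authenticate": f'Basic realm="{name}"'}
    if not header or not header.startswith("Basic "):
        return 401, challenge                # no credentials yet: ask the client
    try:
        supplied = base64.b64decode(header[6:], validate=True)
    except ValueError:
        return 401, challenge                # malformed credentials
    for user, password in parse(AUTH_FILES[auth_file], "Authorisation", 2):
        if hmac.compare_digest(f"{user}:{password}".encode(), supplied):
            return 200, {}                   # constant-time match found
    return 401, challenge
```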
<A NAME="notes"><H2>Notes</H2></A>
<UL>
<LI>Client Authentication incurs a speed penalty, as Netplex must perform matches against URLs requested and do searches through the appropriate Authorisation files. However, in real use, this penalty is only just perceptible. A rough guide to the speed of authentication is that when using a 4400-user file, it takes about a second to authenticate a user (on a Risc PC 600).
<LI>'/' is a valid specifier if you wish to treat the whole server as a single realm.
<LI>A maximum of four realms can be defined (contact me if you need more).
<LI>Example Realms and Authorise files are provided in the !Netplex.!Help.HTML.auth directory. They are configured to protect the cgi-bin directory.