vqServer Special security features


vqServer provides a built-in alternative to the HTTP basic authentication scheme which provides a number of extra features that would otherwise require complex additional programs:

  • Self-registration: You can allow visitors to your web site to add themselves to your vqServer user database. This means that you can easily require people to register for access to pages or files on your web site.
  • Custom login pages: You can provide custom login pages to restrict access to pages or files on your web site. Custom login pages can be far more user-friendly than the default password dialog displayed by web browsers. You can also specify a failed login page to be displayed when an attempt to log in using a custom login page fails.
  • Self-password change: You can allow users to change their passwords without the intervention of the administrator and without having access to the control centre.
  • Logout: You can provide a logout link on your web pages. This stops people circumventing vqServer's access controls by using the same computer and browser as a registered user.

Notes:

  • To understand how to use these features, you should read the aliases and security pages of this documentation.
  • These features use cookies. Your registration and custom login pages should probably include a warning about this.

Self-registration

You can allow visitors to your web site to add themselves to your vqServer user database. This means that you can easily require people to register for access to pages or files on your web site.

There are five components to the vqServer self-registration feature:

  • A file or directory to which access is restricted. Its access control list must have Allow self-registration enabled. The sample web site distributed with vqServer contains the directory website/registered/ whose alias is registered. Access to this directory is restricted to members of the All registered users access control list.
  • A page to be displayed after successful registration. You'll usually want this to include an index to the files and services for which registration is required. An example page, website/registered/index.html, is included in the sample web site distributed with vqServer.
  • The remote registration servlet, vq.server.UserReg. This is included in vqServer's classes.zip file and is called using the alias /servlet/vq.server. in vqServer's default configuration. This servlet is invoked by the registration form.
  • A registration form. A sample form is included on the page website/public/register.html provided with vqServer. You may want to include this form on the same page as a custom login form for persons who are already registered. Access to the page containing the registration form should not be restricted.
  • A link pointing to a page which contains a registration form. The sample home page provided with vqServer includes a link labelled User registration.

Notes:

  • The self-registration feature works best if a custom login page is specified for the access control list used. If not, users will have to enter their ID and password in their browsers' password dialog box soon after registering.

The user registration form:

  • must use the POST method.
  • must specify an alias which maps to the vq.server.UserReg servlet in its action attribute.
  • must contain the following fields:
    • acl: the ID of the access control list that persons who register will be added to. The ID of access control lists is displayed in the left-hand column on the access control lists page and is usually something like acl123. This should be a hidden field.
    • entrypage: the alias of the page which will be displayed following successful registration. This should be something like /registered/index.html. This should be a hidden field.
    • id: the ID the person will use in the future to identify themselves to vqServer. This should be an edit field.
    • pwd1: the password the person will use in the future to identify themselves to vqServer. This should be a password field.
    • pwd2: the same as pwd1.
  • may contain the following optional fields, which are added to the user's entry in vqServer's user database after successful registration. These optional fields may be used to collect information about the user at the time of registration.
    • name
    • email
    • address
    • notes

Custom login pages

You can provide custom login pages to restrict access to pages or files on your web site. A custom login page is displayed automatically when a visitor to your web site requests a protected page. If a visitor enters an acceptable ID and password the protected page is displayed automatically.

Custom login pages can be far more user-friendly than the default password dialog displayed by web browsers and can include a self-registration form.

There are five components to the vqServer custom login page feature:

  • A file or directory to which access is restricted. The sample web site distributed with vqServer contains the directory website/registered whose alias is registered. Access to this directory is restricted to members of the All registered users access control list.
  • The login servlet, vq.server.UserLogin. This is included in vqServer's classes.zip file and is called using the alias /servlet/vq.server. in vqServer's default configuration. This servlet is invoked by the login form.
  • A login form. A sample form is included on the page website/public/login.html in the web site provided with vqServer. The alias of this page must be specified in the settings form of the access control list which restricts access to the protected file or directory.
  • An optional failed login page, which is displayed when an attempt to log in using the login form fails. A failed login page might include an error message and a login form so that the user can try again. If a failed login page is not specified, a default message is displayed. A sample failed login page, website/public/failedlogin.html, is included in the web site provided with vqServer.
  • A link to the protected file. The sample home page distributed with vqServer includes a link labelled Registered users.

Login forms:

  • must use the POST method.
  • must specify an alias which maps to the vq.server.UserLogin servlet in its action attribute.
  • must contain the following data entry fields:
    • id: the user's ID. This should be an edit field.
    • pwd: the user's password. This should be a password field.
  • may contain the following optional fields which should be hidden fields:
    • acl: the ID of a vqServer ACL, as displayed in the left-hand column on the access control lists page of the vqServer control centre. If this field is present, the login fails if the user who is trying to log in is not a member of the ACL, even if the user ID and password are correct.
    • fail: the alias of a failed login page to be displayed if an attempted login is unsuccessful.

Self-password change

You can allow users to change their passwords without the intervention of the administrator and without having access to the control centre.

There are three components to the vqServer self-password change feature:

  • The password change servlet, vq.server.UserPwd. This is included in vqServer's classes.zip file and is called using the alias /servlet/vq.server.UserPwd in vqServer's default configuration. Access to this servlet must be restricted by an appropriate access control list; otherwise it will not work.
  • A password change form. A sample form is included on the page website/registered/password.html included in the sample web site provided with vqServer. This form calls the password change servlet.
  • A link (or links) to a self-password change page. These links should only be included on pages to which access is restricted. The page website/registered/index.html contains a link labelled Change password.

The password change form:

  • must use the POST method.
  • must specify an alias which maps to the vq.server.UserPwd servlet in its action attribute.
  • must contain the following fields:
    • pwd1: the password the person will use in the future to identify themselves to vqServer. This should be a password field.
    • pwd2: the same as pwd1.
  • may contain the following optional fields (these should be hidden fields):
    • okpage: the alias of a page which will be displayed following a successful password change.
    • errorpage: the alias of a page which will be displayed if the data entered in the password change form is incorrect (for example if no password is entered or if the passwords entered are not identical).
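
The rules for the registration, login and password change forms above can be checked mechanically before a page goes live. The following is an added example, not part of the vqServer documentation or distribution: a Python lint that parses a page's first form and reports every rule it breaks. The alias is passed in by the caller because it depends on the server's alias configuration, and the sample form and its /pwderror.html alias are constructed.

```python
from html.parser import HTMLParser

# Rules from this page: required field -> input type ("text" = edit field); optional hidden fields.
REQUIRED = {"UserReg": {"acl": "hidden", "entrypage": "hidden", "id": "text",
                        "pwd1": "password", "pwd2": "password"},
            "UserLogin": {"id": "text", "pwd": "password"},
            "UserPwd": {"pwd1": "password", "pwd2": "password"}}
OPTIONAL_HIDDEN = {"UserLogin": {"acl", "fail"}, "UserPwd": {"okpage", "errorpage"}}
# Constructed sample: a password change form with two mistakes (GET, visible errorpage).
SAMPLE = ('<form method="get" action="/servlet/vq.server.UserPwd">'
          '<input type="password" name="pwd1"><input type="password" name="pwd2">'
          '<input type="text" name="errorpage" value="/pwderror.html"></form>')

class FormCollector(HTMLParser):
    """Records method, action and input name -> type for the first <form>."""
    def __init__(self):
        super().__init__()
        self.method, self.action, self.inputs = None, None, {}
        self.state = "before"  # before -> inside -> after the first form
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and self.state == "before":
            self.state = "inside"
            self.method = (a.get("method") or "get").lower()
            self.action = a.get("action") or ""
        elif tag == "input" and self.state == "inside" and a.get("name"):
            self.inputs[a["name"]] = (a.get("type") or "text").lower()
    def handle_endtag(self, tag):
        if tag == "form" and self.state == "inside":
            self.state = "after"

def check_form(html, servlet, alias):
    """Return the list of rule violations; an empty list means the form passes."""
    p = FormCollector()
    p.feed(html)
    problems = []
    if p.method != "post":
        problems.append("form must use the POST method")
    if p.action != alias:
        problems.append(f"action must be the alias of vq.server.{servlet}")
    for name, kind in REQUIRED[servlet].items():
        if name not in p.inputs:
            problems.append(f"missing required field: {name}")
        elif p.inputs[name] != kind:
            problems.append(f"{name} should be a {kind} field")
    for name in sorted(OPTIONAL_HIDDEN.get(servlet, set()) & set(p.inputs)):
        if p.inputs[name] != "hidden":
            problems.append(f"{name} should be a hidden field")
    return problems
```

Calling `check_form(SAMPLE, "UserPwd", "/servlet/vq.server.UserPwd")` reports the GET method and the visible errorpage field.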

Logout

You can provide a logout link on your web pages. This stops people circumventing vqServer's access controls by using the same computer and browser as a registered user. The logout feature only works if you have used a custom login page.

There are two components to vqServer's logout feature:

  • An exit page which will be displayed once the user is logged out. The sample web site included with vqServer includes the page website/public/thankyou.html.
  • The logout servlet, vq.server.UserLogout. This is included in vqServer's classes.zip file and is called using the alias /servlet/vq.server. in vqServer's default configuration. Access to the logout servlet need not be restricted.
  • A link (or links) which invokes the logout feature. These links should only be included on pages to which access is restricted. The page website/registered/index.html in the sample web site provided with vqServer includes a link labelled Logout. The HTML code for this link should look like
    <A HREF = "/servlet/vq.server.UserLogout?exitpage=/exitpage.html" > Logout </A>

    where /servlet/vq.server.UserLogout is the alias which invokes the logout servlet and /exitpage.html is the alias of the page which will be displayed after the user logs out.


vqServer version 1.9. Copyright © 1997-2000 Steve Shering and vqSoft. Last updated 26 May 2000.
