Help - Authentication Settings
 

Config:/Security/Resource/*/Authenticate/
Config:/Security/Template/*/Authenticate/
Setting | Explanation | Default / Example | Data Type | Access (R,W,A,D)
Realm: This is the name of the user database realm to use when authenticating a user. If this field is empty, then no authentication lookup is performed and the user name cannot be verified - it is simply accepted as-is.

The name of the realm is transmitted back to the client's browser to request a specific user name and password. Once the client has established the user name and password to use, subsequent requests for authentication of resources within the same realm can be satisfied without re-asking the user on the client machine.

For FTP connections, the login realm may be different to the resource realm, in which case you must ensure that all valid users are present in both realms, otherwise a user may log in but not have access to resources, or vice versa.

Default / Example: default; Data Type: Text; Access: R,W

Type: The type of user authentication desired. Can be one of:
  • None
  • Basic

Choose "None" to disable authentication - whatever the client sends (if anything) will be accepted as a valid user name. This can be useful when SSLAuthenticateClient and SSLGetClientName are both set to "Yes", meaning that the user name found in the certificate is accepted as-is without any lookup within a local user database realm.

Default / Example: None; Data Type: Text; Access: R,W

SSLRequired: Whether SSL (Secure Sockets Layer) connections should be used to access this resource. May be one of:
  • No
  • Optional
  • Version 2 or later
  • Version 3 or later

If you specify "No", then clients are forced to view the resource with a non-secure HTTP link. If you specify "Version 2 or later" or "Version 3 or later", then clients are forced to use a secure HTTPS link.

For secure environments where you have control over the client browser, we strongly recommend you use the setting "Version 3 or later" because of the security flaws in SSL Version 2.

If you select "Optional" then clients can view the resource with either a secure or a non-secure browser, using either an HTTP or an HTTPS link.

Default / Example: Optional; Data Type: Integer; Access: R,W

SSLAuthenticateClient: If you select "Yes", then the server will request an authentication certificate from the client and will check it for validity. This will only occur with SSL Version 3 or later connections.

Only clients presenting a cryptographically correct certificate and whose Certification Authority is listed in your Certificate List will be allowed access. All other clients will see an "Access Denied" or "Forbidden" reply (the exact wording will depend upon the client's choice of browser).

Default / Example: No; Data Type: Integer; Access: R,W

SSLGetClientName: If you select "Yes", then the server will take the client's user name directly from the client's certificate's Common Name field, with all spaces changed to underbars. The password will be set to empty.

If you enable this feature, you MUST have switched on SSLRequired and SSLAuthenticateClient for this resource.

With this feature, your client will not be prompted for a user name and password; instead, these will be supplied automatically by the client's browser. To take advantage of this, we suggest you collect all such users into a specified group and give them all no passwords. Alternatively, if you don't want to manage groups, but you are willing to accept all clients with certificates signed by a specified Certification Authority, you should set the "Type" setting to "None".

The implication of this is that you are relying on the client's browser performing access control over the client's private certificates. Most browsers will prompt the client for a password before transmitting their certificate, thereby reducing the risk of impersonation if a client's software and data files are stolen.

Default / Example: Yes; Data Type: Integer; Access: R,W

SSLClientCA: Allows you to specify a Certificate Authority whose certificates you will accept as valid when clients access this resource. If a client presents a certificate signed by another Certificate Authority, that client will be denied access.

To accept a certificate signed by any of the Certificate Authorities listed in your Certificate List, leave this setting empty.

Data Type: Text; Access: R,W
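
The dependencies described above between Type, Realm, SSLRequired, SSLAuthenticateClient, SSLGetClientName and SSLClientCA can be checked mechanically before a resource goes live. The following Python linter is an added example, not part of the product or its documentation; it assumes the settings of one resource are available as a dict keyed by setting name with the option labels as values, and it treats "Optional" as not satisfying the SSLRequired precondition for SSLGetClientName.

```python
# Added example: lint one Authenticate settings group against the rules in this help page.
# Assumptions: dict input, option labels stored as strings, hypothetical function names.

def is_yes(settings, key):
    return str(settings.get(key, "")).strip().lower() == "yes"

def cert_user_name(common_name):
    """User name the page says is derived from a certificate CN: spaces become underscores."""
    return common_name.replace(" ", "_")

def audit_authenticate(settings):
    """Return a list of (severity, message) findings for one resource or template."""
    findings = []
    auth_type = str(settings.get("Type", "")).strip().lower()
    realm = str(settings.get("Realm", "")).strip()
    ssl_required = str(settings.get("SSLRequired", "")).strip().lower()
    auth_client = is_yes(settings, "SSLAuthenticateClient")
    get_name = is_yes(settings, "SSLGetClientName")
    client_ca = str(settings.get("SSLClientCA", "")).strip()
    if get_name and not auth_client:
        findings.append(("error", "SSLGetClientName needs SSLAuthenticateClient=Yes"))
    # Assumption: "Optional" still admits plain HTTP, so it does not count as switched on.
    if get_name and ssl_required in ("", "no", "optional"):
        findings.append(("error", "SSLGetClientName needs SSLRequired switched on"))
    if auth_client and ssl_required != "version 3 or later":
        findings.append(("warn", "client certificates are only requested on SSL "
                         "Version 3 or later connections"))
    if ssl_required == "version 2 or later":
        findings.append(("warn", "SSL Version 2 allowed; use 'Version 3 or later'"))
    if auth_type == "none" and not (auth_client and get_name):
        findings.append(("warn", "Type=None without certificate-derived names: "
                         "any user name the client sends is accepted"))
    if auth_type == "basic" and not realm:
        findings.append(("warn", "empty Realm: user name is accepted without lookup"))
    if auth_type == "none" and get_name and not client_ca:
        findings.append(("info", "SSLClientCA empty: any CA in the Certificate List "
                         "can vouch for a user name"))
    return findings

# Constructed sample settings (not taken from a real configuration).
WEAK = {"Realm": "", "Type": "None", "SSLRequired": "Optional",
        "SSLAuthenticateClient": "No", "SSLGetClientName": "Yes", "SSLClientCA": ""}
STRICT = {"Realm": "default", "Type": "Basic", "SSLRequired": "Version 3 or later",
          "SSLAuthenticateClient": "Yes", "SSLGetClientName": "Yes",
          "SSLClientCA": "Example Internal CA"}

if __name__ == "__main__":
    for name, cfg in (("WEAK", WEAK), ("STRICT", STRICT)):
        print(name, audit_authenticate(cfg) or "no findings")
```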