IGNITe/400 Mailing List Archive Entry
Bleddyn,

I have made extensive use of GROUP authentication using I/Net's Commerce
Server/400. I have several classes of user and corresponding directories
containing data that they are authorized to access.

The most complex structure belongs to our employees who first belong to the
"EMPLOYEE" group as opposed to our Insurance Agents (AGENTS) or
Policyholders (INSURED). Each employee has a user entry in the server's
authentication file. There is then an entry in the GROUP file.

To make the process more complex, employees all have access to a general
employee information area which contains items of interest to all employees
within the company. Then depending upon who you are, you may have access to
one or more "functional areas" of the company such as Underwriting,
Marketing, Claims, IS, etc.

To facilitate access controls, we first add the user to our server
authentication user file and the "employee" group. We then decide what
"functional areas" we wish them to access and add group entries to the group
table for those.

To illustrate:

User File (HTTP Validation list?)

bobc some_md5_encrypted_password

Group File (HTTP ???? equivalent)

bobc employee
bobc marketing
bobc infosys

Our Directory structure on the server looks something like:

/webserver
  /webdocs              <-- server root
    /private            <-- any valid user
      /employee         <-- allow group employee
        /marketing      <-- allow group marketing
        /infosys        <-- allow group infosys
        /underwriting   <-- allow group underwriting
        /claims         <-- allow group claims
        /...            <-- allow group ...

We then alias the pages so that

/employee becomes /private/employee
/marketing becomes /private/employee/marketing
...

Net.Data macros have libraries and macro directories corresponding to the
groups and aliases are used to restrict access to macros written in support
of the group. HTML and images are stored in the group directories.

This all works remarkably well and has a self-administration function that
allows managers to authorize their employees access to whatever is required.

I've read IBM's HTTP Server documentation and quite frankly don't have a
clue a) IF we can do this, and b) How to do it with the HTTP server.

This is where we really see the brain dead nature of the CERN model and the
advantages of the NCSA model. What I have done with I/Net is due to the
fact that the server is built on the NCSA model which included directory
based user and group authentication from the very beginning. CERN did not.
IBM has built workarounds to get past the limitations of the CERN model on
this one.

V4R2 ICS and ICSS as I read the manual REQUIRED a validation list for each
subdirectory in the structure and a separate group file in each
subdirectory.

It appears that this is NOT true for the HTTP server, but there are several
issues that are completely unclear in the docs:

1) How to define group authentication rules at the directory and
sub-directory level via server directives.

2) How to create and maintain via the ADMIN function groups and group
membership via a) AS/400 security and b) via validation list objects c)
where and WHAT is the group file?

This is a piece of cake in I/Net's Commerce Server/400, Netscape (any
platform), or APACHE (any platform). The rules are simple and consistent.

Bob C.
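The scheme Bob describes, as an added illustration that is not code from I/Net's server or IBM's HTTP Server: a "member group" file, the protected directory tree and the aliases are combined into one access decision. Authentication against the validation list is assumed to have already succeeded (so `user` is a validated name), the names are invented, and nested groups are included because the HTTP Server documentation quoted below allows a group name to include other group names.

```python
# Constructed sample group file in the post's "user group" layout; the names
# are invented. A member may itself be a group name (nested groups, which the
# quoted HTTP Server doc allows): "infosys employee" makes every infosys
# member an employee without listing each of them twice.
GROUP_FILE = """bobc employee
bobc marketing
bobc infosys
carol infosys
infosys employee
alice agents"""

# Directory protections from the post: real path -> required group
# (None means any authenticated user, as for /private).
PROTECT = {"/private": None,
           "/private/employee": "employee",
           "/private/employee/marketing": "marketing",
           "/private/employee/infosys": "infosys"}

# Aliases from the post: public path -> real path under /private.
ALIASES = {"/employee": "/private/employee",
           "/marketing": "/private/employee/marketing",
           "/infosys": "/private/employee/infosys"}

def parse_groups(text):
    """Return {group: set(members)} from 'member group' lines."""
    groups = {}
    for line in text.splitlines():
        if line.strip():
            member, group = line.split()
            groups.setdefault(group, set()).add(member)
    return groups

def in_group(user, group, groups, seen=None):
    """Direct membership, or membership through a nested group (cycle-safe)."""
    seen = set() if seen is None else seen
    if group in seen:
        return False
    seen.add(group)
    members = groups.get(group, set())
    return user in members or any(
        in_group(user, m, groups, seen) for m in members if m in groups)

def authorized(user, path, groups):
    """Resolve the alias, then require the group of every protected directory
    on the real path, so /marketing needs employee as well as marketing."""
    real = ALIASES.get(path, path)
    for prefix, group in PROTECT.items():
        if real == prefix or real.startswith(prefix + "/"):
            if group is not None and not in_group(user, group, groups):
                return False
    return True
```

Note that carol, who is only listed under infosys, reaches /infosys because infosys is nested in employee, but is refused /marketing: the protections on the real path compose, which is what lets one group file serve the whole tree.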



-----Original Message-----
ign_list@ignite400.org [mailto:ign_list@ignite400.org]
Sent: Thursday, February 04, 1999 12:12 PM
To: IGNITE400 MEMBERS LIST Mailing List
Group Files under the HTTP Server V430


Bleddyn Williams

I have had a look at the information on group files in the online help for
the HTTP webserver. Now that we seem to have the hang of validation lists
and using the APIs to add people to them, what do group files give me?

Is it the ability to secure in the following way?

I have 4 directories and I create a validation list to protect each. Now we
have written our API interface so if you needed to you could do multiple
adds for a user to all 4 areas. But the user would then need to log in 4
times when they want to access each area. Does a group file give me the
ability to say that if a user has logged into one area and the group file is
included against say DIR 2 that they won't need to log in again? Also, what
sort of object is a group file? Is it just a stream file? Do I create it or
does the system?

The following is from the doc

You can specify a group name that is defined in the server group file. A
group name can include user names, other group names, and address templates
in any of the same formats allowed on masking subdirectives. To be valid,
any user names included in the group name must also be defined in the
protection setup validation list or AS/400 user profile. If the requester
returns a valid user name and password and if any address templates are
matched, then the server completes the request.


Thanks
Bleddyn

http://ignite400.org/ your AS/400 Internet/Intranet questions answered.



© Copyright 1999 by IGNITe/400
This page last updated Sat, 21 Aug 1999 16:41:00