Access Control Criteria Options
Overview
Access control can be based on two criteria: the user sitting at the machine or the machine itself. This allows you to specify access restrictions which are based on person and on organisation. Host based access control can validate clients using IP number or domain name. Authenticated access control is based on a User ID and Password challenge. Both approaches can be used together to allow extra security within an organisation.
Host Based Access Control
Host based access control enables pages to be protected by client location. The server will restrict pages based on either the IP numbers or DNS names listed in the dynamic configuration file. You may want some pages on your server to be accessed only by individuals within your organisation, or customer pages which shouldn't be accessed by the general public. Host based authentication provides a reliable method of restricting access, while keeping administration simple and the system easy to use.
If the server determines a client request should not be fulfilled, the page requested will not be sent and a "HTTP 403 Forbidden" error will be returned.
Domain Names and IP Numbers
Domain names provide the human readable machine address which we are used to seeing in URLs and email addresses. These names are usually allocated by organisation, so they provide a simple means of identifying who is connecting to your web site.
IP numbers are the machine addresses which the DNS names are mapped onto. They are usually allocated as blocks or subnets as required; one organisation may have a number of IP subnet blocks.
IP subnets can be specified in one of three ways.
In many cases IP numbers and DNS names can be specified using extended regular expressions. Regular expressions allow sophisticated pattern matching to be used for host matching, but need to be constructed carefully to avoid security holes. See the associated document Using Regular Expressions for more information.
- A partial IP-address
For simple class A or B or C subnetting, specify the partial IP address, plus a trailing ".", e.g. 10. to specify the class A 10.255.255.255 network.
- A network/netmask pair
A.B.C.D/X.Y.W.Z where A.B.C.D is a network, and X.Y.W.Z is a netmask, e.g. 10.0.0.0/255.0.0.0.
- A network/n CIDR specification
A.B.C.D/n where A.B.C.D is a network, and n is a number between 1 and 32 specifying the number of high-order 1 bits in the netmask, i.e. 10.0.0/8 is the same as 10.0.0.0/255.0.0.0.
NOTE: In order to perform access control by DNS names, the website must be set up to perform DNS resolution of clients.
By default, the DNS or IP string will match the client, if the client's DNS or IP string 'ends-with' the string you have provided. E.g. .mysite.com will match host1.mysite.com & host2.mysite.com. To specify a regular expression for the match list, the string should begin with a '~', e.g. ~^(host1|host2)\.mysite\.com$.
Examples:
- Absolute names: ribble.webcom.co.uk, swale.webcom.co.uk
- Sub domains: .webcom.co.uk, .co.uk
- Absolute IP numbers: 194.33.68.245, 194.33.68.134
- IP subnets: 194.33.68., 194.33.
- IP network/netmask pair: 194.33.68.0/255.255.255.0, 194.33.0.0/255.255.0.0
- IP network/CIDR representation: 194.33.68.0/8, 194.33.0.0/16
- Regular expressions: ~^(host1|host2)\.mysite\.com$
It should be noted that any individual who uses a machine within the specified domain will be permitted to view the restricted pages. Additionally, the DNS system has vulnerabilities which allow malicious but technically adept Internet users to "spoof" their DNS names, giving the impression they are within a different domain. Such instances are rare, but they may represent an unacceptable risk for some organisations, in which case host based access control should use IP numbers or be augmented by user access control.
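The following is an added example, not code from this server's documentation or its configuration parser: a small Python matcher that applies the match-list syntax described above (absolute names, sub-domain suffixes, partial IP numbers, network/netmask, network/CIDR and '~' regular expressions) to a client connection and returns the 200/403 decision. The match list is constructed for the example; the partial-IP form is treated as a prefix of the address (as the 10. example implies) while DNS names use the documented ends-with rule.

```python
import ipaddress
import re

# Constructed match list in the syntax described above. Assumption: each entry
# is one line of the server's host list; the combination is made up here.
RULES = [
    "ribble.webcom.co.uk",             # absolute DNS name
    ".webcom.co.uk",                   # sub-domain: suffix match on the name
    "194.33.68.245",                   # absolute IP number: exact match
    "194.33.68.",                      # partial IP number with trailing dot
    "10.0.0.0/255.0.0.0",              # network/netmask pair
    "172.16.0.0/12",                   # network/CIDR
    r"~^(host1|host2)\.mysite\.com$",  # regular expression, '~' prefix
]

_DOTTED = re.compile(r"^[0-9.]+$")


def rule_matches(rule, client_ip, client_name=None):
    """True if one match-list entry covers the client.

    client_ip is the dotted-quad address of the connection; client_name is the
    reverse-resolved DNS name, or None when the server does no DNS resolution
    (in which case name-based entries can never match).
    """
    if rule.startswith("~"):
        # Regular expression: tried against the address and the resolved name.
        pattern = re.compile(rule[1:])
        if pattern.search(client_ip):
            return True
        return client_name is not None and bool(pattern.search(client_name))
    if "/" in rule:
        # network/netmask or network/CIDR; ipaddress accepts both spellings.
        network = ipaddress.ip_network(rule, strict=False)
        return ipaddress.ip_address(client_ip) in network
    if _DOTTED.match(rule):
        # A partial IP number ("10.") is a prefix of the address; a full
        # address must match exactly, so "194.33.68.24" cannot cover .245.
        if rule.endswith("."):
            return client_ip.startswith(rule)
        return client_ip == rule
    # DNS names use the documented ends-with rule; compare case-insensitively.
    return client_name is not None and client_name.lower().endswith(rule.lower())


def is_allowed(client_ip, client_name, rules):
    """True if any entry of the match list covers the client."""
    return any(rule_matches(rule, client_ip, client_name) for rule in rules)


def decide(client_ip, client_name, rules):
    """Status the server answers with: 200 to serve, 403 Forbidden to refuse."""
    return 200 if is_allowed(client_ip, client_name, rules) else 403


if __name__ == "__main__":
    samples = [("194.33.68.245", None), ("10.4.5.6", None),
               ("203.0.113.9", "host2.mysite.com"), ("203.0.113.9", "host3.mysite.com")]
    for ip, name in samples:
        print(ip, name, decide(ip, name, RULES))
```

Two properties of the ends-with rule are worth checking in your own lists: a plain name entry such as ribble.webcom.co.uk also accepts any longer name that ends with it, and no name entry can match at all when the server is not resolving client addresses. Where the name must be pinned down exactly, the anchored '~' regular-expression form is the one to use; where DNS spoofing is a concern, the address-based forms do not depend on the resolver.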
Authentication Access Control
Host based access control works well in most situations, particularly when the access to the information should not be made public, but is not sensitive or commercially valuable. Authenticated access control can offer a greater degree of security by requiring the client to supply a valid username and password before sending the information. It can also be more flexible, allowing authorised users to connect from any machine on the network. User and host based access control can be used together to provide the maximum security option. Authenticated access control has a number of additional administrative overheads, which make it a little more complicated than host based access control.
How Authenticated Access Control works
When a client tries to connect to a resource which is protected with Authenticated access control, the server will return the HTTP Status code "401 Unauthorised" to the client. The client should then display a dialogue box asking for a username and password. The resource is then requested again; this time the client includes the "Authorization" HTTP header, which carries the username and password. The server then compares them against its user lists and, if both fields are valid, returns the resource. If the username or password is incorrect, the server will again return the "401 Unauthorised" status code, whereby the client can ask again for the login details.
To access resources which are protected with Authenticated access control the client must provide the login details for each request. If the client were prompted for login details for every file it transferred, the process would be slow, tedious and inconvenient. To solve this problem the client will send the "Authorization" HTTP header with each subsequent request to the site.
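The exchange described above, written out as an added Python example that is not part of this server's documentation or code: the server side answers a request without credentials with 401 and a WWW-Authenticate challenge, decodes the Basic Authorization header on the retry, and checks the username and password against a constructed user list of salted password hashes rather than clear-text passwords. The realm name, the user list and the `client_auth_header` helper that builds what the browser sends after the dialogue box are all assumptions made for the example.

```python
import base64
import hashlib
import hmac
import os

REALM = "Restricted pages"  # assumed realm string shown in the client's dialogue


def _make_entry(password, salt=None):
    """Store a salted PBKDF2 hash, never the password itself (example policy)."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


# Constructed user list: username -> (salt, password hash).
USERS = {
    "alice": _make_entry("correct horse"),
}


def check_credentials(username, password):
    """Compare the supplied login details against the user list."""
    entry = USERS.get(username)
    if entry is None:
        # Hash anyway so an unknown user costs the same time as a bad password.
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"no-such-user", 50_000)
        return False
    salt, digest = entry
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)
    return hmac.compare_digest(candidate, digest)


def handle_request(headers):
    """Return (status, response_headers) for one request to a protected resource.

    headers is the request's header dict; lookup is case-insensitive.
    Anything other than a valid Basic credential gets the 401 challenge again.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    challenge = (401, {"WWW-Authenticate": 'Basic realm="%s"' % REALM})
    auth = lowered.get("authorization")
    if not auth:
        return challenge
    scheme, _, value = auth.partition(" ")
    if scheme.lower() != "basic":
        return challenge
    try:
        decoded = base64.b64decode(value.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return challenge
    username, sep, password = decoded.partition(":")
    if not sep or not check_credentials(username, password):
        return challenge
    return 200, {}


def client_auth_header(username, password):
    """Build the header the client sends after the user fills in the dialogue."""
    token = base64.b64encode(("%s:%s" % (username, password)).encode()).decode()
    return {"Authorization": "Basic " + token}


if __name__ == "__main__":
    print(handle_request({}))                                     # (401, challenge)
    print(handle_request(client_auth_header("alice", "correct horse")))  # (200, {})
    print(handle_request(client_auth_header("alice", "wrong")))   # (401, challenge)
```

Because the client repeats the same header on every subsequent request, and the header is only base64 encoding rather than encryption, the username and password cross the network each time; this scheme protects the pages only as well as the transport protects the header, which is the reason the combination with host based restrictions is described above as the maximum security option.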