SQLData Systems, Inc.

            User Validation and Access Control

The server uses both passwords and access control to make sure a user has sufficient rights to access the server functions.
 

Password

Each user can have a password assigned by the administrator. The password file is usually stored in the CONFIG directory. The password file contains basic user information and an encrypted digest.
 

  • Create a new user file: Go to the Server Administration section and select Create New User File. You must specify the user file name and the administrator's name and password here.
  • Add new user: Select Add New User from the Server Administration section. Each user must have a group. Each user group has specific access rights assigned in the server configuration file. We will discuss this later. Only administrators can add new users.
  • Revoke User: This removes the user's access to the server.
  • Change Password: The old password is required to change a password. If the password is forgotten, a new user needs to be created.

 

User management messages

The above functions are accomplished through User Management Messages. User management messages are a subset of Admin messages. The action parameter should be /admin in the HTTP form. There is a Request parameter for user management which specifies the detailed request, such as Add User, Revoke User, and so on.
 

Create New User File

    The following is a sample form for sending the message; the size of the text box is unimportant:

<FORM METHOD=POST ACTION="/admin">
<INPUT TYPE=hidden Name="Request" VALUE="NewUserFile">

<PRE>
User File Name       : <INPUT NAME="FileName" TYPE=text SIZE="30">
Admin Name           : <INPUT NAME="AdminName" TYPE=text SIZE="30">
Admin Password       : <INPUT NAME="AdminPassword" TYPE=password SIZE="30">
Password Confirmation: <INPUT NAME="PasswordConfirm" TYPE=password SIZE="30">

</PRE>

<P><INPUT TYPE=submit><INPUT TYPE=reset></P></FORM>

Add New User

    The following form sends a request to add a new user.

<FORM METHOD=POST ACTION="/admin">
<INPUT TYPE=hidden Name="Request" VALUE="AddUser">

<PRE>
User Name            : <INPUT NAME="UserName" TYPE=text SIZE="30">
Description          : <INPUT NAME="Description" TYPE=text SIZE="30">
Password             : <INPUT NAME="Password" TYPE=password SIZE="30">
Password confirmation: <INPUT NAME="PasswordConfirm" TYPE=password SIZE="30">
User right (s|o|m)   : <INPUT NAME="Rights" TYPE=text SIZE="30">
Admin Name           : <INPUT NAME="AdminName" TYPE=text SIZE="30">
Admin Password       : <INPUT NAME="AdminPassword" TYPE=password SIZE="30">

</PRE>

<P><INPUT TYPE=submit><INPUT TYPE=reset></P></FORM>

Revoke User

    The user is removed from the password file if the message is processed successfully.

<HR><FORM METHOD=POST ACTION="/admin">
<INPUT TYPE=hidden Name="Request" VALUE="DeleteUser">

<PRE>
User Name            : <INPUT NAME="UserName" TYPE=text Size="30">
Admin Name           : <INPUT NAME="AdminName" TYPE=text Size="30">
Admin Password       : <INPUT NAME="AdminPassword" TYPE=password SIZE="30">

</PRE>

<P><INPUT TYPE=submit><INPUT TYPE=reset></P></FORM>

Change Password

This message is actually not a user access control message; it will be moved out of the group soon. (You will need administrator privileges in order to change your password :-).

<HR><FORM METHOD=POST ACTION="/admin">
<INPUT TYPE=hidden Name="Request" VALUE="ChangePassword">

<PRE>
User Name            : <INPUT NAME="UserName" TYPE=text SIZE="30">
New Password         : <INPUT NAME="Password" TYPE=password SIZE="30">
Password confirmation: <INPUT NAME="PasswordConfirm" TYPE=password SIZE="30">
Old Password         : <INPUT NAME="OldPassword" TYPE=password SIZE="30">

</PRE>

<P><INPUT TYPE=submit><INPUT TYPE=reset></P></FORM>
 
 
 

User Groups and Privilege Assignment

User groups can be defined easily in the server configuration file. A group name is a single character (this is so for implementing users in multiple groups). It can be a-z and 0-9, so we have 36 user groups. The format is something like this:
 

[UserGroup]
 ;Administrator
 @s=rwem
 ;Operator
 @o=rw
 ;normal user
 @u=rw

Note that an @ sign is added to the group name to avoid name collision. For instance, we define

        @s=rwem

as administrator. It has r = "read", w = "write", e = "execute" and m = "management" access rights. The access letters are totally arbitrary as long as they match the privilege associated with the request, which is specified similar to the following:

[OperationRights]
 ; rights associated with operations
 @ShowFile= r
 @Query= r
 @RecordQuery= r
 @AdminQuery= rwe
 @BrowseQuery= r
 @SQL= e
 @ShowTables= r
 @Insert= e
 @Update = w
 @Delete = e
 @Browse = r
 @AddForm = e
 @Detail = r
 @Display = r
 @GetCA = r
 @GetCertificate=r
 @FindObject = r
 @GenerateHTML = ew
 @UpdateConfig = rwem
 @Admin = rwem
 

On the left side of the equal sign is the name of the request; on the right side is the privilege required. For instance
    @Admin=rwem

matches the Administrators rights in the user group.

For example, if you want to give SQL Insert a special privilege assignment to limit such action, you would assign it a new access letter, let's say 'i', and change @Insert= e to
            @Insert = i

in the OperationRights section. If you want to give such a right only to the administrators, you would change the @s in the user group to:
        @s=rwemi
Note that the last letter, i, assigns the SQL Insert right to the administrators.

You can add more operations and new user groups by simply editing the server configuration file.
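
An added example (not SQLData's code) that audits the [UserGroup] and [OperationRights] sections described above: it lists which groups can issue each request, and flags requests no group can reach and groups whose rights are identical. It assumes a group needs every letter an operation lists, which the page does not specify; the @Export operation and the letter x are hypothetical.

```python
# Added example; assumes a group may run an operation only if it holds EVERY
# access letter listed for it (the page does not state all-vs-any semantics).
SAMPLE_CONFIG = """\
[UserGroup]
 ;Administrator
 @s=rwemi
 @o=rw
 @u=rw
[OperationRights]
 @Query= r
 @Insert = i
 @Update = w
 @GenerateHTML = ew
 @Export = x
"""  # constructed sample; @Export and the letter x are hypothetical

def parse_sections(text):
    """Return {section: {name: set_of_letters}}; ';' lines are comments."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif current is not None and line.startswith("@") and "=" in line:
            name, letters = line[1:].split("=", 1)
            current[name.strip()] = set(letters.strip())
    return sections

def allowed_groups(config, operation):
    """Groups whose rights cover every letter the operation requires."""
    need = config["OperationRights"][operation]
    return sorted(g for g, have in config["UserGroup"].items() if need <= have)

def audit(config):
    """Return (operations no group can run, group pairs with identical rights)."""
    groups, names = config["UserGroup"], sorted(config["UserGroup"])
    unreachable = sorted(op for op in config["OperationRights"]
                         if not allowed_groups(config, op))
    duplicates = [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
                  if groups[a] == groups[b]]
    return unreachable, duplicates

if __name__ == "__main__":
    cfg = parse_sections(SAMPLE_CONFIG)
    for op in cfg["OperationRights"]:
        print(f"{op:14}", ",".join(allowed_groups(cfg, op)) or "(nobody)")
    print(audit(cfg))
```

Running it after each edit to the configuration file shows whether a new access letter actually narrowed a request to the intended group.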
 
 
 
 
 

Copyright 2008-2010 SQLData Systems, Inc.
Last modified: July 10, 2010