Access Control Tutorial

General Information

Access control works in two modes: normal or administration. The two modes are configured in the same way, but each uses its own access control file. The files are:

    Normal mode: Directory based configuration file
    Administration mode: Administrative access control file

Note that the access control-related files, like all configuration files, are read by the server at start-up and when the server is re-configured. If you are experimenting with access control and the changes do not seem to be taking effect, re-configure the server (using the SETWWWCFG command).

How Secure Is It?

Web Server/400 supports host filtering and Basic HTTP authentication for controlling access to content that is available for serving over the Web. Each kind of access control makes it difficult, but not impossible, for unauthorized users to access protected content. Host filtering lets you allow or disallow access based on the client's domain or IP address. Basic authentication lets you require a user ID and password combination.

In Basic authentication, the user ID and password are not sent over the network as plain text, but they are not encrypted either. They are uuencoded, in essentially the same way as Telnet login IDs and passwords. Basic authentication is similar to Telnet security and is approximately as secure as Telnet.

For maximum security, you will want to combine host filtering and user authentication. This would force a potential intruder both to "spoof" an IP address and to "sniff" the network to find a valid user ID and password.
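The two points above, as an added Python example that is not Web Server/400 code or configuration: the Base64 encoding that HTTP Basic authentication puts on the wire is reversed without any key, and access is granted only when both the host filter and the credentials pass. The user ID, password and domain are the ones used in this tutorial's two examples; the function names and the host names in the checks are assumptions made for illustration.

```python
import base64
import hmac

# Constructed sample values: the user ID, password and domain come from this
# tutorial's examples; everything else here is illustrative.
ALLOWED_USER = "DrKatz"
ALLOWED_PASSWORD = "ProfessionalTherapist"
ALLOWED_DOMAIN = ".edu"


def encode_basic(user, password):
    """Build the Authorization header value a browser sends for Basic auth."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")


def decode_basic(header):
    """Return (user, password) from an Authorization value, or None if malformed.

    No key is involved: anyone who can read the header can do the same.
    """
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        text = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:  # covers bad Base64 and bytes that are not UTF-8
        return None
    user, sep, password = text.partition(":")  # password may contain ':'
    return (user, password) if sep else None


def host_allowed(client_host):
    """Host filter: accept only names inside ALLOWED_DOMAIN (case-insensitive)."""
    return client_host.lower().rstrip(".").endswith(ALLOWED_DOMAIN)


def authorize(client_host, header):
    """Grant access only when BOTH the host filter and the credentials pass."""
    creds = decode_basic(header or "")
    if creds is None or not host_allowed(client_host):
        return False
    user_ok = hmac.compare_digest(creds[0].encode(), ALLOWED_USER.encode())
    pass_ok = hmac.compare_digest(creds[1].encode(), ALLOWED_PASSWORD.encode())
    return user_ok and pass_ok
```

A request carrying the right user ID and password from a host outside the allowed domain is refused, as is a request from inside the domain with a wrong or missing Authorization header.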

User Authentication Example

In this example, you will protect the "/WWWServ/WebDocs/Fun" directory, only allowing access by user "DrKatz" using the password "ProfessionalTherapist". This assumes that the server is using the default values for the server root and document root.

Host Filtering Example

In this example, you will protect the same /WWWServ/WebDocs/Fun directory, but this time, you will set it up so that only people from the .EDU domain can access it.
Also see Protecting your AS/400 information