Username/Password access controls in SREhttp/2

SREhttp/2 Manual || Edit USERS.CFG || Edit ATTRIBS.CFG || Comparing HTACCESS and selector-specfic

Access controls in SREhttp/2

SREhttp/2 supports access control using the username & password authentication features supported by all web browsers.

Privilege based access controls

SERhttp/2 uses privileges to control access on a selector specific basis.
This method has two components:

Defining one or more users; and granting these users client privileges.
Using selector specific attributes, assign required privileges to selectors subject to access control.

When a client requests a controlled-access resource (as defined in ii), SREhttp/2 will ask the client to provide a username and password. This username and password are looked up in the database of users (as defined in i). If there is no match, access is denied -- the client is asked to reenter a username and password.

If there is a match, SREhttp/2 will then compare the client privileges (granted to this user) against the required privileges (assigned to this selector). If they do not match, access is denied -- the client is asked to reenter a username and password.

If they do match, access is granted -- for example: the document is sent, or the script is executed.

For further details ...

Defining users,
... or see the handy outline of the steps that SREhttp/2 uses to determine whether to grant a client's request
Defining selector specific attributes,
... in particular the required privileges

HTACCESS based access controls

In addition to the above method of controlling access, SREhttp/2 also supports the HTACCESS access control method. In fact, you can use both methods -- the selector-specific privileges based method described above and HTACCESS -- simultaneously.

Pros and Cons: HTACCESS vs. selector specific

HTACESS	Selector-specific
Pros
To protect all the files in a directory, you don't need to figure out which selector (or selectors) map to this directory. All subdirectories are also subject to access controls, unless they have their own HTACCESS file. HTACCESS files are something of a standard -- SREhttp/2 implementation of the HTACCESS method is reasonably similar to what many other servers use.	Fine control -- you can specify directories, or single files within a directory. You can control access to CGI-BIN scripts and to SREhttp/2 addons. Optimized for speed (uses information stored in memory). In addition to access control (and redirection), you can specify a wide variety of other selector-specific attributes.
Cons
Can be slow -- HTACCESS (and user) files need to be read on each request. Coarse grained -- all files in a directory have the same access controls. Fewer options -- in SREhttp/2, HTACCESS is only used for access controls, redirection, assignation of default files, and suppression of directory listings.	Only supported by SREhttp/2. Requires centrallized files (one ATTRIBS.CFG file for each host). This may become large and cumbersome if you have a great many seperate access control instructions. To control access to specific files, the webmaster must determine which selector (or selectors) map to these files.

Caution

If you simultaneously use the HTACCESS and the privileges based methods to control access to a given resource -- make sure that you don't have contradictory requirements.

That is, make sure that a client has a username and password recognized by the appropriate HTACCESS file, and client privileges (associated with one of these usernames and passwords) that match the selector-specific required privileges.