Often you need to let everyone connect to your site while shutting out a handful of
hosts or domains. MacHTTP's default behavior is to deny all clients except those
explicitly listed in the MacHTTP.config file as soon as any ALLOW or DENY statement
is present. To get around this, allow everyone first with the following 9 ALLOW
statements (an ALLOW argument is a partial address, and every dotted-quad IP address
begins with a digit from 1 to 9, so together they cover every client), then add the
DENY statements you need after them, so that the DENYs take precedence for the hosts
they name:
ALLOW 1
ALLOW 2
...
ALLOW 9
DENY some_site.edu
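The following is an added example (not MacHTTP's own code) that models how an ordered list of ALLOW/DENY statements decides whether a client may connect, using the recipe above as constructed sample input. The page does not spell out the matching rules, so these are assumptions: an argument beginning with a digit is a partial IP address and matches as a prefix of the client's dotted-quad address; any other argument is a partial domain name and matches as a suffix of the client's host name; with no statements at all everyone is allowed; once any statement exists the default is deny and the last matching statement wins, which is what placing the DENY lines after the ALLOWs relies on. It also shows why a partial IP address should end in a dot.

```python
# Added example (not MacHTTP's own code): a model of how an ordered list of
# ALLOW/DENY statements decides whether a client may connect.
#
# Assumptions, labelled because the page does not spell them out:
#   - an argument that begins with a digit is a partial IP address and matches
#     when it is a leading substring (prefix) of the client's dotted-quad address;
#   - any other argument is a partial domain name and matches when the client's
#     host name ends with it (case-insensitive);
#   - with no ALLOW/DENY statements at all, every client is allowed;
#   - once any statement exists the default is deny, and the LAST matching
#     statement wins, which is why the page puts the DENY lines after the ALLOWs.
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str   # "ALLOW" or "DENY"
    pattern: str  # partial IP address or partial domain name, lower-cased


def parse_rules(config_text: str) -> list[Rule]:
    """Extract ALLOW/DENY statements from MacHTTP.config text, in file order."""
    rules = []
    for line in config_text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0].upper() in ("ALLOW", "DENY"):
            rules.append(Rule(parts[0].upper(), parts[1].lower()))
    return rules


def rule_matches(rule: Rule, addr: str, hostname: str) -> bool:
    """Partial-IP prefix match or partial-domain suffix match (assumed semantics)."""
    if rule.pattern[:1].isdigit():
        return addr.startswith(rule.pattern)
    return hostname.lower().endswith(rule.pattern)


def client_allowed(rules: list[Rule], addr: str, hostname: str = "") -> bool:
    """Decide access for one client; the last matching statement wins."""
    if not rules:
        return True            # no statements: server is open to everyone
    decision = False           # any statement present: default deny
    for rule in rules:
        if rule_matches(rule, addr, hostname):
            decision = rule.action == "ALLOW"
    return decision


# Constructed sample config: the page's "allow everyone, then deny a few" recipe.
OPEN_BUT_DENY_ONE = "\n".join(f"ALLOW {digit}" for digit in range(1, 10)) + "\nDENY some_site.edu\n"

# Constructed sample configs showing the partial-address pitfall: "ALLOW 10"
# also admits 100.0.0.0 through 109.255.255.255; "ALLOW 10." does not.
SLOPPY_PREFIX = "ALLOW 10\n"
TIGHT_PREFIX = "ALLOW 10.\n"


if __name__ == "__main__":
    rules = parse_rules(OPEN_BUT_DENY_ONE)
    print(client_allowed(rules, "192.0.2.7", "www.example.org"))       # True
    print(client_allowed(rules, "192.0.2.9", "mail.some_site.edu"))    # False
    print(client_allowed(parse_rules(SLOPPY_PREFIX), "100.64.0.1"))    # True (pitfall)
    print(client_allowed(parse_rules(TIGHT_PREFIX), "100.64.0.1"))     # False
```

The pitfall case is the one to remember when writing real statements: a partial address is a string prefix, not a network mask, so always terminate it with a dot (ALLOW 10. rather than ALLOW 10) unless you really mean to admit every address that begins with those digits.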
Another alternative is to run multiple MacHTTP servers on the same Mac: a public server that is available to everyone on one PORT, and a restricted server on a separate PORT (use the PORT command in the MacHTTP.config file to define which TCP/IP port MacHTTP listens on). Make sure the MacHTTP applications running on different ports live in different folders with separate config files and settings files. The separate port only keeps the two configurations apart; it is not a protection in itself, since a port scan finds it as easily as port 80, so the restricted instance still needs its own ALLOW/DENY statements (and, if you use them, REALM statements) in its own config file.
How authentication works:
The Basic authentication scheme is built into most WWW clients (older versions
of MacWeb and Mosaic do not support authentication). Authentication is OPTIONAL,
and you may choose not to activate any password-based security on your server.
When a file or folder is restricted to certain users, MacHTTP returns a result
that forces the WWW client to prompt the user for a username and password before
the file can be accessed. If the username and password the client sends to MacHTTP
are valid, the requested file is returned. On later requests for files requiring
the same permissions the WWW client sends the username and password automatically,
so for convenience a user normally has to type a password only once. Note that
Basic authentication only base64-encodes the username and password; it does not
encrypt them, and because the client re-sends them with every later request they
cross the network in recoverable form each time.
How MacHTTP implements authentication:
MacHTTP allows you to divide your files and folders into multiple security "realms." Files and folders are placed in a realm based on the text of the URL to the specific file. For example, suppose you want to configure your server so that some files are available to everyone, some files are available to co-workers, and some files are available to customers.
MacHTTP.config now accepts a new command, "REALM", which lets you do this. The syntax of the REALM command is:
REALM <match_string> <descriptive_name>
where match_string is a substring of the URL that is common to every file in that realm (and, ideally, to no other file), and descriptive_name is text (no spaces!) that describes the realm in human readable terms; the WWW client shows it to the user when prompting for a password. The arguments to REALM are case insensitive.
Back to the example, assume your config file contains the following lines:
REALM work Co-Workers
REALM custom Customers
Files in the Co-Workers realm may have names like:
http://your.host/working_draft.html
http://your.host/work-info/staff_photo.gif
http://your.host/personnel/workers_comp.html
Customer files may look like:
http://your.host/customer_data/price_list.html
http://your.host/custom_designs.html
Using the "Co-Workers" example, MacHTTP looks for the match_string "work" anywhere in a URL. If it finds it, it requires authentication from the WWW client before it will allow access to the file. The substring "work" can be part of the file name or of any folder containing the file, so you can control access to many files at once by placing them in a folder whose name contains a realm's match_string. The same rule cuts the other way: a URL that happens to contain the substring (for example network_map.html, which contains "work") lands in the realm whether you meant it to or not, and a file you meant to restrict is public if its URL contains no match_string. Pick match_strings that are unlikely to appear by accident, and check new file and folder names against them. Be careful not to have a single URL match two realms; if one does, MacHTTP uses the first realm that matches, in the order the REALM lines appear in the config file.
Once it has found that a file requires authentication, MacHTTP returns a 401 (Unauthorized) response to the WWW client and passes the descriptive_name (in this case "Co-Workers") along as the realm. The WWW client shows this string to the user when it prompts for a username and password. MacHTTP uses the combination of the username and the realm to look up the correct password in the new "MacHTTP Settings" file, so the same username may have a different password in each realm. If the password supplied by the user matches the one found in the settings file, the file is returned to the user.
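The following is an added example (not MacHTTP's own code) that models the realm matching and the challenge/response described in the two sections above. The REALM semantics (case-insensitive substring anywhere in the URL, first matching REALM line wins, lookup keyed by username and realm) come from the page; the 401 status, the WWW-Authenticate header and the base64 "user:password" Authorization header are the standard Basic scheme. The REALM_CONFIG text mirrors the page's example, and PASSWORDS is a constructed stand-in for the MacHTTP Settings file with invented users and passwords.

```python
# Added example (not MacHTTP's own code): a model of realm matching plus the
# Basic-authentication challenge/response. PASSWORDS stands in for the MacHTTP
# Settings file; its users and passwords are constructed sample data.
import base64
import hmac
from typing import Optional


def parse_realms(config_text: str) -> list[tuple[str, str]]:
    """Return (match_string, descriptive_name) pairs in config-file order."""
    realms = []
    for line in config_text.splitlines():
        parts = line.split(None, 2)
        if len(parts) == 3 and parts[0].upper() == "REALM":
            realms.append((parts[1].lower(), parts[2].strip()))
    return realms


def realm_for_url(realms, url: str) -> Optional[str]:
    """First realm whose match_string occurs anywhere in the URL; None means public."""
    lowered = url.lower()                       # REALM arguments are case insensitive
    for match_string, name in realms:
        if match_string in lowered:
            return name
    return None


def basic_credential(username: str, password: str) -> str:
    """What a WWW client sends back after the 401: base64 of "user:password"."""
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()


def handle_request(realms, passwords, url: str, authorization: Optional[str] = None):
    """Return (status, headers) for one request, as the page describes the server."""
    realm = realm_for_url(realms, url)
    if realm is None:
        return 200, {}                                   # public file
    challenge = 401, {"WWW-Authenticate": f'Basic realm="{realm}"'}
    if authorization is None:
        return challenge                                 # client must prompt the user
    scheme, _, token = authorization.partition(" ")
    if scheme.lower() != "basic":
        return challenge
    try:
        decoded = base64.b64decode(token, validate=True).decode("latin-1")
    except (ValueError, UnicodeDecodeError):
        return challenge                                 # malformed credential
    username, _, password = decoded.partition(":")
    expected = passwords.get((username, realm))          # keyed by username AND realm
    if expected is not None and hmac.compare_digest(expected.encode(), password.encode()):
        return 200, {}
    return challenge


# Constructed sample data mirroring the page's example.
REALM_CONFIG = "REALM work Co-Workers\nREALM custom Customers\n"
REALMS = parse_realms(REALM_CONFIG)
PASSWORDS = {
    ("alice", "Co-Workers"): "draft-2o",
    ("alice", "Customers"): "pricelist!",   # same user, other realm, other password
    ("bob", "Customers"): "hunter2",
}

if __name__ == "__main__":
    url = "http://your.host/working_draft.html"
    print(handle_request(REALMS, PASSWORDS, url))                                        # 401 challenge
    print(handle_request(REALMS, PASSWORDS, url, basic_credential("alice", "draft-2o")))  # 200
    # Accidental match: "work" is a substring of "network", so this file is not public.
    print(realm_for_url(REALMS, "http://your.host/network_map.html"))                   # Co-Workers
```

Two things the model makes visible: alice's Co-Workers password does not open a Customers URL, because the lookup key is the username/realm pair, and network_map.html is pulled into the Co-Workers realm by the substring rule even though nobody put it there.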
The MacHTTP Settings file:
This file is where username and password information is stored for all users
authorized to access restricted files on your server. The information is kept
as STR resources in the file's resource fork rather than in a plain text file,
so a remote user cannot fetch it from your server as a document. It is not
encrypted, however: the Passwords dialog described below displays any stored
password, and a resource editor shows the same strings, so anyone with access
to the server Mac can read them. Protect the MacHTTP folder accordingly.
Ultimately, many of MacHTTP's settings and the configuration information now
stored in the MacHTTP.config file will move to the new settings file. For the
time being, there will be one more file to clutter up your MacHTTP folder.
Creating Passwords:
Assuming that there is at least one REALM statement in your MacHTTP.config
file, you can use the new "Passwords..." menu command under the "Edit" menu to
add or delete password entries from the MacHTTP Settings file. (Ultimately, there
will be balloon help and AppleGuide info for this dialog.) To add a new username,
enter the name in the "User Name" field, the password in the "Password" field,
and use the "Realms" pop-up menu to select a security realm from those defined in
the config file. Then, click the Add button. The new username will appear in the
scrolling list, along with the realm it is assigned to. Note that a user name
may be entered in multiple realms, allowing the user to be both a co-worker and a
customer, for example. Each username/realm combination must be unique within the
settings file.
To view a username's password or to delete a username, select the name in the scrolling list; the entry's username, password and realm are displayed in the two fields and the realm pop-up. Press the Delete button to remove the username. You may edit the values in the fields at this point, but pressing Add saves them as a new entry and does not modify the old one; to change an existing username, delete the old entry and add a new one. Because the dialog shows passwords in the clear, do not leave it open on an unattended server.
Usernames take effect immediately after adding them, so there is no need to stop or restart the server, and MacHTTP continues to serve files while you are entering username information.