VWcms Authorization  
 


Authentication is the verification of a user's identity, usually through username/password credentials.

Authorization is the control of a given action based on that identity.

VWcms authenticates a user with username/password credentials and then, on the basis of that username, authorizes who is allowed to manage a site.  Authentication can also be used to control who may view a site.

Authentication Source

VWcms can verify username/password credentials from these sources.  Only one may be used with any single site.

  • VMS - the VWcms system's own SYSUAF (via ACME where applicable)

        [login-source]  VMS

    For platforms supporting ACME there are optional, additional directives providing parameters to ACME.

        [authvms-acme-doi]
        [authvms-acme-no-restrict]


    VMS authentication should only be used on secure connections (see below).
  • VWCMS - username/password pairs in plain text included in the per-site VWcms configuration file.

        [login-source] VWCMS
        [login-credentials]  curly=Jerome,larry=Louis,moe=Harry


    This allows simple ad hoc access to a site or site management.  Because the credentials are stored in plain text, the per-site configuration file must be protected against unauthorised reading.
  • AGENT - local DCL procedure that performs the authentication itself using parameters passed to it from VWcms.

        [login-source]  @cgi-bin:[000000]vwcms_authenticate.com


    For implementation detail see the source code module LOGIN.C
  • REMOTE_USER - the supporting web server provides its own authentication (see below).

        [login-source]  REMOTE_USER

    VWcms provides no authentication configuration.  Authorization can still be performed with the supplied username.

Secret

To enable authorization an encryption secret must be configured (with the exception of REMOTE_USER).  This is a string of at least 24 characters (the longer the better) containing alphanumerics and punctuation in any order.  The following is an example.

[login-secret]  f589b+j=&5gfjkl*H7Bkd-%ht?m,vZ@1hj]3Asrqm^b

A secret can be changed at any time (and perhaps periodically should be) with the proviso that any current authentications become invalid.
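The following is an added example (not VWcms code) of generating and checking a [login-secret] value against the requirements stated above: at least 24 characters, drawn from alphanumerics and punctuation, with both classes present.  The punctuation set and the default length of 48 are assumptions chosen to be safe in a configuration line; the page itself only requires a minimum of 24.

```python
import secrets
import string

# Character classes for generation.  The punctuation subset is an
# assumption: it avoids quotes, brackets and backslash so the value
# pastes cleanly into a configuration line.
ALNUM = string.ascii_letters + string.digits
PUNCT = "!#$%&*+-/:;<=>?@^_|~"


def is_valid_login_secret(secret: str, minimum: int = 24) -> bool:
    """Check the page's stated requirements for a [login-secret].

    - at least `minimum` characters (24 per the page; longer is better)
    - only alphanumerics and punctuation (no whitespace or control chars)
    - at least one alphanumeric and at least one punctuation character
    """
    if len(secret) < minimum:
        return False
    if not all(c.isalnum() or c in string.punctuation for c in secret):
        return False
    has_alnum = any(c.isalnum() for c in secret)
    has_punct = any(c in string.punctuation for c in secret)
    return has_alnum and has_punct


def generate_login_secret(length: int = 48) -> str:
    """Generate a secret from a CSPRNG (the `secrets` module).

    Retries until both character classes are present so the result always
    satisfies is_valid_login_secret().  The loop terminates quickly: the
    chance of drawing 48 characters from a single class is negligible.
    """
    alphabet = ALNUM + PUNCT
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if is_valid_login_secret(candidate):
            return candidate


if __name__ == "__main__":
    print("[login-secret]  " + generate_login_secret())
```

Running the module prints a ready-to-paste directive line.  The validator can also be pointed at an existing configuration value to confirm it meets the minimum before deployment.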

SSL Only

When authentication credentials are supplied in clear text there is the potential for sniffing.  If the directive [login-SSL] is non-empty, authentication is only accepted on a secure (https://) connection.  The directive value is either a message explaining this to the user when a non-SSL login is attempted, or the string https://, in which case the request is automatically redirected to the equivalent SSL URL.

[login-SSL]  https://

Login Alias

This allows one username to be mapped to another before authentication.  An example might be using an email address or local mailbox name as the 'username' and mapping that to a VMS username before authenticating against the SYSUAF.

Alias mapping is performed in the configuration file. The format is one alias mapping per line. Mapping is performed using a case-insensitive match.

[login-alias]
Mark.Daniel/DANIEL
Fred.Bloggs/BLOGGS

If no alias matches, the default (drop-through) behaviour is to use the original user-supplied 'username' string unchanged.  With the above configuration both "Mark.Daniel" and "DANIEL" authenticate against the DANIEL account, and both "Fred.Bloggs" and "BLOGGS" against BLOGGS.  Any other supplied username would also authenticate directly under that name.  To allow only aliased usernames to be used for authentication, conclude the list with "*/-".

[login-alias]
Mark.Daniel/DANIEL
Fred.Bloggs/BLOGGS
*/-

In the above example only "Mark.Daniel" and "Fred.Bloggs" are accepted as supplied usernames; "DANIEL", "BLOGGS" or any other name is rejected before authentication is attempted.
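As an added example (not VWcms code), the following implements the alias-mapping behaviour described above: entries are matched case-insensitively in order, an unmatched name drops through unchanged, and a trailing "*/-" rejects anything not already aliased.  The parser and the sample configuration text are constructed for this example; the real implementation lives in VWcms's LOGIN.C and may differ in detail.

```python
from typing import List, Optional, Tuple

# Constructed sample configurations, copied from the two examples above.
OPEN_CONFIG = """[login-alias]
Mark.Daniel/DANIEL
Fred.Bloggs/BLOGGS
"""

CLOSED_CONFIG = OPEN_CONFIG + "*/-\n"


def parse_login_alias(block: str) -> List[Tuple[str, str]]:
    """Parse the lines following a [login-alias] directive into (alias, target) pairs.

    Assumption: one "alias/target" entry per line, blank lines ignored,
    the directive line itself skipped.  A line without "/" is a config error.
    """
    pairs = []
    for raw in block.splitlines():
        line = raw.strip()
        if not line or line.lower().startswith("[login-alias]"):
            continue
        alias, sep, target = line.partition("/")
        if not sep or not alias or not target:
            raise ValueError("malformed [login-alias] entry: %r" % line)
        pairs.append((alias, target))
    return pairs


def map_login_alias(username: str, pairs: List[Tuple[str, str]]) -> Optional[str]:
    """Return the username to authenticate as, or None if the name is rejected.

    Entries are tried in order (assumption: first match wins).  The special
    entry "*/-" rejects any name not matched by an earlier entry; without it
    an unmatched name drops through and is used as supplied.
    """
    for alias, target in pairs:
        if alias == "*" and target == "-":
            return None
        if alias.lower() == username.lower():
            return target
    return username


if __name__ == "__main__":
    for cfg in (OPEN_CONFIG, CLOSED_CONFIG):
        table = parse_login_alias(cfg)
        for name in ("mark.daniel", "DANIEL", "Fred.Bloggs", "system"):
            print("%-12s -> %s" % (name, map_login_alias(name, table)))
```

With the open configuration "DANIEL" and "system" pass through unchanged; with the "*/-" terminator both are rejected, which is the behaviour the text describes.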

REMOTE_USER Authentication

In this authentication environment the web server's own configured authentication supplies the username (via the CGI REMOTE_USER variable).  When this is configured VWcms does not perform its own authentication and a [login-secret] is not required.  If REMOTE_USER is configured and the web server does not supply an authenticated username, VWcms returns an error message.

Web server authorization is usually configured on a per-path basis.  Unless VWcms is configured for site access authorization (see below) a separate path ("site") is required to enable authorized access for site management.  One solution would be to provide general access using standard HTTP (http://) and site management through authorized secure HTTP (SSL, https://). Login aliasing cannot be applied to REMOTE_USER authentication.

Site Management Authorization

By default site management is disabled.  VWcms configuration must explicitly allow site management.  The asterisk parameter permits all who can authenticate against the site to manage the site.

    [site-manage]  * 

To restrict management to a subset of such users use a comma-separated list of such usernames.

    [site-manage]  curly,larry,moe

To explicitly exclude one or more usernames from the larger group, prefix each excluded username with an exclamation point and follow the list with an asterisk.

    [site-manage]  !shemp,*

For SYSUAF-authenticated usernames site management may be controlled using a rights identifier.  Prefix the identifier name with a percent sign.  Usernames and rights identifier names may be mixed in the list as required.

    [site-manage]  %stooges3

Site Access Authorization

To restrict site access to authenticated users use an asterisk as in the following example.

    [site-access]  *

To further restrict site access to a subset of authenticated usernames, provide them in a comma-separated list.

    [site-access]  curly,larry,moe

To explicitly exclude one or more usernames from the larger group, prefix each excluded username with an exclamation point and follow the list with an asterisk.

    [site-access]  !shemp,*

When site access requires authorization, the only content presented to an unauthenticated user is the login page.

As with site management, for SYSUAF-authenticated usernames site access may be controlled using a rights identifier prefixed with a percent sign.
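The [site-manage] and [site-access] directives share one list syntax, so a single evaluator covers both sections above.  The following is an added example (not VWcms code) that decides whether an authenticated username is permitted by such a list: an empty value disables the feature, "*" admits any authenticated user, plain names are matched, "!name" excludes, and "%ident" matches a SYSUAF rights identifier the user holds.  Two details are assumptions rather than page statements: usernames and identifiers are compared case-insensitively (VMS names are case-blind), and an exclusion takes precedence over any grant regardless of its position in the list.

```python
from typing import FrozenSet

NO_RIGHTS: FrozenSet[str] = frozenset()


def is_authorized(username: str, directive: str,
                  rights: FrozenSet[str] = NO_RIGHTS) -> bool:
    """Evaluate a [site-manage] or [site-access] value for an authenticated user.

    `directive` is the text after the directive name, e.g. "!shemp,*".
    `rights` holds the SYSUAF rights identifier names the user has (only
    meaningful for the VMS login source; pass nothing for other sources).
    """
    items = [item.strip() for item in directive.split(",") if item.strip()]
    if not items:
        return False                      # empty directive: feature disabled

    user = username.upper()
    held = {r.upper() for r in rights}    # assumption: case-blind comparison

    # Assumption: an explicit exclusion always wins, wherever it appears.
    for item in items:
        if item.startswith("!") and item[1:].upper() == user:
            return False

    for item in items:
        if item == "*":
            return True                   # any authenticated user
        if item.startswith("%"):
            if item[1:].upper() in held:  # rights identifier granted
                return True
        elif not item.startswith("!") and item.upper() == user:
            return True                   # named user granted
    return False


if __name__ == "__main__":
    cases = [
        ("curly", "*", NO_RIGHTS),
        ("shemp", "curly,larry,moe", NO_RIGHTS),
        ("shemp", "!shemp,*", NO_RIGHTS),
        ("joe", "%stooges3", frozenset({"STOOGES3"})),
    ]
    for who, rule, ids in cases:
        print("%-6s against %-18r -> %s" % (who, rule, is_authorized(who, rule, ids)))
```

The same function applies to both directives because the page gives them identical syntax; only the consequence of a False result differs (management refused versus the login page being the only content served).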

Mapping Changes for Authorised Site Access

(Not required when using REMOTE_USER authentication.)  With a conventional, open-access site the underlying web server supplies non-content site resources (e.g. images, downloads, etc.) directly.  When access to a site is limited to logged-in users VWcms itself must supply all resources, otherwise the web server would serve them without any access check.  In this WASD example the previous rule, mapping the /_vdub/ resources into server-space, has been removed (commented out).  It is replaced with a rule that redirects the /_vdub/ path to /vdub/, allowing VWcms to serve the resources.

map /vdub/* /vwcms/vdub/*
#pass /_vdub/* /ht_root/src/vwcms/vdub/*
redirect /_vdub/* /vdub/*
script+ /vwcms/* /cgi-bin/vwcms/*

The VWcms file-serving facility provides only a basic service (no last-modified or other handling) and is not intended for general purpose use, only for authorised site access.

When moving a site between open access and authorized access expect some side effects from the change of mapping.  Do not flip back and forth arbitrarily.
