Using the preceding host-based access-control configuration, a site can allow anyone to run a CGI script but only allow a certain site (in this case, yourdomain.com) to actually post data to one or more CGI scripts. This gives the CGI access in such a site a bit of read-only character. Everyone can run applications that generate output without taking any user input, but only users of a certain domain can provide input.

Chapter 7: Authenticating and Authorizing Web Site Visitors

Combining Authentication and Authorization

The basic HTTP user authentication support in mod_auth and access authorization support in mod_access can be combined to solve practical access-control problems. For example, let's say that you want to allow a group of users access to the /aolbuddies/ sections of your Web site only if they are browsing the Web site via an AOL connection. Here is the configuration that you can add to httpd.conf after replacing the path and filenames as appropriate:

    Alias /aolbuddies/ "/path/to/web/directory/for/aolbuddies/"
    <Location /aolbuddies/>
        # Host-based authorization (mod_access): only .aol.com clients pass
        Deny from all
        Allow from .aol.com
        # User authentication (mod_auth): members of the aolbuddies group
        AuthName "AOL Buddies Only"
        AuthType Basic
        AuthUserFile /path/to/.myusers.pwd
        AuthGroupFile /path/to/.mygroups
        require group aolbuddies
        # Both of the tests above must succeed
        Satisfy all
    </Location>

The Satisfy all directive tells Apache to only allow access to those who pass both authentication and authorization tests. When an AOL user connects to http://your_server/aolbuddies/ via AOL, the user is prompted for a username and password. If the user enters a username that belongs to the aolbuddies group and the user's password is correct, the user will be allowed access.

Note: You must add all your AOL buddies as users in /path/to/.myusers.pwd and also create a group called aolbuddies in /path/to/.mygroups, which lists all the AOL buddies (users in /path/to/.aol that you added earlier) in it.

Authenticating with a Relational Database

If you run a relational database server on your network (or even on the Web server) and have a lot of
users (that is, more than 1,000 users) to authenticate via the Web, you can use the database server to replace the text file-based (mod_auth) authentication discussed earlier. There are several advantages to using a database server for a large number of users; the primary advantages are:

* The mod_auth authentication becomes really slow when a large number of users are stored in a text file.
* If you allow users to change their passwords via the Web by using a custom application, text files are not safe because you must ensure that write access to the file is locked and unlocked properly. Storing data in database servers removes such additional burden from your scripts and provides a much better degree of overall data integrity.
* In a relational database you can store a great deal of information about a user that can be used by your Web applications. So, centralizing your user database using a database server such as MySQL makes good sense for the long term.

Note: You can use most modern relational database servers such as MySQL, Postgres, DB2, Oracle, and Microsoft SQL as the user database. Installation of any of these database servers is beyond the scope of this book. I assume that you have installed one of these database servers on your network or on the Web server.

Tip: For a site that has many users, you may want to create a dedicated database server that is accessible on your Web network. Ideally the database server should be accessible via a back-end network instead of the Internet. Most of the time, it is better to have a second Ethernet interface on each server system and to create a LAN that is only accessible to the servers in the LAN. (See Chapter 23 for details on how to create such a network.)

Using MySQL database server for authentication

MySQL is the most widely used free database server in the open source community; it is available under the GNU Public License. It is easy to install and set up your server as a
user-authentication database server. With the Linux platform, you can simply download and install the server, client, and development RPM packages and be ready in a matter of minutes! MySQL server is available for download at www.mysql.com.

Creating the user-authentication database in MySQL server

To use MySQL server as an authentication database you need to have at least username and password information in a table in a database. If you already have an existing database table with such information you do not need to follow the steps given here.

1. Log on to the MySQL server using the mysql -u root -p command. You will be asked to enter the root password for the database.

   Caution: The root password for the MySQL server should always be different than the root password on your Unix system. They serve different purposes and therefore should be kept apart.

2. After you are logged into MySQL, run the create database auth; command, which creates a database called auth.

3. Change your current database to the newly created auth database using the following command:

    use auth;

4. Now create a table called wwwusers by entering the following lines in the MySQL command prompt.

    create table wwwusers (
        username varchar(40) not null primary key,
        passwd varchar(20) not null
    );

   Each row in this table consists of three fields: username, passwd, and groups. The username field is the primary key, which means that MySQL uses this field to index the table, making lookups that use the username very fast. This field is limited to 40 characters. The use of varchar (variable character) instead of fixed char type saves space if usernames are not always 40 characters. The username field cannot be null (that is, empty) because it is also the primary key. The password field is called passwd, which is a maximum of 20 characters long and of the varchar type. It cannot be null.

5. Now enter the describe wwwusers; command, which should show the
following output:

    mysql> describe wwwusers;
    +----------+-------------+------+-----+---------+-------+
    | Field    | Type        | Null | Key | Default | Extra |
    +----------+-------------+------+-----+---------+-------+
    | username | varchar(40) |      | PRI |         |       |
    | passwd   | varchar(20) |      |     |         |       |
    +----------+-------------+------+-----+---------+-------+
    2 rows in set (0.00 sec)

   This verifies that the table wwwusers was created as desired.

6. Now you need to add user(s) to the table
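
The way Satisfy all combines the host test and the group test in the /aolbuddies/ configuration earlier in this section can be checked with a small model; this is an added example, not code from the book or from Apache. The group members, hostnames and function names are constructed for illustration, and the model assumes the default Order deny,allow.

```python
# Added illustration, not from the book: a model of how Apache combines the
# mod_access (host) and mod_auth (user/group) checks for /aolbuddies/.
# Group members and hostnames are constructed samples.
GROUPS = {"aolbuddies": {"alice", "bob"}}  # stands in for /path/to/.mygroups


def in_domain(pattern, host):
    """Partial-domain match used by 'Allow from': whole components only."""
    pattern, host = pattern.lower(), host.lower()
    if not host.endswith(pattern):
        return False
    if len(host) == len(pattern):
        return True
    # Accept only if the match starts on a label boundary.
    return pattern.startswith(".") or host[-len(pattern) - 1] == "."


def host_allowed(host, allow=(".aol.com",)):
    """'Deny from all' + 'Allow from .aol.com' under the default Order deny,allow.

    host is the client name Apache resolved (double-reverse DNS) from the IP.
    """
    return any(in_domain(p, host) for p in allow)


def user_allowed(user, group="aolbuddies"):
    """'require group aolbuddies'; user is None if Basic auth was absent or failed."""
    return user is not None and user in GROUPS.get(group, set())


def decide(host, user, satisfy="all"):
    """Return the HTTP status the server would answer with."""
    host_ok, user_ok = host_allowed(host), user_allowed(user)
    if satisfy == "all":
        if not host_ok:
            return 403  # rejected before any password prompt
        return 200 if user_ok else 401
    # Satisfy any: passing either test is enough.
    return 200 if (host_ok or user_ok) else 401


if __name__ == "__main__":
    for host, user in [("proxy.aol.com", "alice"), ("proxy.aol.com", None),
                       ("host.example.net", "alice"), ("notaol.com", "bob")]:
        print(host, user, decide(host, user, "all"), decide(host, user, "any"))
```

With Satisfy any, a request from an .aol.com host is served with no password at all and a group member is served from any network, which is why the configuration uses Satisfy all.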