Planning Application Security Based on Web Authentication

As mentioned earlier, Web authentication is based on what is called Basic Authentication. When you are planning Web security, you need to be aware that Basic Authentication does not happen automatically. Two actions force Basic Authentication:

  • When a Server has been set to not allow Anonymous access (as mentioned above).

  • When a Web user tries to do something he or she is not authorized to do.

Designers set the level of access that users or servers have to a specific database through the ACL (Access Control List). This access level determines what the user can do and what data servers can replicate. Every database has an Access Control List that needs to be set.

When users try to do more than they are allowed, they are prompted with a Name and Password login screen. Users who have a Person document with a matching Name and Internet Password are authenticated and get the individual or group access they are assigned in the database ACL.

For example, suppose a designer wants the general population to be able to open and read documents in your company's catalog, while only a select few should be able to create documents. If you set Anonymous to Reader access and the select few to Author access in the ACL, all users can open this database and read all the documents without being forced to authenticate. Any person who tries to create a new document (which Anonymous is not authorized to do) is forced to authenticate.
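The catalog scenario above, worked through as a small decision model. This is an added example, not code from the book or from Domino: the group name CatalogAuthors, the user names, and the function names are hypothetical, only a subset of access levels is modeled, and the "-Default-" fallback entry is not mentioned in this passage.

```python
from enum import IntEnum

class Level(IntEnum):
    # Subset of ACL access levels, ordered low to high (simplified model).
    NO_ACCESS = 0
    READER = 1
    AUTHOR = 2

# Minimum level each action needs in this model.
REQUIRED = {"read": Level.READER, "create": Level.AUTHOR}

# Constructed ACL for the catalog example; "CatalogAuthors" is a hypothetical group.
CATALOG_ACL = {
    "-Default-": Level.NO_ACCESS,
    "Anonymous": Level.READER,
    "CatalogAuthors": Level.AUTHOR,
}

def effective_level(acl, user, groups=()):
    """Access level of an authenticated user."""
    if user in acl:                      # an individual entry takes precedence
        return acl[user]
    group_levels = [acl[g] for g in groups if g in acl]
    if group_levels:                     # otherwise the highest group entry
        return max(group_levels)
    return acl.get("-Default-", Level.NO_ACCESS)

def decide(acl, action, user=None, groups=(), server_allows_anonymous=True):
    """Return 'allow', 'challenge' (Name and Password prompt) or 'deny'.

    user is the already-authenticated name, or None for an anonymous request.
    """
    needed = REQUIRED[action]
    if user is None:
        if not server_allows_anonymous:
            return "challenge"           # trigger 1: server refuses Anonymous
        anon = acl.get("Anonymous", acl.get("-Default-", Level.NO_ACCESS))
        return "allow" if anon >= needed else "challenge"   # trigger 2
    # Assumption of this model: an authenticated user who still lacks access is refused.
    return "allow" if effective_level(acl, user, groups) >= needed else "deny"

def anonymous_actions(acl):
    """Audit helper: actions reachable without authenticating."""
    return sorted(a for a in REQUIRED if decide(acl, a) == "allow")

if __name__ == "__main__":
    print(anonymous_actions(CATALOG_ACL))
    print(decide(CATALOG_ACL, "create"))
    print(decide(CATALOG_ACL, "create", "Pat Lee", ("CatalogAuthors",)))
```

Running `anonymous_actions` over each database's ACL during a review shows exactly what an unauthenticated Web user can do before any login prompt appears.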
