WASD offers a comprehensive and versatile authentication and authorization environment. A little too comprehensive, often leaving the new administrator wondering where to begin. The role of this chapter is to provide a starting place, especially for sources of authentication, along with some basic configurations. 11 - Authentication and Authorization contains a detailed explanation of all aspects. All examples here assume a standard installation and environment.
Just to clarify. Authentication is the verification of a
user's identity, usually through username/password credentials.
Authorization is allowing a certain action to be applied to a
particular path based on that identity.
10.1 - Identifier Authentication
This setup allows any active account to authenticate using the local VMS username and password. By default not every account may authenticate this way, only those holding specified VMS rights identifiers. See 11.9.1 - Rights Identifiers.
$ DEFINE /SYSTEM HTTPD$SERVER_STARTUP "/SYSUAF=ID" $ @device:[HT_ROOT.LOCAL]STARTUP.COM
$ SET DEFAULT SYS$SYSTEM $ MCR AUTHORIZE UAF> ADD /IDENTIFIER identifier_name
["Whatever you want to call it!"=identifier_name=id] /ht_root/local/* r+w /httpd/-/admin/* r+w
UAF> GRANT /IDENTIFIER identifier_name account
["Web Administration"=web-identifier_name=id] /ht_root/local/* r+w /httpd/-/admin/* r+w ["Area Access"=area-identifier_name=id] /web/area/* r+w ; r
If the use of identifiers is impractical for some reason, this alternative setup allows any active, non-privileged account to authenticate using the server system VMS username and password.
$ DEFINE /SYSTEM HTTPD$SERVER_STARTUP "/SYSUAF" $ @device:[HT_ROOT.LOCAL]STARTUP.COM
["Whatever you want to call it!"=VMS] /web/area/* r+w
Update access (read+write) may be provided to the authorized and read-only access to the world using syntax similar to the following example. This applies to all authentication sources.
/web/area/* r+w ; r
["Realm Name"=VMS] /web/area1/* r+w,~username1,~username2 /web/area2/* r+w,#host1,#host2,~username3
or using access groups (see 10.4 - Read and Write Groupings)
["Realm Name"=VMS;list_name1=list] /web/area1/* r+w ; ["Realm Name"=VMS;list_name2=list] /web/area2/* r+w ; r
NOTE
To also allow privileged accounts to authenticate via the SYSUAF with this configuration change the logical definition as follows.$ DEFINE /SYSTEM HTTPD$SERVER_STARTUP "/SYSUAF=RELAXED"This is not a recommended configuration.
Using VMS identifiers is a far better solution. See previous section.
Other sources of authentication are available, either by themselves or used in the same configuration file (different realms and paths) as those already discussed. See 11.4 - Authorization Sources. Non-SYSUAF sources do not require any startup qualifier to be enabled.
["Whatever you want to call it!"=list-name=list] /web/area/* r+w ; r
This is a very simple arrangement, with little inherent security. Lists are more useful when grouping names together for specifying which group may do what to where.
["Whatever you want to call it!"=HTA-database-name=HTA] /web/area/* r+w ; r
These databases may be administered using the Administration Menu, are quite secure and versatile.
["Whatever you want to call it!"=agent-name=agent] /web/area/* r+w ; r
WASD allows separate sources for groups of usernames to control read and write access in a particular realm. See 11.5 - Realm, Full-Access, Read-Only. These groups may be provided via simple lists, VMS identifiers, HTA databases and authorization agents. The following example shows an identifier authenticated realm with full and read-only access controlled by two simple lists. For the first path the world has no access, for the second read-only access (with the read-only grouping becoming basically redundant information).
["Realm Name"=identifier_name=id;full_access_name=list;read-only_name=list] /web/area/* r+w ; /web/another-area/* r+w ; r
Multiple authentication sources (realms) may be configured in the one HTTPD$AUTH file.
Multiple paths may be mapped against a single authentication source.
Any path may be mapped only once (for any single virtual service).
Paths may have additional access restrictions placed on them, including client host name, username, etc. See Access Restriction List.
The configuration file is loaded and stored by the server at startup. If changed it must be reloaded to take effect. This can be done manually using
$ HTTPD/DO=AUTH=LOAD
Authentication information is cached. Access subsequently removed or modified will not take effect until the entry expires, or is manually purged using
$ HTTPD/DO=AUTH=PURGE
Failed attempts to authenticate against a particular source are limited. When this is exceeded access is always denied. If this has happened the cache must be manually purged before a user can successfully authenticate
$ HTTPD/DO=AUTH=PURGE