Sambar Server Documentation
|
Server Security |
Overview The Sambar Server supports three security models:
The Sambar Server implements the above access controls with two levels of authentication information. The security.ini file found in the config directory is a global access configuration file, whereas .htaccess control files are per-directory configuration files. Both access control mechanisms can be used within the server, however care must be taken not to introduce mutually-exclusive constraints. Presently, all user-level security is independent of the native Windows NT security system. All security.ini based access controls are implemented via the sample code found in samples/source/security.c. The source code to this module was provided so that individuals that might need alternative access control mechanisms (i.e. LDAP, Windows NT domain passwords) can implement and integrate the functionality for the Sambar Server. WARNING: Because the HTTP/1.0 authentication system transmits username and password from the browser to the server unencrypted (except when SSL is used), the use of LDAP or Windows NT domain passwords for access security introduces a significant security risk. Once a user has authenticated, the browser transmits the username and password with each request it sends thereafter, making interception a fairly easy task for anyone watching packet traffic.
URL-Based Access Control The disadvantages to this model is that all security resides in a single location and tremendous care must be taken to avoid security breaches that occur when multiple URLs map to the sample file location (i.e. use of '..', trailing periods, ~ and long file names). In addition, the configuration file is only read and parsed during server startup; the server must be restarted after subsequent modifications to the security.ini file.
File-Based Access Control
The primary disadvantages to .htaccess-based
security is the performance degredation associated with using
this model, and the lack of a browser-based mechanism for
creating or maintaining .htaccess files (a GUI mechanism for
configuring/modifying .htaccess files will be provided in
a future release). The performance problem with .htaccess
files is due to their hierarchical nature, i.e. if you have
Where possible .htaccess support in the Sambar Server attempts to remain compatible with the Apache server (when NCSA and Apache implementations differ). Not all mechanisms supported by the Apache server are supported.
Host-Based Access Control |
© 1998 Sambar Technologies. All rights reserved. Terms of Use.