Protection Setup File

Each protect rule has an associated protection setup file. It specifies the valid authentication schemes, the password and group files, and the password server-id.

Valid Authentication Schemes

Valid authentication schemes are listed in a single authenticate field:
    authenticate  Basic, KerberosV4
Note: KerberosV4 authentication is here only as an example; it has not been implemented as part of the library.

Mask Group

Protecting Entire Tree as one Entity

If you want to control access only to entire trees of documents and don't need to restrict access differently for individual files, it suffices to give a mask-group in the setup file (and you don't need any ACL files):
    mask-group  group, user, group@address, ...
The group definition has the same syntax as in the group file.

Protecting Individual Files Differently

When each individual file needs to be protected separately, you should use an ACL (access control list) file in the same directory as the protected files. After that, no file in that directory can be accessed unless there is a specific entry in the ACL allowing it.

In this case you don't need the mask-group in the setup file.

Restricting Access Even Further

There may be both a mask-group and an ACL, in which case both conditions must be met. This is typically used so that the mask-group defines a general group of people allowed to access the tree, and the ACLs restrict access even further.

Basic Scheme Specific Fields

If the Basic scheme is one of the valid schemes, there should be the following fields in the protection file:
        server-id     OurCollaboration
        passwordfile  /WWW/Admin/passwd
        groupfile     /WWW/Admin/group
Password and group files must be absolute pathnames.

The purpose of server-id is to tell the browser which password file is in use. Different protection setups (different collaborations) on the same machine can use different password files, which would otherwise confuse pseudo-intelligent clients that try to work out automatically which password to send.

Note 1: Identical server-ids on different machines (or on different ports of the same machine) are considered different by clients (otherwise this would be a security hole).
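The rules above can be checked mechanically before a setup file goes live. The following is an added example, not code from the server or its library: a small linter for the fields described on this page, plus a cross-file check for a server-id that points at more than one password file. It assumes field names are matched exactly as written here, that each field appears once, and that fields not described on this page should be reported; the function names and sample files are constructed.

```python
KNOWN = {"authenticate", "mask-group", "server-id", "passwordfile", "groupfile"}

def parse_setup(text):
    """Split 'field  value' lines into a dict plus a list of syntax problems."""
    fields, problems = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        parts = raw.split(None, 1)
        if not parts:
            continue  # blank line
        name, value = parts[0], (parts[1].strip() if len(parts) > 1 else "")
        if name not in KNOWN:
            problems.append(f"line {lineno}: unknown field {name!r}")
        elif name in fields:
            problems.append(f"line {lineno}: duplicate field {name!r}")
        elif not value:
            problems.append(f"line {lineno}: {name} has no value")
        else:
            fields[name] = value
    return fields, problems

def check_setup(text):
    """Return every problem found in one protection setup file."""
    fields, problems = parse_setup(text)
    schemes = [s.strip() for s in fields.get("authenticate", "").split(",") if s.strip()]
    if not schemes:
        problems.append("no authenticate field")
    if "KerberosV4" in schemes:
        problems.append("KerberosV4 is listed but not implemented")
    if "Basic" in schemes:  # Basic needs its three scheme-specific fields
        for name in ("server-id", "passwordfile", "groupfile"):
            if name not in fields:
                problems.append(f"Basic requires {name}")
            elif name != "server-id" and not fields[name].startswith("/"):
                problems.append(f"{name} is not an absolute pathname")
    return problems

def server_id_conflicts(setups):
    """List server-ids that setups on one server tie to different password files."""
    seen, conflicts = {}, set()
    for text in setups:
        fields, _ = parse_setup(text)
        sid, pw = fields.get("server-id"), fields.get("passwordfile")
        if sid and pw and seen.setdefault(sid, pw) != pw:
            conflicts.add(sid)
    return sorted(conflicts)

# Constructed sample setup files (not taken from a real server).
GOOD = "authenticate Basic\nserver-id OurCollaboration\npasswordfile /WWW/Admin/passwd\ngroupfile /WWW/Admin/group\n"
BAD = "authenticate Basic, KerberosV4\nserver-id OurCollaboration\npasswordfile Admin/passwd2\n"
```

A server-id reported by server_id_conflicts is one for which a browser would resend a password meant for a different password file, which is the confusion server-id exists to prevent.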

AL 12 December 1993