By: Kurt Seifried, [email protected], Copyright Kurt Seifried, 2001
There are many different webservers, all supporting the same basic functionality (that is to say, making information available via the HTTP and HTTPS protocols). Some webserver products, however, have quirks or additional features that may be of use when conducting web-based authentication.
8.1 Apache based
Apache is one of the more popular web servers, with over 50% of the market in non-secure web serving and a good chunk of the secure market. There are a variety of non-commercial and commercial Apache-based servers capable of secure webserving (generally the non-commercial ones cannot legally be used in the USA due to the RSA patent). Apache has a large number of features to help handle user sessions and otherwise track them using Perl, Java servlets and other methods. The following is a list of URLs covering the various techniques:
http://perl.apache.org/embperl/Embperl.pod.6.html
http://www.apache.org/docs/mod/mod_usertrack.html
http://java.apache.org/jservssi/
http://java.apache.org/jservssi/parameterprop.html
http://java.apache.org/jservssi/dist/ApacheJSSI-1.1.2/docs/parameterprop.html
8.1.1 Apache-SSL
Apache-SSL has no substantial authentication features not included in the standard Apache.
8.1.2 Apache mod-ssl
Apache mod-ssl has no substantial authentication features not included in the standard Apache.
8.1.3 Raven
Raven has no substantial authentication features not included in the standard Apache.
http://www.covalent.net/products/ssl/
8.1.4 Red Hat Secure Server
Red Hat Secure Server was originally based on Apache and had no substantial authentication features not included in the standard Apache.
Red Hat purchased Stronghold and has phased out this product.
8.1.5 Stronghold
Stronghold has no substantial authentication features not included in the standard Apache.
http://www.c2.net/products/sh3/
Stronghold was purchased by Red Hat.
8.2 Netscape
8.2.1 Netscape Enterprise
http://home.netscape.com/enterprise/v3.6/
8.3 Roxen
Roxen supports setting a user session cookie (configured through the www interface on a per virtual server basis). Roxen also has RXML, a very powerful scripting language that has features to track the user through a session. Roxen has several excellent PDF documents on these features at their website (click on Documentation).
8.4 Zeus
Zeus has a distributed authentication and content module that allows you to host authentication and/or content on another machine. The authentication portion is a rather simple protocol which sends the name, password, a cookie, and so on, and receives a reply specifying that the user is allowed in, that the user is not allowed in, or that the user needs to supply a password. An example server is given in Perl (about 100 lines of code, not too tricky) which reads authorization data from a text file; however, you could write one that uses a MySQL database, for example. To read the documentation on this feature, either open up the help on the initial page and go to the "Documentation index", then choose "Web Server", "Modules", "distributed", or go to a server configuration page, choose modules, then "distributed", and the documentation page will be available there as well.
http://localhost:9090/apps/web/docs/modules/distributed/index.html
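The three-way reply described above (allowed in, not allowed in, password needed), sketched as the decision logic of a text-file-backed authentication server. This is an added example, not Zeus's Perl sample and not its wire protocol: the file format, function names and PBKDF2 settings are assumptions, and the cookie is left out because the text does not say how it is used.

```python
import hashlib
import hmac

ALLOW, DENY, NEED_PASSWORD = "allow", "deny", "need-password"
ITERATIONS = 100_000  # assumed PBKDF2 work factor for this sketch

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def make_record(user: str, password: str, salt: bytes) -> str:
    """Build one 'user:salt_hex:hash_hex' line (hypothetical file format)."""
    return f"{user}:{salt.hex()}:{hash_password(password, salt).hex()}"

def load_users(text: str) -> dict:
    """Parse the credential file, skipping comments and malformed lines."""
    users = {}
    for line in text.splitlines():
        parts = line.strip().split(":")
        if line.lstrip().startswith("#") or len(parts) != 3:
            continue
        try:
            users[parts[0]] = (bytes.fromhex(parts[1]), bytes.fromhex(parts[2]))
        except ValueError:
            continue  # non-hex salt or hash: ignore the record
    return users

# Used for unknown users so they cost the same hashing work as known ones.
DUMMY = (b"\x00" * 16, hash_password("", b"\x00" * 16))

def decide(users: dict, name, password) -> str:
    """Return one of the three replies for a request from the web server."""
    if not name or password is None:
        return NEED_PASSWORD
    salt, expected = users.get(name, DUMMY)
    matches = hmac.compare_digest(hash_password(password, salt), expected)
    return ALLOW if matches and name in users else DENY

# Constructed sample data: fixed salts keep the example reproducible;
# a real file would use a random salt per user.
SAMPLE_FILE = "\n".join([
    "# user:salt_hex:pbkdf2_sha256_hex",
    make_record("alice", "correct horse", bytes(range(16))),
    "broken-line-without-fields",
    "bob:zz:zz",
])

if __name__ == "__main__":
    users = load_users(SAMPLE_FILE)
    for name, pw in [("alice", "correct horse"), ("alice", "nope"), ("alice", None), ("mallory", "x")]:
        print(name, "->", decide(users, name, pw))
```

Storing salted hashes rather than plaintext passwords means a leaked credential file does not directly expose passwords, and unknown users get the same "not allowed" reply as wrong passwords so the backend does not confirm which names exist.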
Zeus can also use any Java servlets written for Apache Jserv "out of the box". So the following items should work with no particular problems:
http://java.apache.org/jservssi/
http://java.apache.org/jservssi/parameterprop.html
http://java.apache.org/jservssi/dist/ApacheJSSI-1.1.2/docs/parameterprop.html
8.5 Novell
Novell uses Netscape FastTrack server for their web serving requirement, and with Novell 5.1 they ship IBM WebSphere Application Server 3.0 for NetWare, Standard Edition.
http://www.nwconnection.com/dec.99/websphered9/index.html
8.5.1 Novell BorderManager
No notes yet.
http://www.novell.com/products/bordermanager/
8.5.2 Novell ICS
No notes yet.
http://www.novell.com/products/ics/
Novell ICS has been split off as part of a new company called Volera.
8.6 IBM Websphere
No notes yet.
http://www-4.ibm.com/software/webservers/
8.7 Volera
No notes yet.
Volera is a combination of Novell ICS and other technology from Nortel and Accenture.
8.8 Squid
No notes yet.
http://www.squid-cache.org/Doc/FAQ/FAQ-17.html
8.9 Achilles
Achilles proxies HTTP SSL connections allowing you to easily examine and modify the contents of an "encrypted" session. It is very useful for testing online authentication systems over HTTP SSL to see exactly what is going on.
http://www.digizen-security.com/