Restricting and Limiting User Access

The ways to control user access to MCP resources are

  • Read and write access

  • Application authorization

  • IP address restriction

  • Secure connection requirement

  • Client certificate requirement

  • Delaying authentication responses

Read and Write Access

You can configure virtual and physical directories in the Web Transaction Server for read access and write access with the following restrictions:

  • Anonymous Only

    The request for resources through the anonymous usercode is limited to the files that are visible from the anonymous usercode.

  • Authorization Required

    A valid MCP usercode and password must be supplied to access the resource. If the user request does not contain an authorization header, or is not received over an authenticated dialog, the Web Transaction Server responds with a “401 – Unauthorized” response, and the browser operator is prompted to supply a usercode and password.

  • Anonymous/Authorized

    The Web Transaction Server first attempts to access the resource as an anonymous user. If the resource cannot be accessed, the Web Transaction Server follows the restriction procedure for Authorization Required.

  • None

    Access to the resource is not allowed. If directories or subdirectories of files should not be visible through the Web Transaction Server, define a virtual or physical directory as None to prevent access.
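The four restrictions above form a small decision procedure: whether the anonymous usercode is tried first, whether a missing or invalid Authorization header produces a 401 challenge, and whether access is refused outright. The following Python model is an added illustration of that procedure and is not the Web Transaction Server's own code. The `Resource`, `Request`, `decide` names, the usercode store, and the rule that an already-authenticated dialog carries its usercode in `dialog_usercode` are all assumptions made for the example.

```python
"""Decision model for the directory access restrictions (constructed example)."""
from dataclasses import dataclass
from enum import Enum
from typing import FrozenSet, Optional, Tuple


class Restriction(Enum):
    ANONYMOUS_ONLY = "Anonymous Only"
    AUTHORIZATION_REQUIRED = "Authorization Required"
    ANONYMOUS_AUTHORIZED = "Anonymous/Authorized"
    NONE = "None"


class Outcome(Enum):
    SERVED_ANONYMOUS = "served under the anonymous usercode"
    SERVED_AUTHENTICATED = "served under the caller's usercode"
    CHALLENGE_401 = "401 Unauthorized; browser prompts for usercode and password"
    DENIED = "access not allowed"


@dataclass(frozen=True)
class Resource:
    path: str
    visible_to_anonymous: bool      # file is visible from the anonymous usercode
    visible_to: FrozenSet[str]      # usercodes that can see the file once authenticated


@dataclass(frozen=True)
class Request:
    path: str
    credentials: Optional[Tuple[str, str]] = None   # (usercode, password) from the Authorization header
    dialog_usercode: Optional[str] = None            # set when the dialog was already authenticated


# Constructed credential store; a real server checks the MCP usercode file instead.
USERCODES = {"OPERATOR": "op-pass", "ANALYST": "an-pass"}


def _credentials_valid(credentials: Optional[Tuple[str, str]]) -> bool:
    if credentials is None:
        return False
    usercode, password = credentials
    return USERCODES.get(usercode) == password


def _require_authorization(resource: Resource, request: Request) -> Outcome:
    """The 'Authorization Required' procedure."""
    if request.dialog_usercode is not None:
        usercode = request.dialog_usercode
    elif _credentials_valid(request.credentials):
        usercode = request.credentials[0]
    else:
        # No header, or a header with a bad usercode/password: challenge so the browser prompts.
        return Outcome.CHALLENGE_401
    if usercode in resource.visible_to:
        return Outcome.SERVED_AUTHENTICATED
    return Outcome.DENIED


def decide(restriction: Restriction, resource: Resource, request: Request) -> Outcome:
    """Map a directory restriction plus one request to the server's response."""
    if restriction is Restriction.NONE:
        return Outcome.DENIED
    if restriction is Restriction.ANONYMOUS_ONLY:
        # Credentials are ignored; only files visible to the anonymous usercode are served.
        return Outcome.SERVED_ANONYMOUS if resource.visible_to_anonymous else Outcome.DENIED
    if restriction is Restriction.AUTHORIZATION_REQUIRED:
        return _require_authorization(resource, request)
    # Anonymous/Authorized: anonymous first, then fall back to the Authorization Required procedure.
    if resource.visible_to_anonymous:
        return Outcome.SERVED_ANONYMOUS
    return _require_authorization(resource, request)


if __name__ == "__main__":
    report = Resource("/reports/q1.txt", visible_to_anonymous=False, visible_to=frozenset({"ANALYST"}))
    for restriction in Restriction:
        for request in (Request("/reports/q1.txt"), Request("/reports/q1.txt", ("ANALYST", "an-pass"))):
            print(f"{restriction.value:24} creds={request.credentials!r:26} -> {decide(restriction, report, request).value}")
```

Running the block prints one line per restriction and request; the instructive rows are the private file under Anonymous/Authorized, which silently degrades to a 401 challenge only after the anonymous attempt fails, and the same file under Anonymous Only, which is refused even with valid credentials.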

Application Authorization

Read and write access only applies to files and directory listings. For applications that extend the Web Transaction Server, the following authorization restriction settings apply.

  • Basic

    The user must be a valid MCP user before the request is passed to the application.

  • NTLM Only

    The user must authenticate to Web Transaction Server with NTLM.

  • Kerberos or NTLM

    The user must authenticate to Web Transaction Server with either Kerberos or NTLM.

  • None

    The Web Transaction Server does not check the user authorization before passing the request to the application. The application can apply its own authorization checking, because the application can get the user password if the Web Transaction Server configuration allows it.

IP Address Restriction

In an environment with fixed IP addresses, virtual and physical directories can be configured to grant or deny access from IP addresses. Requests from IP addresses that are denied access are rejected with a “403 (Forbidden)” or “404 (Not Found)” response. IP addresses can be defined as specific addresses, groups of addresses, or as address ranges.

TCP/IP Filtering can also be used to block access to a specific port, such as port 80, which is the default port for HTTP, but that blocks every resource on the port. By contrast, the Web Transaction Server IP Address Restriction feature lets you permit access to some MCP resources through the Web Transaction Server without locking a user out of all resources.
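The paragraph above describes three kinds of entries (a specific address, a group of addresses, an address range) and two possible rejection responses. The following Python block is an added example of how such a grant/deny list is evaluated; it is not the Web Transaction Server's code, and the `Rule` and `evaluate` names, the first-matching-rule-wins order, the "a.b.c.d-e.f.g.h" range syntax, and the default action when nothing matches are assumptions made for the example. It uses only the standard `ipaddress` module.

```python
"""Grant/deny evaluation of client IP addresses (constructed example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Sequence, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class Rule:
    action: str              # "grant" or "deny"
    networks: Tuple[Network, ...]


def parse_entry(entry: str) -> List[Network]:
    """Turn one configuration entry into networks.

    Accepts a specific address ("10.0.5.7"), a group given as CIDR ("10.0.0.0/16"),
    or a range written as "first-last" (assumed syntax for this example).
    """
    entry = entry.strip()
    if "-" in entry:
        first, last = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
        return list(ipaddress.summarize_address_range(first, last))
    # A bare address becomes a /32 (or /128) network.
    return [ipaddress.ip_network(entry, strict=False)]


def build_rule(action: str, *entries: str) -> Rule:
    if action not in ("grant", "deny"):
        raise ValueError(f"unknown action {action!r}")
    networks: List[Network] = []
    for entry in entries:
        networks.extend(parse_entry(entry))
    return Rule(action, tuple(networks))


def evaluate(rules: Sequence[Rule], client_ip: str, default: str = "deny", deny_status: int = 403) -> int:
    """Return 200 when the request may proceed, otherwise the configured rejection status.

    deny_status is 403 (Forbidden) or 404 (Not Found); the 404 variant does not
    confirm to a rejected client that the resource exists.
    """
    if deny_status not in (403, 404):
        raise ValueError("deny_status must be 403 or 404")
    ip = ipaddress.ip_address(client_ip)
    for rule in rules:  # first matching rule decides (assumption)
        if any(ip in net for net in rule.networks):
            return 200 if rule.action == "grant" else deny_status
    return 200 if default == "grant" else deny_status


if __name__ == "__main__":
    # Constructed policy: one blocked host, one permitted /16, one permitted range.
    policy = [
        build_rule("deny", "10.0.5.7"),
        build_rule("grant", "10.0.0.0/16", "192.168.1.10-192.168.1.20"),
    ]
    for addr in ("10.0.5.7", "10.0.5.8", "192.168.1.15", "192.168.1.21", "203.0.113.9"):
        print(f"{addr:14} -> {evaluate(policy, addr, deny_status=404)}")
```

Because the deny entry for the single host precedes the grant for its enclosing /16, the more specific rule must be listed first under first-match ordering; a policy that relied on "most specific wins" would need a different evaluation loop.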

Secure Connection Requirement

Directories and applications can have their access restricted to only those clients that use a secure connection, and optionally to those clients that use a high level of encryption (128 bits or higher). A secure connection requires access to the Web Transaction Server over an SSL/TLS connection.

Client Certificate Requirement

Further extending the secure connection requirement, directories and applications can have their access restricted to only those clients who supply valid client certificates. The certificates must be stored on the MCP.