Identifying Users and Allocating Access Rights

Users are defined here as HTTP clients, which are usually Web browsers. Operators are the humans who use the Web browser. Users make requests to Web Transaction Server to access ClearPath MCP resources, which are files, file directory listings, or applications that extend the Web server.

ClearPath MCP resources are accessed based on the privileges that the user has on the ClearPath MCP server. When processing a request, a Web Transaction Server worker stack assumes the MCP usercode of the user making the request, so that the stack actions are limited by the usercode privileges.

A user can be identified for access to the system in one of two user categories:

  • Anonymous user

  • Authorized user

The access method employed by the user is controlled by the Web Transaction Server configuration.

Anonymous User

An anonymous user accesses the system without providing identification. The anonymous user obtains the privileges of the usercode defined to the Web Transaction Server as the “anonymous usercode.” In almost all cases, the anonymous usercode should be nonprivileged. The resources an anonymous usercode can access are nonsensitive data with a security rating of public.

The default anonymous usercode is (ANONYMOUSWEB), but any usercode can be configured for this role. Each website can have its own anonymous usercode.

Authorized User

To access the system, an authorized user provides an MCP usercode and password that pass the USERDATA authorization check. Initially, the Web browser does not send user identification when making a request. If the Web Transaction Server determines that the requested resource requires an authorized user, the following actions occur:

  1. The Web Transaction Server returns the response “401 – Unauthorized” to the user.

  2. The Web browser prompts the operator to enter a username (usercode) and password.

  3. When the operator enters the usercode and password, the browser resends the original request carrying the user identification in an HTTP header, the Authorization header.

For subsequent requests to the same directory of files or to the same application, an area called the realm, the Web browser retains the usercode and password entered by the operator and sends them with each request, so that the operator does not have to reenter them every time.

The Web Transaction Server checks the validity of the usercode and password on each request by calling the USERDATA procedure and optionally the SECURITYSUPPORT library.

For both anonymous and authorized users, once the Web Transaction Server worker stack has assumed the user's usercode, the stack tries to access the resource. If access is allowed, the request is processed. Otherwise, the request is rejected, usually with the response “404 – Not Found” or “403 – Forbidden”.
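The challenge-and-resend exchange described above, as an added example that is not part of the Web Transaction Server or its documentation: a constructed Python model of the server-side decision, with a dictionary standing in for the USERDATA password check and a constructed per-resource access list standing in for MCP file security. The realm name, usercodes and paths are assumptions; the accesscode and chargecode fields are not modelled.

```python
import base64

# Constructed stand-in for the MCP USERDATA check (usercode -> password); a password may itself contain ':'.
USERDATA = {"WEBUSER": "secret:pw", "GUEST": "guestpw"}
# Constructed stand-in for MCP file security: path -> usercodes allowed to read it.
RESOURCE_ACL = {
    "/public/index.html": {"ANONYMOUSWEB", "WEBUSER", "GUEST"},
    "/private/report.txt": {"WEBUSER"},
}
REALM = "MCP Web Transaction Server"   # assumed realm name sent in the 401 challenge


def make_basic_authorization(usercode, password):
    """Build the Authorization header value a browser sends after the operator enters credentials."""
    token = base64.b64encode(f"{usercode}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_basic_authorization(header):
    """Return (usercode, password) from an 'Authorization: Basic ...' value, or None if absent or malformed."""
    if not header:
        return None
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:                   # covers bad base64 and bad UTF-8
        return None
    if ":" not in decoded:
        return None
    usercode, _, password = decoded.partition(":")   # split on the first ':' only
    return usercode, password


def handle_request(path, authorization=None, anonymous_usercode="ANONYMOUSWEB"):
    """Model the worker-stack decision: returns (status, headers); headers carry the Basic challenge on 401."""
    challenge = {"WWW-Authenticate": f'Basic realm="{REALM}"'}
    if path not in RESOURCE_ACL:
        return 404, {}
    creds = parse_basic_authorization(authorization)
    if creds is None:                    # no usable identification: run under the anonymous usercode
        if anonymous_usercode in RESOURCE_ACL[path]:
            return 200, {}
        return 401, challenge            # resource needs an authorized user: challenge the browser
    usercode, password = creds
    if USERDATA.get(usercode) != password:
        return 401, challenge            # USERDATA check failed: challenge again
    if usercode not in RESOURCE_ACL[path]:
        return 403, {}                   # authenticated, but this usercode lacks access
    return 200, {}
```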

Accesscode and Chargecode

The accesscode, accesscode password, and chargecode are supported in Web Transaction Server if HTTP Basic is the authentication method. If a usercode requires an accesscode or chargecode, and it is not supplied in an authorization header, then a “401 – Unauthorized” response is returned.