W3-mSQL achieves this by providing a complete programming
language embedded within an HTML document. The language, called Lite, is
similar is style and syntax to the C programming language and the ESL scripting
language. Using W3-mSQL and the embedded Lite language, you can generate
HTML code "on-the-fly" in the same way you do when you write custom CGI
programs. What's more, you can mix normal HTML code with W3-mSQL code so
that you only need to use the CGI styled approach where you actually have
<TITLE>Hello World from W3-mSQL</TITLE>
<H1>Introduction to W3-mSQL<H1>
<! echo("Hello World\n"); >
There can be any number of W3-mSQL tags within a single page and there can be any number of lines of code within a single W3-mSQL tag.
To execute the script depicted in figure do not specify
the path to the file in the URL as you would normally do as your browser
will just be sent the unprocessed HTML document. To execute the script
you must specify a URL that executes the W3-mSQL binary and tells it to
load and process your script. The W3-mSQL binary is called w3-msql and
will usually be located in the /cgi-bin directory (if it isn't there contact
your system administrator). If the normal URL of a W3-mSQL enhaced web
page is /staff/lookup.html, you would load it using the following URL:
When an HTML form is defined, a field name is given to each of the elements of the form. This allows the CGI to determine what the data values being submitted actually mean. When the data is passed to W3-mSQL, the field names are used as the variable names for the global variables. Once a set of variables has been created for each form element, the values being passed to the script are assigned to the variables. This is done automatically during start-up of the W3-mSQL program.
As an example, imagine that the following form was defined
in an HTML page.
<INPUT NAME=username SIZE=20>
<INPUT NAME=password SIZE=20 TYPE=PASSWORD>
<OPTION VALUE="casual">Casual User
<OPTION VALUE="staff">Staff Account
<OPTION VALUE="guest">Temporary Guest Account
When building "real" applications with a scheme such as W3-mSQL, other security related issues become apparent. Because the actual program code is embedded in the HTML code anyone wishing to obtain a copy of your source code would just need to access the W3-mSQL enhanced web page directly rather than accessing it via the W3-mSQL CGI program. If a user did this, the source code would not be processed and would appear in the HTML sent to the browser. If a user saved the source of the page from their browser they would have a full copy of your source code on their machine. Naturally, this is a major problem for people who write proprietary applications.
To overcome this problem, W3-mSQL provides two features,
private scripts and pre-compiled libraries. Your web server may also provide
a feature that can overcome this problem. All three options are discussed
A problem associated with embedding your source code in an HTML document is that by pure definition an HTML document is a public document (available to anyone via your web server). The software we write with W3-mSQL is safe as long as the user only accesses it via the W3-mSQL CGI program (because it will be processed and removed from the HTML source before it is sent to the browser). So the problem is not that the source code is in the HTML file, it is that a user may access the HTML file directly by specifying the URL and bypass the W3-mSQL CGI program.
The obvious solution to this problem would be if the HTML file was not available directly from the web server. If that was the case the user couldn't specify the URL directly and as such could not download your source code. But, how is this possible if the W3-mSQL expects to find the enhanced HTML file in the web document space? The solution is to install your enhanced web pages as private scripts.
A private script is an HTML file that is installed outside the web document tree (i.e. it is not directly available through your web server). When a page is requested via W3-mSQL, it looks for the file based on the URL specified. For example, if you requested the page /cgi-bin/w3-msql/test/myfile.html, W3-mSQL would try to load and process WEB_ROOT/test/myfile.html where WEB_ROOT is the directory in which you install web pages (such as /usr/local/etc/htdocs or similar). If it finds the file at that location is will load and process it. If it doesn't find the file at that location, W3-mSQL assumes it must be a private script.
When W3-mSQL determines that the request references a private script (i.e. it didn't find the page in the web tree) it looks in an external directory for the page. The default location for private scripts is /usr/local/Hughes/www. In the example above, W3-mSQL will try to load /usr/local/Hughes/www/test/myfile.html and process it. In short, it will use the private script directory as a second web document tree. You web server does not know that documents are stored in that directory so it is not able to send them without the help of W3-mSQL.
In the above example, if someone tried to load /test/myfile.html
directly, the web server would report an error because the file does not
exist in the web tree. If the user then requested it using the W3-mSQL
CGI program, a check for the file in the web tree would fail so the file
installed in the private script directory would be loaded, processed and
sent back to the user. This eliminates the possibility of a user directly
accessing your file and downloading your source code.
Lite libraries are pre-compiled versions of Lite functions that are loaded into Lite scripts and W3-mSQL enhanced web pages at run-time. See the Lite section of this manual for a complete description of Lite libraries.
From a security point of view, libraries can be used to hide your Lite source code from a user. A library is a binary version of the Lite code in the same way that an object file is a binary version of C code after it has been compiled. If all of your "sensitive" functions are placed in a library then they are totally hidden from the remote users (the binary file will be of no use to anyone as you cannot reverse the process and turn the library back into source code).
Using libraries in this way also increases the performance
of your W3-mSQL applications because the source code does not need to be
compiled every time the page is requested (it is compiled once and the
binary version is then loaded directly into the Lite Virtual Machine when
needed). Please see the section of the Lite documentation covering libraries
for further information.
HTTP Server Support
Some HTTP servers provide a mechanism via which you can
map a file extension to a specific action (Apache is an example of such
a web server). If your web server provides this feature you can configure
it to force the processing of your W3-mSQL enhanced files automatically.
For example, let us assume that all your enhanced web pages are stored in files with a suffix of .msql (e.g. /test/myfile.msql). You could then configure your web server to process any request for a file ending in .msql through the W3-mSQL CGI program. The web server will ensure that no user can access your enhanced HTML document without it being processed by the W3-mSQL CGI program. Configuring your web server to do this is specific to the web server you are using. For users of the Apache web server, please see the "Using W3-mSQL with Apache" document in the library section of the Hughes Technologies web site at http://www.Hughes.com.au
To overcome these problems, the W3-mSQL package includes
an authentication facility. This facility utilises the HTTP authorisation
protocol to determine the user?s username and password (via the familiar
pop-up username box in most web browser packages). When enabled, W3-mSQL
will automatically check the username and password of any user accessing
a page that is generated by W3-mSQL. W3-Auth does not use files on the
web server machine nor does it require utilities to be run from the UNIX
prompt. All configuration of W3-Auth based access control is performed
via a web interface with the data stored in an mSQL database.
The usual (and expected) method for passing this information to CGI programs is via a UNIX environment variable. In general, the web server will create a variable of a pre-defined name containing this information before calling the CGI program. Unfortunately, some web server developers have viewed the passing of authorisation information as a potential security problem. The grounding for this view is that a malicious user could install a rogue program on the server and capture people?s passwords. We do not view this as a problem due to the implied security of a UNIX server. If a user can overwrite a valid CGI program with a rogue "trojan horse" then the general security of the server machine is not acceptable. In simple terms, it is similar to saying that keeping a spare set of keys at home is a security risk because if someone breaks into your home they could take a key. Naturally, if they have already broken into your home they didn?t need a key and other areas of your security need to be improved.
Web servers that are known not to provide this information
are those based on the NCSA http server code (most notably the popular
Apache web server). To aid in determining whether or not a server provides
this information, we have written a simple test program. The program is
available from the software section of the Hughes Technologies web site
(http://www.Hughes.com.au). To overcome this limitation in the Apache server,
we also provide a software patch for Apache on our server. The patch and
a complete distribution of Apache that has already been patched can be
found in the software section of our web site.
By using multiple namespaces, each client can have a user called
?fred? and they will be viewed as separate people. It is common to define
a namespace for each client or for each W3-mSQL based application on your
server (allowing people to have different passwords for different applications).
Area An area is a segment of your web document tree that you wish to secure. An area is defined in terms of the URL used to access the pages. For example, if an application called Trident was developed and installed as "http://your.web.server/trident/" a secure area could be defined covering the /trident section of the web tree. Any URL that includes /trident as a prefix will be included in the area.
Secure areas can be nested to provide greater control. If, for example,
the Trident application contained sections for viewing data and also for
editing data, access to the editing features could be restricted using
a nested area. If all the pages associated with editing the database are
located in the "/trident/edit" directory, then a second area could be defined
to cover /trident/edit. When a URL is requested, the longest defined prefix
that matches the URL indicates the area (i.e. /trident/edit is longer than
During the execution of the script several tables will be created in a new database called w3-msql. It will also setup a "super user" for the initial configuration of the W3-mSQL access control. You will be prompted for user details of this newly created super user.
Once the database has been created, the configuration
process of W3-Auth can begin. To start the configuration, simply load the
following URL in your web browser
Step one is to create a new SuperUser. This SuperUser will not have complete control of the W3-Auth system. We will create a SuperUser with limited power who will be responsible for the addition and deletion of users from the new namespace (bill in our example). To create the new SuperUser, enter the SuperUser namespace management area by selecting the SuperUser namespace from the main menu. You will be presented with the SuperUser Management menu depicted below. By selecting the User Management option from the menu you will be presented with a list of the currently defined users in the namespace (only bambi at this time). Select the Add option and then click Execute to add a new user. You will be prompted for the new user?s details (for bill in this case). Enter the details and click Execute to create the new user.
Step two is to create the new namespace. To do this we
again enter the SuperUser namespace from the main menu. From the menu select
the "Namespace Management" option. The browser will now show you a list
of currently defined namespaces (just the SuperUser namespace in this case).
To create a new namespace, select "Add" and then click the "Execute" button.
You will be prompted for the name of the new namespace, a description,
and a list of namespace administrators. In our example, the name of the
namespace is "Trident", a description could be "Hughes Tech. Trident System"
and the administrator would be "bill".
Now that the new namespace has been defined we must define what privileges our administrator, bill, has over the namespace. To do this, enter the SuperUser namespace menu, choose "Privilege Management", and then choose to edit bill?s privileges. At this time you will be presented with a list of namespaces of which bill is an administrator (only "trident" in our example). Select trident from the list to edit the privileges bill has for that namespace. You will see that bill currently has no privileges in the trident namespace. You can enable individual privileges by selecting the check-box associated with the privilege.
In our example, we want bill to be able to manage users
and user groups within the trident namespace. To achieve our goal, select
"User Management" and "Group Member Management" from the list. Your screen
should look like the screen shot below. Bill could now run the w3-auth
program and add users to the Trident namespace.
We have stated that bill can manage the users of the trident
namespace but that is all. There are other operations that need to be performed
on the namespace that bill is not allowed to do (such as defining a secure
area). As bambi is the system administrator, it is up to him to perform
these tasks. Currently, bambi has no privileges for the trident namespace.
To enable them, use the Namespace Management option from the SuperUser
menu to edit the definition of the trident namespace and add bambi as a
Once that is complete, use the Privilege Management option to edit bambi?s privileges for the trident namespace and enable all privileges. Now that bambi has permission to modify the trident namespace, return to the main menu and enter the trident namespace (it will now be visible to bambi as he is listed as an administrator).
The Authentication Management menu shown on the next page will be displayed in your browser. Before we can proceed much further we must define a couple of user groups. User groups are used in the definition of the access control to define which users defined in the namespace have access to the secure area.
In our example we want to define two groups, a general user group and an admin group. To do this select the Group Management option and add a group called "users" with bill as the administrator. Repeat the process and create another group called "admin" also with bill as the administrator. Even though bill was given group member management privileges, he can only manage group members in groups for which he is defined as an administrator.
Once the groups are created we can define the secure area for our W3-mSQL based application. Our application offers two classes of access. Primarily, the application allows a general user to query the data contained in the database. Secondly, it offers a set of pages that allow the database to be modified. The main application is installed in a directory called /trident in our web document tree (i.e. http://your.host/trident) while the administrative pages are located in /trident/admin. We wish to view these as separate areas in terms of access control even though they are part of the same application. A general user will be allowed to access the query pages but only a restricted set of users will be allowed to access the administrative pages.
To tighten the security even further, we have decided to incorporate host based access control as well. Access to the administrative pages should only be granted if the access request comes from a machine in our domain (Hughes.com.au) regardless of the identity of the user attempting the access.
Now that we have decided the access control policy for our application, implementing it is as easy as clicking the mouse a few times. To start the process we must enter the trident namespace from the main menu and select Area Management from the Authentication Management menu. The area management facility provides the same familiar interface as the other management options. To create the new area we simply select the Add option and click Execute. We will be prompted for an area name, an area URL and some access control options. For this example we will create the general access area first and give it a name of "Trident User". The URL field requires only the path element of the URL, not the entire URL. In this case we would specify /trident as the URL.
The next step is to add the access control elements to the area definition. The area definition screen is shown below. The form shown on the screen allows us to specify up to five elements to the access control list for the area. By default, each element is flagged as being Inactive. To enable an element, simply change the Index value from Inactive to the numeric value on the menu. You should define access control elements from the top of the list without leaving any inactive elements between active elements so simply activate the first element for this example.
For our example we want to allow access to the area to anyone in the "users" group. Unlike the admin area, we are not going to place any restriction on the originating host of the connection. To achieve this configuration we simply select the "users" group from the group menu and set the host field to * (indicating any host). The complete form is shown below.
The access control field of the element can contain either a hostname based expression or an IP address based expression (including a wildcard in either form of expression). To restrict access to only machines in the Hughes.com.au domain (as decided was the policy for the admin section), we would set the value of the Access Control field to *.Hughes.com.au. Similarly, if we wished to restrict access to machines on a particular IP subnet, we could use something like 192.168.1.*
In a similar manner, we could allow access to any person if they are coming from a specified location. To do this, simply leave the Access Group as "** Public **" and set the Access Control to the correct hostname of IP address expression. In such a configuration, the user will only be prompted for a username and password if they attempt to access the pages from a machine not matching the Access Control expression. If we activate no other Access Control elements, the user would always be rejected as no user groups were specified in the Access Control Elements.
By using a combination of access control elements we can achieve very fine-grained control over who accesses the pages. If, for example, there was a group of people at a remote location that required access to the pages from their company network (foo.com), you could define a new group called remote and activate a second access control element with an access group of remote and an access control of *.foo.com. Such a configuration would allow access if the connection attempt matched either of the entries.
Once the Trident User area has been created the process should be repeated for the Trident Admin area. For the admin area, we would define the URL as /trident/admin and set a single Access Control element setting the Access Group to "admin" and the Access Control to *.Hughes.om.au.
The only remaining task is the creation of the actual users: "fred" and "john" in our example. The responsibility for user management was assigned to "bill" and his privileges were set so that he could create users and also add users to groups (group member management). Bill can now complete the job by accessing the W3-Auth program, entering the trident namespace, and using the User Management and Group Member Management menu options. If either of the new users is allowed to access the admin features of our application then they should be added to the "admin" group as well as the normal "users" group. Simply adding them to the admin group will provide them access to the admin pages.
A final note to remember about W3-Auth access control is that access control must be enabled on a per directory basis. To enable access control you must create a file called ".w3-auth" in every directory within the area that is to be protected. The reason for this requirement is to boost performance. W3-mSQL simply checks for the file while it is loading the requested page. If the file exists, it then starts querying the database for W3-Auth configuration details and trying to match the requested URL with an area definition. If the directory is not being covered by W3-Auth this is a waste of valuable time.