Realms provide a much greater level of security than Allow/Deny. Using realms you can restrict access to a single document or a group of documents, requiring a username and password. A realm is defined by a string of characters that is matched against the files clients request. For instance, if a realm's match string is "admin", every file whose URL contains the characters "admin" is considered to be in the realm. Any client that attempts to access a file in the realm is prompted for a username and password.

The Configure Realms Dialog

Providing security using realms is a two-step process: first define the realm, then add the usernames and passwords associated with the realm.

To define the realm, choose "Configure Server..." from the Control menu and select the "Realms" icon. Quid Pro Quo displays the list of currently defined realms; when Quid Pro Quo is first installed, there are none. To add a realm, click the "New" button. A dialog box appears, prompting you for a name for the realm and a match string. The match string is the sequence of characters that Quid Pro Quo attempts to match against client file requests. The realm name is used to associate the realm with its usernames and passwords.

For example, suppose you want to limit access to certain administrative files. Create a new realm and give it the name "Administration" (this name is arbitrary; you could name it anything you like). For the match string, enter "admin". Now every file with the characters "admin" in its URL is considered part of the Administration realm. The URLs

http://www.yoursite.com/administrate.html

and

http://www.yoursite.com/adminfiles/default.html

are both in the Administration realm.

Now you must add a username and password for this realm. In the configure dialog, select the "Passwords" icon. A list of usernames and realms appears. Click the "New" button to add a password. As with the realm, this brings up a dialog box. Enter the username and password in the text fields provided, and choose the name of the realm (in this example, "Administration") from the pop-up menu. From now on, any client requesting a URL that contains "admin" must supply the username and password you specified. All other requests receive the file you have specified as your "Permission Denied" file in the Default Files panel of the configure dialog.
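The procedure above, modelled as an added example (not Quid Pro Quo's own code): a realm is a plain substring match against the requested URL, and a request in a realm is either challenged, served, or answered with the Permission Denied file. The realm and password entries, the file name "denied.html", and the use of HTTP Basic credentials for the username/password prompt are assumptions made for the example.

```python
import base64
from typing import Optional, Tuple

# Constructed sample configuration mirroring the tutorial's example:
# (realm name, match string) as entered in the Realms panel.
REALMS = [("Administration", "admin")]
# (username, password, realm name) as entered in the Passwords panel.
PASSWORDS = [("webmaster", "s3cret", "Administration")]
# Assumed name of the file chosen as "Permission Denied" in Default Files.
PERMISSION_DENIED_FILE = "denied.html"


def realm_for(url: str) -> Optional[str]:
    """Name of the first realm whose match string occurs anywhere in the URL.
    A plain substring test: "admin" also captures /sports/badminton.html."""
    for name, match in REALMS:
        if match in url:
            return name
    return None


def basic_header(username: str, password: str) -> str:
    """Build the Authorization value a browser sends after the password prompt."""
    token = base64.b64encode(f"{username}:{password}".encode("latin-1")).decode("ascii")
    return "Basic " + token


def parse_basic_auth(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Decode 'Basic <base64(user:pass)>'; return None for anything malformed."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(header[6:], validate=True).decode("latin-1")
    except ValueError:
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def serve(url: str, authorization: Optional[str] = None) -> Tuple[str, str]:
    """Decide what the server sends back: (status line, file or challenge)."""
    filename = url.rsplit("/", 1)[-1]
    realm = realm_for(url)
    if realm is None:
        return ("200 OK", filename)                     # not in any realm
    creds = parse_basic_auth(authorization)
    if creds is None:
        # No usable credentials yet: challenge so the browser prompts the user.
        return ("401 Unauthorized", f'Basic realm="{realm}"')
    if (creds[0], creds[1], realm) in PASSWORDS:
        return ("200 OK", filename)
    return ("403 Forbidden", PERMISSION_DENIED_FILE)   # wrong user/password
```

Note that because matching is a substring test, a short match string such as "admin" also sweeps unrelated URLs like /sports/badminton.html into the realm; choose match strings that only occur in the paths you intend to protect.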

Security Considerations

Quid Pro Quo implements version 1.0 of the HTTP protocol (the current version). This version of the protocol offers very limited security. The protocol provides the basic username/password scheme on which realms are built. This does a good job of keeping unwanted visitors from accessing your private documents, but it does not protect those documents during transmission. Files transmitted between Quid Pro Quo and the client browser are sent in plaintext form, and the username and password the client supplies travel unencrypted in the same way. This allows an attacker situated between the client and server to intercept sensitive documents, even without password access to your secure realm.

Send questions and comments to me, Chris Hawk
