Web Authentication

 

Web authentication can be classified into 3 categories:

 

Administrator

 

The directory specified by the key HttpSysDir in app.ini can be accessed by the administrator only. The default directory is "sys", which runs the system configuration web interface.

 

 

[System]
HttpDir=/flash/www
HttpSysDir=sys
HttpAppDir=demo
User=admin
Password=
PasswordAlt=

 

The user and password must match the ones in the [System] section. The key PasswordAlt, if set, can be used as an alternative administrator password during web login. It is used by the HTTP server only and does not work in FTP, Telnet or other system services.

 

 

Application

 

The directory specified by the key HttpAppDir in app.ini can be accessed by application-controlled accounts. The HTTP server asks users for authentication but does not validate it; instead, it passes the authentication data to applications through the environment variables "REMOTE_USER" and "REMOTE_PASSWORD". With this authentication information, CGI programs can set up the privilege level for each individual user.

 

 

In a CGI program, the following code retrieves the user information:

 

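#include <stdlib.h>   /* getenv */

/* getenv returns NULL when the variable is not set; check before use */
char *user = getenv("REMOTE_USER");
char *pwd = getenv("REMOTE_PASSWORD");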

 

Since the HTTP server does not block any file access, critical data such as user-password files should not be put under the /flash/www directory. Instead, they should be saved in other directories that cannot be accessed from the web (e.g. /flash/data). Critical data is then protected and can be accessed only indirectly, through CGI programs.
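
The following CGI program is an added example, not code from the original page or the product: it validates REMOTE_USER and REMOTE_PASSWORD against an account file kept under /flash/data and derives a privilege level, denying access when a variable is unset or empty. The file name users.txt, its user:password:level format (plaintext for brevity; a deployment would store salted hashes) and the function names are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical account file outside HttpDir, so the server never serves it.
   Constructed format, one account per line: user:password:level */
#define USER_FILE "/flash/data/users.txt"

/* Compare every byte so timing does not reveal where the mismatch is. */
static int same_secret(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b), i;
    unsigned char diff = (unsigned char)(la != lb);
    for (i = 0; i < la; i++)
        diff |= (unsigned char)(a[i] ^ b[lb ? i % lb : 0]);
    return diff == 0;
}

/* Check one account line (modified in place); level >= 1 on match, else 0. */
int match_account(char *line, const char *user, const char *pwd)
{
    char *p, *l;
    int level;
    if (!user || !pwd || !*user || !*pwd)
        return 0;                       /* unset or empty variable: deny */
    line[strcspn(line, "\r\n")] = '\0';
    if ((p = strchr(line, ':')) == NULL) return 0;
    *p++ = '\0';
    if ((l = strrchr(p, ':')) == NULL) return 0;  /* password may hold ':' */
    *l++ = '\0';
    if (strcmp(line, user) != 0 || !same_secret(pwd, p)) return 0;
    level = atoi(l);
    return level > 0 ? level : 0;
}

int main(void)
{
    char line[128];
    int level = 0;
    FILE *fp = fopen(USER_FILE, "r");   /* missing file: everyone is denied */
    while (fp && level == 0 && fgets(line, sizeof line, fp))
        level = match_account(line, getenv("REMOTE_USER"),
                              getenv("REMOTE_PASSWORD"));
    if (fp) fclose(fp);
    printf("Content-Type: text/plain\r\n\r\n");   /* standard CGI header */
    if (level) printf("Privilege level %d\n", level);
    else printf("Access denied\n");
    return 0;
}
```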

 

 

Public

 

All other directories are publicly accessible. No authentication is requested.