User Authentication htpasswd plugin

The htpasswd plugin uses an encrypted password file to authenticate a user and to determine whether the user is a member of any group that is permitted to access a particular resource.

As with any plugin, you must update the c8-server.conf configuration file to specify information about the plugin. The excerpt below, from the default c8-server.conf file, shows the preferences used by the htpasswd plugin: the 4 standard preferences (LibraryName, InitializeFunction, AuthenticateFunction, and ShutdownFunction) and 2 custom preferences (PasswordFilePath and GroupFilePath).

<section name="Plugin">
  <preference name="LibraryName" 
     value="c8_server_plugins_lib"/>
  <preference name="InitializeFunction"  
     value="c8_auth_plugin_htpasswd_initialize"/>
  <preference name="AuthenticateFunction"  
     value="c8_auth_plugin_htpasswd_authenticate"/>
  <preference name="ShutdownFunction"  
     value="c8_auth_plugin_htpasswd_shutdown"/>
  <preference name="PasswordFilePath"  
     value="C:\Program Files\SybaseC8\Server/conf/htpasswd.txt"/>
  <preference name="GroupFilePath"  
     value="C:\Program Files\SybaseC8\Server/conf/htgroup.txt"/>
</section>

The initialize and shutdown functions perform just as described in Plugins.

The AuthenticateFunction corresponds to the execute() function described in Plugins; this function is called each time a user gives her username and password in order to access a resource, such as a stream.

The custom entry PasswordFilePath specifies the file containing the pairs of usernames and passwords that the plugin uses to determine whether a user is who he or she claims to be.

Finally, the custom entry GroupFilePath specifies the file that lists the groups that each user is in. This is used when the ACL file permits or denies privileges to particular groups.

For example, suppose that you have multiple system administrators and want to create a group named "SysAdmins" whose members are all allowed to create or destroy workspaces. To do this, perform the following actions:

  1. In the ACL file (named c8-acl.xml by default), enter information similar to the following:
    <!-- Permit members of the group "SysAdmins" to
         create and destroy workspaces -->
    <Rule RuleId="SysadminWorkspaceRul1" Effect="Permit">
      <Target>
        <Subjects>
          <!-- Any member of the "SysAdmins" group. -->
          <Group>SysAdmins</Group>
        </Subjects>
        <Resources>
          <!-- Any workspace name. (".*" is a regular
               expression that indicates any sequence of
               characters; in other words, any name.) -->
          <Workspace>.*</Workspace>
        </Resources>
        <Actions>
          <CreateDestroy/>
          <GetStatus/>
        </Actions>
      </Target>
    </Rule>
    

    Group names, host names, and user names are not case-sensitive. Values may be regular expressions. In the example above, the "." represents any character, and the "*" is a repeat indicator which indicates that there may be any number of these characters.

  2. In the groups file (we specified htgroup.txt in the GroupFilePath preference in the c8-server.conf file), enter at least the following:
    SysAdmins:jsmith
    

    You can specify more than one member of a group, using the comma as a separator, for example:

    SysAdmins:jsmith,pjones,andrews
    
  3. Add an entry to the htpasswd.txt file, which is specified in the PasswordFilePath preference of the c8-server.conf file. The password in this file must be encrypted using MD5 format. Use Apache's 'htpasswd -m' command to create htpasswd records. For example:
    # Create a new htpasswd.txt file with a user named "root"
    # whose password is "carrot".
    htpasswd -bcm ./htpasswd.txt root carrot
    # Add user jsmith with password "taro9" to the htpasswd.txt file.
    htpasswd -bm ./htpasswd.txt jsmith taro9
    

    Note that the htgroup.txt file is a "plain text" file; no part of it is encrypted.

    When a user attempts to create a new workspace, the following will happen:
    • The user starts Studio and attempts to add a new workspace.
    • The user enters the appropriate username and password when prompted.
    • The server reads the server configuration file, which specifies the htpasswd plugin, and calls the function specified in the AuthenticateFunction preference, passing it the ID and password the user has entered.
    • The plugin first encrypts the password and then looks in the htpasswd.txt file to determine whether the encrypted password matches the password in the file. The plugin then returns a value indicating that the user has been authenticated.
    • The server then retrieves the ACL file and sees that, although there is no rule explicitly permitting the user to create a workspace, the group "SysAdmins" is permitted to create a workspace.
    • The server then looks in the htgroup.txt file and sees that the user is a member of the group "SysAdmins".
    • The server then allows the authenticated user to create a new workspace.
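
The last three steps of the flow above (ACL lookup, group lookup, decision), as an added Python example that is not the server's or the plugin's own code. It assumes the user has already been authenticated, that an ACL pattern must match the whole value, and that a request not covered by the Permit rule is refused; the function names and the sample inputs are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample inputs mirroring the files shown on this page.
ACL_XML = """
<Rule RuleId="SysadminWorkspaceRul1" Effect="Permit">
  <Target>
    <Subjects><Group>SysAdmins</Group></Subjects>
    <Resources><Workspace>.*</Workspace></Resources>
    <Actions><CreateDestroy/><GetStatus/></Actions>
  </Target>
</Rule>
"""
HTGROUP_TXT = "SysAdmins:jsmith,pjones,andrews\n"

def parse_groups(text):
    """Map lower-cased group name -> set of lower-cased member names."""
    groups = {}
    for line in text.splitlines():
        if ":" not in line:
            continue  # blank or malformed line: no group to record
        name, members = line.split(":", 1)
        groups.setdefault(name.strip().lower(), set()).update(
            m.strip().lower() for m in members.split(",") if m.strip())
    return groups

def matches(pattern, value):
    # Assumption: a pattern must match the whole value. Names are compared
    # case-insensitively, as the page states for group, host and user names.
    return re.fullmatch(pattern, value, re.IGNORECASE) is not None

def is_permitted(rule_xml, groups, user, action, workspace):
    """True only if the Permit rule covers the user's group, the workspace and the action."""
    rule = ET.fromstring(rule_xml)
    if rule.get("Effect") != "Permit":
        return False
    target = rule.find("Target")
    user_groups = [g for g, members in groups.items() if user.lower() in members]
    group_ok = any(matches(p.text, g)
                   for p in target.findall("Subjects/Group") for g in user_groups)
    resource_ok = any(matches(p.text, workspace)
                      for p in target.findall("Resources/Workspace"))
    actions = target.find("Actions")
    action_ok = actions is not None and any(a.tag == action for a in actions)
    return group_ok and resource_ok and action_ok
```

Because the group file is plain text and decides who inherits the rule, write access to htgroup.txt deserves the same restriction as write access to the ACL file itself.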