vWrite your own separate authorization and authentication application functions.
In your configuration file, use both the Authorization and the Authentication
directives to specify these functions. Be sure to include HTTPD_authenticate() in
your authorization application function.
When the Authorization step is run, it performs your authorization application
function which, in turn, calls your authentication application function.
vWrite your own authorization application function but have it call the default
server authentication. In your configuration file, use the Authorization directive
to specify your function. In this case, you will not need the Authenticate
directive. Be sure to include HTTPD_authenticate() in your authorization
application function.
When the Authorization step is run, it performs your authorization application
function which, in turn, calls the default server authentication.
vWrite your own authorization application function and include all your
authentication processing right into it. Do not use HTTPD_authenticate() in your
authorization application function. In your configuration file, use the
Authorization directive to specify your function. In this case, you will not need
the Authentication directive.
When the Authentication step is run, it performs your authorization application
function and any authentication it included.
If your Server API application does not provide its own authorization process,
you can still provide customized authentication.
If your Server API application does not provide its own authorization process, you
can still provide customized authentication. To do this, write your own
authentication application function. In your configuration file, use the
Authentication directives to specify your function. In this case, you do not need
the Authorization directive.
Notes:
1. If you do not have any Authorization directives in your configuration file, or
their specified application functions decline to handle the request, the servers
default authorization will occur.
2. If you do have Authorization directives in your configuration file and their
application functions include HTTPD_authenticate(), the server calls any
authentication functions specified in the Authentication directives. If you do not
have any Authentication directives defined, or their specified application
functions decline to handle the request, the servers default authentication will
occur.
3. If you do have Authorization directives in your configuration file but their
application functions do not include HTTPD_authenticate(), no authentication
functions will be called by the server. Youmust code your own authentication
processing as part of your authorization application functions or make your
own calls to other authentication modules.
4. The IBM HTTP Server automatically generates the challenge (by prompting the
browser to return user ID and password) if you return 401 or 407 from your
authorization exit. However, you must still configure a protection setup so that
this will occur correctly.
Environment variables
You can use environment variables in the predefined functions HTTPD_extract()
and HTTPD_set(). They represent values you can extract from a client request or
Chapter7. Writing Server API programs 123