More granular access rights management for the web server

I like the web server idea, but I would like to see more granularity in the access right management, than just a username/password combo against the whole web server itself.

I don’t know if this is scheduled (or not) in a future version, but would it be possible to give control against individual databases, groups, … with usernames and groups?

From what I understand (not using the web server much right now), the server uses HTTP authentication to control access to the server… so theoretically at least you could have file-level granularity. Improvements to the web engine are (IMHO) going to be required when people start clamoring for things like upload and edit support… which already exist to some degree.

But in reality, I think it’s going to be a lot of work. I’m not affiliated and can’t speak for DEVONtechnologies’ priorities, of course, but it implies a lot of coding and interface work just to manage the groups and users, much less the actual security work itself.

We have, of course, plans for this but we will definitely not get it done for 2.0 final 🙂

Thank you for the reply, will you also implement HTTPS?

I like the web server feature and find it very useful, however as it is Internet-facing (my usage), I’m a bit concerned about its inherent security - i.e. man-in-the-middle attacks, sniffing et al. that could compromise the security/integrity of the hosted content.

Will you go through the trouble of purchasing a real SSL certificate? There are numerous discussions regarding the security of web transactions with self-signed certificates. None of this is trivial to implement nor to use properly so we’re looking into the options but if you want to be “completely” secure now, use tunneling through ssh or a VPN.

I don’t have a problem with using a self-signed SSL certificate, it’s for limited use in terms of people, and I don’t need non-repudiation or 3rd-party “trust” for example.

I do need to be able to communicate with it through standard HTTP/HTTPS though, as VPNs or SSH are not allowed and/or filtered on many “on site” locations where the content is to be accessed.

At any rate, this could be offered as an optional choice, no?