The paradigm for the Internet is that of a client-server relationship where Internet clients communicate with Internet servers. In a client-server relationship, a client (e.g. a web browser) communicates with a web server via a communications network, such as the Internet or a private Intranet. The web browser communicates with the web server using the Transmission Control Protocol/Internet Protocol (TCP/IP). For the majority of Internet communications a web browser communicates with a web server using the generic Hyper-Text Transfer Protocol (HTTP) which is transmitted between the web browser and the web server over the TCP/IP link between the web browser and the web server. HTTP transactions are short-lived. A TCP connection is established for each client request. The serer does not maintain any state information about clients. The actual data transferred between the web browser and the web server are HTTP data objects (e.g. Hyper-Text Markup Language (HTML) data). Oftentimes, a web server in an Intranet will serve the dual role of a proxy server and route requests from Intranet web browsers to Internet web servers.
Standard web content consists of static HTML pages. It is sometimes desirable to provide a client with dynamically created customized HTML pages. For example, it may be desirable to execute a program on a web server that searches a database, formats the search results, and transmits the search results to the client for display to the user. A mechanism for doing this and other interactive functions is called Common Gateway Interface (CGI). CGI is a standard that allows clients to interface with various applications via web servers. A web server processes a client CGI request using a CGI script or application. For example, when a database is queried by a client, the web server acts as a gateway between the database and the client. The web server transmits the client request to a CGI application that performs the database query, formats the results and returns HTML-formatted data to the web server. The web server then transmits the HTMLformatted data to the client for display to the user.
CGI applications which perform sensitive or commercial tasks are typically stored within a secure directory tree of a web server and access to the directory tree is controlled for security reasons. Typically, CGI access control is not performed at the CGI level, but rather, uses standard HTTP-layer authentication, which is implemented in a non-standard, web server-specific and operating system-specific fashion. HTTP-layer authentication typically requires HTTP challenge/response requests between a client and web server for any file in a secured directory tree on the web server. Challenge/response typically requires a user name and password from the client which is then validated by a web server specific or operating system specific security mechanism to provide user level access control to CGI applications at the HTTP layer. Because the location of directory trees and their security configurations can vary from server to server, Web server administrators using CGI applications need to be familiar with the administration of each type of web server hosting a CGI application. In a heterogeneous computing environment, which is common in both small and large enterprises, this is difficult because web server administration and security mechanisms typically vary from server to server and from operating system to operating system.
Nonuniform web server administration and security also pose a problem to developers of CGI applications such as web based user interfaces and management tools which target different brands of web servers on one or more operating systems. Such software typically has its own product security mechanism for user level access control. obtaining user name and password information by a CGI application from a web server which acquired it via HTTP challenge/response is server specific and typically involves writing additional software which is loaded by the web server and must communicate with the CGI. Application programming interfaces (APIs) are provided by web servers for this and other purposes.
Examples of APIs include ICAPI for the IBM Internet Connection server, NSAPI for the Netscape Suitespot web server, and ISAPI for the Microsoft Internet Information Server. Server API programming is not viable for CGI application providers wishing to be usable by any web server on any operating system.
Nontrivial CGI software is typically a collection of CGI applications. User level access security for multiple CGIs using HTTP authentication is achieved by placing all the CGIs in a common file directory, and the web server configuration is modified to make this directory secure. When HTTP authentication is not used, each CGI must have its own security mechanism to obtain and validate usernames and passwords when user level access control is desired. Client authentication is required for each CGI request.