Chapter 7. Program-Based Authentication

Table of Contents
7.1. Connect
7.2. Authenticate
7.3. Disconnect
7.4. Cookies, ConnectionTags, and SessionIDs
7.5. Example Response

One of the most powerful features in Typhoon, Twister, and Tornado Back End is program-based authentication. Using this feature, you can have enterprise-wide control over server access, capacity, and usage patterns. In addition, you can leverage whatever existing authentication resources you already have in place. Since the authentication program is external, it can maintain database connections and use time of day, system load, or any other data at its disposal to dynamically allow, deny, or implement different policies of access and authentication at any time.

Program-based authentication gives you dynamic control over who can connect and whether they must authenticate, and lets you override many of the directives in your feeds.conf file on the fly, on a per-user basis.

On startup, for every AuthenticationProgram directive found in feeds.conf, the server will start the named program and attach to its "stdin" and "stdout". Feed objects that have the same value of the AuthenticationProgram directive will share the same instance of the program. That is, Typhoon, Twister, and Tornado Back End will start ONE instance for every unique value found in the AuthenticationProgram fields of the feeds.conf file.

Typhoon, Twister, and Tornado Back End communicate with the authentication program by writing data to its "stdin" and reading data from its "stdout". The server sends all data in "Field: value\r\n" format. This data is terminated by ".\r\n" on a line by itself.

The authentication program is responsible for responding to 3 types of requests:

7.1. Connect

For example, when the host "browser.company.com" connects, the following will be sent to the authentication program:

	Action: connect\r\n
	Version: server-version-string\r\n
	Interface: 10.0.0.3\r\n
	Cookie: empty\r\n
	ConnectionTag: -\r\n
	Hostname: browser.company.com\r\n
	IPAddress: 10.0.0.1\r\n
	SessionID: session\r\n
	IncomingFeedName: value\r\n
	Subscription: value\r\n
	FilterSubscription: value\r\n
	AllowReading: value\r\n
	AllowFeeding: value\r\n
	AllowPosting: value\r\n
	AllowNewNews: value\r\n
	SendXrefInOverviews: value\r\n
	WelcomeMessage: value\r\n
	XComplaintsTo: value\r\n
	Organization: value\r\n
	ForceOrganization: value\r\n
	TimeOut: value\r\n
	HostConnectionLimit: value\r\n
	MaxIncomingNumberOfStreams: value\r\n
	.\r\n

The string "value" will be replaced by the appropriate value from the appropriate feed object.

Typhoon, Twister, and Tornado Back End expect one of three 5-byte responses to this request, followed by optional "Field: value\r\n" lines that may be used to override the values provided by the feed object. Finally, the response should be terminated by the 3-byte response ".\r\n".

  • 200\r\n - Allows the host to connect without authentication.

  • 480\r\n - Allows the host to connect but REQUIRES that the host authenticate with a username/password.

  • 502\r\n - Does NOT allow the host to connect.

In the response to the connect action, you can override Cookie, ConnectionTag, AllowFeeding, AllowReading, AllowPosting, AllowNewNews, SendXrefInOverviews, WelcomeMessage, XComplaintsTo, Organization, ForceOrganization, Timeout, Subscription, and FilterSubscription. The WelcomeMessage can be overridden for any of the responses.
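
The connect exchange from the authentication program's side, as an added example that is not part of the product's own code or documentation. The function names, the address policy (TRUSTED_NET, BLOCKED_NET), and the choice to answer 502 to any request that cannot be parsed are assumptions made for illustration.

```python
import ipaddress

# Fields the page lists as overridable in a connect response.
OVERRIDABLE = set("""Cookie ConnectionTag AllowFeeding AllowReading AllowPosting
    AllowNewNews SendXrefInOverviews WelcomeMessage XComplaintsTo Organization
    ForceOrganization Timeout Subscription FilterSubscription""".split())
TRUSTED_NET = ipaddress.ip_network("10.0.0.0/8")    # assumed site policy
BLOCKED_NET = ipaddress.ip_network("192.0.2.0/24")  # assumed site policy

def parse_request(raw):
    """Parse 'Field: value' lines up to the '.' terminator line."""
    fields = {}
    for line in raw.split("\r\n"):
        if line == ".":
            return fields
        name, sep, value = line.partition(":")
        if not sep or not name:
            raise ValueError("malformed line: %r" % line)
        fields[name] = value.strip()
    raise ValueError("request not terminated by '.'")

def decide_connect(fields):
    """Return (code, overrides); raises ValueError on a bad IPAddress."""
    addr = ipaddress.ip_address(fields.get("IPAddress", ""))
    if addr in BLOCKED_NET:
        return "502", {"WelcomeMessage": "Access denied"}
    if addr in TRUSTED_NET:
        return "200", {}
    return "480", {"WelcomeMessage": "Authentication required"}

def build_response(code, overrides=None):
    """Serialize the 5-byte status, override lines and the terminator."""
    lines = [code]
    for name, value in (overrides or {}).items():
        # CR/LF in a value could inject fields or an early terminator.
        if name not in OVERRIDABLE or "\r" in value or "\n" in value:
            raise ValueError("unsafe override: %r" % name)
        lines.append("%s: %s" % (name, value))
    return "\r\n".join(lines + ["."]) + "\r\n"

def handle_connect(raw):
    """Answer one connect request; anything unparsable gets 502."""
    try:
        return build_response(*decide_connect(parse_request(raw)))
    except ValueError:
        return build_response("502")

SAMPLE = ("Action: connect\r\nHostname: browser.company.com\r\n"
          "IPAddress: 10.0.0.1\r\n.\r\n")  # constructed sample request
```

A deployed program would read each request from stdin and flush stdout after writing every response, because the server is blocked on the pipe until the terminator arrives.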