FortiWeb 5.0 Patch 6 Administration Guide (Fortinet), page 221
Users
On FortiWeb, user accounts do not log in to the administrative web UI.
Instead, they are used to add HTTP-based authentication and authorize each request from
clients that are connecting through FortiWeb to your protected web servers.
Best practices dictate that each person accessing your web sites should have his or her own
account so that security audits can reliably associate a login event with a specific person.
Accounts should be restricted to URLs for which they are authorized. Authorization may be
derived from a person’s role in the organization.
For example, a CFO would reasonably have access to all financial data, but a manufacturing
technician usually should not. Such segregation of duties in financial regulation schemes often
translates to role-based access control (RBAC) in information systems, which you can
implement through FortiWeb’s HTTP authentication and authorization rules.
For instructions, see “Offloading HTTP authentication & authorization” on page 225.
See also
Authentication styles
Offloading HTTP authentication & authorization
Example: Enforcing complex passwords
Authentication styles
Multiple different methods exist for end-users to authenticate with web sites. These methods
have different appearances and features.
Via the “Authorization:” header in the HTTP/HTTPS protocol
The HTTP/HTTPS protocol itself (RFC 2617, since superseded by RFC 7235 for the framework and
RFC 7617 for the Basic scheme; RFC 2965 covers cookies, not authentication) supports simple
authentication via the Authorization: and WWW-Authenticate: fields in HTTP headers.
When a web site requires authentication in order to authorize access to a URL, it replies with an
HTTP 401 Unauthorized response (some servers, such as Apache, label it “Authorization
Required”) carrying a WWW-Authenticate: header that names the scheme and realm. This elicits a
credential prompt from the web browser, which then resends the request with an Authorization:
header. Basic credentials are only base64-encoded, not encrypted, so this style should be used
only over HTTPS.
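The following is an added example, not code from the FortiWeb guide or from Fortinet. It models the two pieces described above in one place: the 401 / WWW-Authenticate / Authorization: exchange of HTTP Basic authentication, and the role-based URL authorization (CFO versus manufacturing technician) from the “Users” section. The user store, realm, roles, passwords and URL rules are all constructed for illustration; a real deployment would hold these in FortiWeb’s user groups and authorization rules, not in Python dictionaries.

```python
import base64
import binascii
import hashlib
import hmac

# Constructed sample user store (example only, not FortiWeb's).
# Passwords are kept as salted PBKDF2 hashes; roles drive URL authorization.
def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 50_000)

_SALT_CFO = b"cfo-salt-0000000"
_SALT_TECH = b"tech-salt-000000"
USERS = {
    "cfo": {"salt": _SALT_CFO, "hash": _pbkdf2("Fin@nce-2014", _SALT_CFO),
            "roles": {"finance", "staff"}},
    "tech": {"salt": _SALT_TECH, "hash": _pbkdf2("Plant-floor-7", _SALT_TECH),
             "roles": {"staff"}},
}

# Hypothetical authorization rules: URL prefix -> roles allowed there.
# The longest matching prefix wins, so /finance/ is stricter than /.
RULES = [
    ("/finance/", {"finance"}),
    ("/", {"staff"}),
]
REALM = "example.com"  # assumed realm name


def basic_header(user: str, password: str) -> str:
    """Build the Authorization: value a browser sends after the 401 prompt."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")


def parse_basic(authorization):
    """Return (user, password) from an 'Authorization: Basic ...' value, or None if malformed."""
    if authorization is None:
        return None
    scheme, _, param = authorization.strip().partition(" ")
    if scheme.lower() != "basic" or not param:
        return None
    try:
        decoded = base64.b64decode(param.strip(), validate=True).decode("utf-8")
    except (binascii.Error, ValueError):
        return None
    user, sep, password = decoded.partition(":")  # RFC 7617: user-id ":" password
    if not sep or not user:
        return None
    return user, password


def authenticate(user: str, password: str) -> bool:
    """Verify credentials in constant time; unknown users still pay the PBKDF2 cost."""
    record = USERS.get(user)
    salt = record["salt"] if record else b"dummy-salt-00000"
    expected = record["hash"] if record else b"\x00" * 32
    ok = hmac.compare_digest(_pbkdf2(password, salt), expected)
    return ok and record is not None


def authorize(user: str, path: str) -> bool:
    """RBAC check: does any of the user's roles permit the most specific matching prefix?"""
    roles = USERS[user]["roles"]
    for prefix, allowed in sorted(RULES, key=lambda rule: -len(rule[0])):
        if path.startswith(prefix):
            return bool(roles & allowed)
    return False


def handle_request(method: str, path: str, headers: dict):
    """Act as the authentication layer in front of the origin server.

    Returns (status, response_headers). 401 challenges for missing or bad credentials,
    403 denies an authenticated user the rule does not permit, 200 lets the request through.
    """
    creds = parse_basic(headers.get("Authorization"))
    if creds is None or not authenticate(*creds):
        return 401, {"WWW-Authenticate": f'Basic realm="{REALM}", charset="UTF-8"'}
    user = creds[0]
    if not authorize(user, path):
        return 403, {}
    return 200, {"X-Authenticated-User": user}


if __name__ == "__main__":
    # First request carries no credentials: the server challenges.
    print(handle_request("GET", "/finance/q3.xlsx", {}))
    # The browser prompts, then resends with the CFO's credentials: allowed.
    print(handle_request("GET", "/finance/q3.xlsx", {"Authorization": basic_header("cfo", "Fin@nce-2014")}))
    # The technician authenticates fine but is not in the finance role: denied.
    print(handle_request("GET", "/finance/q3.xlsx", {"Authorization": basic_header("tech", "Plant-floor-7")}))
```

The distinction between 401 and 403 matters for audit: a 401 means the request was never tied to an account, while a 403 records which authenticated person attempted a URL they were not authorized for, which is exactly the per-person attribution the “Users” section asks for.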
User authentication is not supported in all operation modes. See “Supported features in each
operation mode” on page 62.