
This topic is 6554 days old. Please don't post here. Open a new topic instead.


Posted (edited)

I have one rather large and complex company database. From this one db, I intend on hosting 2 secured sites (meaning user name and password protected using Filemaker's internal security and CWP) and also augmenting another portion of the website with non-sensitive, non protected data.

Obviously, the non-sensitive stuff need not have the user enter a user name and password. Those web visitors should be completely free to view the information represented on those pages unencumbered.

So to this effect, I have created all the user names and passwords for the 2 "secured" sites and I am left only to set privileges for the non secure site. But when I turn on "Guest" access and set it to my user-defined privilege set (which allows only viewing of a VERY NARROW set of fields, viewing of only one layout and no valuelists or scripts and access over only XML and XSLT) the secured portion becomes completely open and no longer does the browser to those sites request a user name and password.

I do nothing but disable the guest account and all returns to normal wherein the browser DOES ask for user name and password for the protected sites.

Am I to take it from this that, if the GUEST account is active, it takes precedence over the other more restrictive accounts? (MORE INFO: Although I'm not sure I understand the whole "authentication order" thing, I have dragged the GUEST account to the bottom of the list of accounts. It was at the top. And to no avail.)

Is there a way to host password protected data and anonymous access data from the same database? The DEFINE ACCOUNTS & PRIVILEGES seems to indicate so but it doesn't work for me...

Thanks in advance.

Edited by Guest
Posted

Custom Web Publishing utilizes Basic HTTP authentication and what you are seeing is a by-product of that. You can create two entirely different Privilege Sets, one restricted and the other not. Set the Guest Account's Privilege Set to be the restricted Account. Set up other passworded Accounts to be members of the broader privilege set. Set both Privilege Sets to access via xml and xslt. This should produce the results you want.

HTH

Steven

Posted

Thanks for your reply but I think that this is exactly what I have done...

In the same database, I have a Guest Account and about 2500 passworded accounts. I have created three custom privilege sets. One for the first password site called "Password Read Only A", one for the second site called "Password Read Only B" and one for the Guest account called "Guest Read Only."

The Guest Account's custom privilege set called "Guest Read Only" is set as follows: "Guest Read Only" has only XML and XSLT turned on. In the "Records" setting, view access is applied to only one table and further, only to a limited set of fields in that table. In the "Layout" setting, I have selected the appropriate layout and set it and the records on it to "view only." Value Lists and Scripts have no access. Unless I am not understanding the Filemaker interface correctly, this is exactly what I want.

My problem is that IF the Guest Account is turned on, the websites that previously asked for passwords DO NOT.

Scenario: I access the passworded sites with Guest access turned off and all is well. The browser asks for a UN and PW. I activate the previously described Guest Account, QUIT the browser to flush the authorization, once again access the password protected sites and BOOM, I'm in without entering a UN and PW. It's like simply turning the Guest account on turns all protection off!

Am I reading your answer incorrectly?

Posted

I have to disagree with the learned Stephen H. Blackwell on this. He did not read my post well and has therefore offered incorrect advice. The problem I was describing has nothing at all to do with a by-product of http authentication.

If the reader would take the time to actually digest what I have written, she would see that I have already done essentially what was suggested. The guest account has VERY restricted access. The password protected accounts have more access. Both are set up for XML access...

Everything acts normally when the guest account is turned off; users have to authenticate their access. But once the guest account with VERY little access is turned on, return visitors (NOT with the same browser session, not even with the same computer - so it is not with a saved or cached authentication) are not prompted for authentication whatsoever. How can this be attributed to http authentication?

So, since the Old Man has deemed this post beneath further response, and since, further, he has answered it in haste, I would appreciate someone else offering help to not only me but others who might be faced with this problem.

Humble servant indeed...

Posted

My, my, my.

I generally am not able to answer FM Forum questions while on the road at conferences and such. Having been away for over a week at two conferences, I am now returning to answer FM Forum questions.

So, let's give yours another try.

First, contrary to your assertions or beliefs, I did read your initial post carefully especially because it presented a rather unusual situation. I believe I stated that I thought your reported behavior was being caused by the fact that CWP still uses basic http authentication and implicit guest access instead of the newer forms based authentication and explicit guest access that IWP uses. This was a change from Server 7 Advanced to Server 8 Advanced.

There are two different avenues you might try to address your problem. The first is to use a server side XSLT file to manage a password. Here is a link to an item on the FMI website that might be useful:

http://transfer.filemaker.com/collection/xslt_password_protected.pdf

A second approach may be to split the data from the UI for the web and have two separate UI files. One would be Guest Access only and thus require no credentials. The other would have NO guest access and thus prompt for credentials.

The following lengthy excerpt is from the Tech Info Files:

When web users use Custom Web Publishing to access a protected database

When using a Custom Web Publishing solution to access a database, web users may be prompted for their account information. If the Guest account for the database is disabled or does not have a privilege set enabled that includes a Custom Web Publishing extended privilege, the Web Publishing Engine uses HTTP Basic Authentication to request authentication from web users. The web user’s browser displays the HTTP Basic Authentication dialog box for the user to enter a user name and password for an account that has a Custom Web Publishing extended privilege.

Here is a summary of what happens when a web user uses a Custom Web Publishing solution to access a database:

• If you have not assigned a password for an account, web users only specify the account name.

• If the Guest account is disabled, then users will be prompted for account name and password when they access the database. The account must have a Custom Web Publishing extended privilege enabled.

• If the Guest account is enabled and has a privilege set enabled that includes a Custom Web Publishing extended privilege, all web users automatically open the database with the access privileges assigned to the Guest account. If the Custom Web Publishing extended privilege is assigned to the Guest account:

    • Web users are not prompted for an account name and password when opening a file.

    • All web users will automatically log in with the Guest account and assume the Guest account privileges. You can let users change their login accounts from a web browser with the Re-Login script step (for example, to switch from the Guest account to an account with more privileges).

• The default privilege set for Guest accounts provides “read-only” access. You can change the default privileges, including Extended Privileges, for this account. See FileMaker Pro Help.

• Web users generally cannot modify their account password from a web browser. It is possible, however, to build this functionality into your database with the Change Password script step (to enable web users to change their password). See FileMaker Pro Help.

Steven
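
The rule in the Tech Info excerpt and the split-file suggestion can be checked against a planned deployment before anything goes live. The sketch below is an added example, not part of the original posts and not FileMaker code; the file names, site names and the `xml`/`xslt` privilege labels are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed labels for the XML / XSLT Custom Web Publishing extended privileges.
CWP_PRIVS = frozenset({"xml", "xslt"})

@dataclass(frozen=True)
class DbFile:
    name: str
    guest_enabled: bool
    guest_ext_privs: frozenset  # extended privileges on the Guest account's privilege set
    sites: tuple                # (site name, needs_credentials) pairs served from this file

def anonymous_outcome(f):
    """What a web user with no credentials gets, per the Tech Info excerpt."""
    if f.guest_enabled and f.guest_ext_privs & CWP_PRIVS:
        return "guest"   # opened as Guest, no prompt, for every request to this file
    return "prompt"      # HTTP Basic Authentication dialog

def audit(files):
    """Return one finding per site whose intended protection the file cannot deliver."""
    findings = []
    for f in files:
        outcome = anonymous_outcome(f)
        for site, needs_credentials in f.sites:
            if needs_credentials and outcome == "guest":
                findings.append((f.name, site, "served without a prompt (Guest privileges apply)"))
            elif not needs_credentials and outcome == "prompt":
                findings.append((f.name, site, "public pages prompt for credentials"))
    return findings

# Constructed deployments modelled on the thread (file and site names are hypothetical).
SITES = (("Site A", True), ("Site B", True), ("Public pages", False))
single_guest_on = [DbFile("Company", True, frozenset({"xml", "xslt"}), SITES)]
single_guest_off = [DbFile("Company", False, frozenset(), SITES)]
split_ui = [
    DbFile("PublicUI", True, frozenset({"xml", "xslt"}), (("Public pages", False),)),
    DbFile("SecureUI", False, frozenset(), (("Site A", True), ("Site B", True))),
]

if __name__ == "__main__":
    for label, files in [("one file, Guest on", single_guest_on),
                         ("one file, Guest off", single_guest_off),
                         ("split UI files", split_ui)]:
        print(label, "->", audit(files) or "no findings")
```

Because the Guest decision is made per file, the single-file layout fails one way or the other, while the two-file split produces no findings.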
