Before discussing how to define directory authentication, let us review the following point
Token-Based Authentication must be configured on each desired platform (i.e., HTTP Large, HTTP Small, and ADN).
The set of content that requires authentication needs to be identified. One way of accomplishing this is to specify the location(s) for which Token-Based Authentication will be applied. The Directories to Authenticate section allows you to define one or more locations using a relative path to the desired folder. The starting point for this relative path, which varies by URL type, is defined below:
URL Type | Relative Path (Starting Point) |
---|---|
CDN URL |
Specify a relative path that starts directly after the account number segment of the content access pointThis URL segment of a CDN URL identifies where the request should be directed. This relative path starts directly after the CDN hostname. The proper syntax for a content access point is "/yyAN," where "yy" stands for the origin identifier and "AN" stands for a customer account number. A content access point for a customer origin also includes a directory that identifies it. (e.g., /000001, /200001, or /800001). Sample URL: http://wpc.0001.edgecastcdn.net/800001/customerorigin/videos/fly.html Gray font indicates the URL segments that should be excluded when securing a location. Any of the configurations listed below will secure the above sample request:
|
Edge CNAME URL |
Specify a relative path that starts directly after the hostname. Sample URL: http://www.domain.com/presentations/sales/businessplan.ppt Gray font indicates the URL segments that should be excluded when securing a location. Any of the configurations listed below will require authentication for the above sample request:
|
Edge CNAME URL |
Specify a relative path that starts with the name of the customer origin configuration referenced by the edge CNAME URL. The starting point for the relative path that should be secured is defined in the CDN URL equivalent of an edge CNAME URL. Sample edge CNAME URL: http://www.domain.com/Photos/Store.jpg Our edge servers will re-write the edge CNAME URL requested by the client (above) with the following CDN URL: http://wpc.0001.edgecastcdn.net/800001/customerorigin/Photos/Store.jpg Gray font indicates the URL segments that should be excluded when securing a location. Any of the configurations listed below will require authentication for the above sample request:
|
Key information:
Require authentication for all CDN content by defining the following relative path under the Directories to Authenticate section:
Require authentication for all content from a specific customer origin server through the following configuration:
Require authentication for all content from a specific folder on a specific customer origin server through the following configuration:
Although an edge CNAME URL does not include the name of a customer origin server and may not include the path to the desired folder, it will be treated as if the corresponding CDN URL had been used. As a result, when defining such a location make sure to specify the name of the customer origin server followed by the relative path to the desired folder (e.g., /MyCustomerOrigin/Marketing/Presentations).
Token-Based Authentication is applied recursively to each folder specified in the Directories to Authenticate section. This means that all content residing in the specified folder or its subfolders will require authentication.
Token-Based Authentication is platform-specific which means that content may potentially be downloaded by using a URL for a different platform (e.g., HTTP Large instead of HTTP Small). Avoid this scenario by replicating your Token-Based Authentication configuration across all platforms.
Due to the recursive nature of directory authentication, apply Token-Based Authentication to all content
To apply Token-Based Authentication across an entire platform
It may take up to an hour for the creation, modification, or deletion of an authentication directory to take effect.
To add an authentication directory
To modify an authentication directory
To delete an authentication directory
Although this section contains sample URLs that point to the HTTP Large platform, the analysis provided below also applies to the HTTP Small and the ADN platforms.
The following sample scenarios assume that the following directory has been defined under the Directories to Authenticate section:
This scenario is based on the following request:
Request Properties | Value |
---|---|
URL Type |
CDN URL |
Origin Type |
CDN Storage |
URL |
http://wpc.0001.edgecastcdn.net/000001/Secure/index.html |
The above request points to content stored in a folder to which Token-Based Authentication has been applied. Therefore, a token is required. Since a token was not specified for this request, the asset will not be served to the client.
This scenario is based on the following request:
Request Properties | Value |
---|---|
URL Type |
CDN URL |
Origin Type |
CDN Storage |
URL |
http://wpc.0001.edgecastcdn.net/000001/Secure/Data/index.html?c1019f8a6942b46a1ce679e66cd579767 |
The above request points to content stored in a subfolder of a folder to which Token-Based Authentication has been applied. Therefore, a token is required. The requested asset will be delivered to the client provided that both of the following conditions are met:
This scenario is based on the following request:
Request Properties | Value |
---|---|
URL Type |
CDN URL |
Origin Type |
Customer Origin |
URL |
http://wpc. 0001.edgecastcdn.net/800001/MyServer/Secure/index.html |
The above request points to a customer origin configuration called "MyServer." The requested asset is unprotected, since its relative path starts with "/MyServer" instead of with "/Secure." As a result, it will be served to the client.
This scenario is based on the following request:
Request Properties | Value |
---|---|
URL Type |
Edge CNAME URL |
Origin Type |
Customer Origin |
URL |
http://secure.server.com/Secure/index.html?c1019f8a6942b46a1ce679e66cd579767 The hostname "secure.server.com" leverages an edge CNAME configuration that points to: wpc.0001.edgecastcdn.net/800001/MyServer
|
The above request leverages an edge CNAME that points to a customer origin configuration called "MyServer" and a folder called "Secure." Although the edge CNAME URL points to the "Secure" folder, the relative path for this type of URL (i.e., edge CNAME URL that points to a customer origin server) starts with the customer origin name (i.e., /MyServer). As a result, the unprotected asset will be served to the client.
We have just examined how several URLs would be affected when the "/Secure" location was defined on an HTTP-based platform. We will now examine how alternate configurations will affect how Token-Based Authentication interacts with those URLs.
Each row in the following table represents a separate Token-Based Authentication configuration.
Secured Location | Description |
---|---|
/ |
A valid token is required for all four scenarios. |
/Secure/Data |
A valid token is only required for the second scenario. |
/MyServer |
A valid token is required for the third and fourth scenarios. |
/MyServer/Secure |
A valid token is required for the third and fourth scenarios. |
Edgecast CDN