The Web server plug-in intercepts HTTP requests after it finishes the URL translation phase. The Web server obtains the translated URL and checks it against the ACDB to determine whether it is protected. If the URL that the user specifies in the Web browser differs from the translated URL, the PSO must enter the translated URL into the ACDB. If the plug-in does not find the URL in the ACDB, it keeps this URL in a cache of unprotected URLs and returns control to the Web server so that the server can process the request as usual. If it does find the URL in the ACDB, it authenticates the user as necessary—see “User authentication”—and authorizes access based on the user’s permissions.
The Web plug-in does not secure contents in a document. If a document contains hypertext links that a user does not have permission to access, the plug-in does not hide those links. The content management system should provide that functionality. If your environment does not have such a system, be aware of this behavior and name the links with caution.
