Attribute-Based Access

Let’s up the ante. Suppose we don’t merely want to allow an undifferentiated group of subscribers to access the ProductAnalysis docbase. Suppose, instead, we want to restrict access based on a relationship between an attribute of a docbase record and an attribute of a subscriber record. Protections applied to directories, files, or scripts won’t suffice.

In the last chapter, we built a notifier that alerts subscribers when a docbase receives new reports about companies in which the docbase subscribers have registered an interest. If we want to use conventional authentication techniques to deny access to reports about companies other than those a subscriber has signed up for, we’d have to materialize nodes in filesystem space for each company, locate HTML files (or file-serving scripts) at each node, and bind a user or group authorization method to each node. You might be able to make this work, but it would be crazy to try—the administrative burden would crush you.

The problem isn’t how authentication is done. Whether you’re using basic authentication or a cookie, as we’ll see later in this chapter, or even a client-side digital ID, the problem is that standard authorization only allows or denies a file or script. It can’t make access-control decisions based on attributes of documents. Authorization is tightly coupled to the filesystem. We’ve got to break that coupling in order to be able to apply basic authentication in a more granular way.
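The decision described above, as an added example that is not code from the book: a serving script takes the user name established by whatever authentication method is in use and compares the record's company attribute with the companies that subscriber registered for. The subscriber names, record ids, field names and function names are assumptions constructed for illustration.

```python
# Constructed sample data (not from the book).
SUBSCRIPTIONS = {            # subscriber -> companies they signed up for
    "alice": {"Netscape", "Microsoft"},
    "bob": {"Lotus"},
}
DOCBASE = {                  # record id -> docbase record with a company attribute
    "r1": {"company": "Netscape", "body": "Q3 browser share analysis"},
    "r2": {"company": "Lotus", "body": "Notes roadmap review"},
    "r3": {"body": "Record with no company attribute"},
}


def norm(value):
    """Normalize an attribute value so 'Lotus' and ' lotus ' compare equal."""
    return value.strip().casefold()


def authorize(user, record):
    """Allow only when the record's company is one the subscriber registered."""
    company = record.get("company")
    if not user or not company:
        return False         # default deny: unknown user or unlabelled record
    allowed = {norm(c) for c in SUBSCRIPTIONS.get(user, ())}
    return norm(company) in allowed


def fetch_report(user, record_id):
    """Return (status, body) for an already-authenticated user name."""
    if not user:
        return 401, "Authentication required"
    record = DOCBASE.get(record_id)
    # Missing and unauthorized records get the same answer, so a subscriber
    # cannot learn which other companies have reports in the docbase.
    if record is None or not authorize(user, record):
        return 404, "Not found"
    return 200, record["body"]


if __name__ == "__main__":
    for who, rid in [("alice", "r1"), ("bob", "r1"), ("bob", "r2"), ("alice", "r3")]:
        print(who, rid, fetch_report(who, rid))
```

The check lives in the script that serves records, so adding a company or a subscriber changes data only and requires no new directories or per-node authorization bindings.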
