An end-user uses a connection tool to interact with InterSystems IRIS in a particular access mode using a particular authentication mechanism. Remember that the processes described in this chapter do not themselves establish authenticated access. Rather, they establish the infrastructure that an application uses when authenticating users via a particular mechanism in a particular access mode.
About the Different Access Modes
InterSystems IRIS supports the following access modes: Local, Client-Server, and Web.
Local Access Mode
With local access, the end-user is on the same machine as the InterSystems IRIS server. To gain access to the data, the user runs a private image of InterSystems IRIS that is reading from and writing to shared memory. If there are multiple local users, each has an individual copy of the InterSystems IRIS executable and all the executables point to the same shared memory. Because the user and the executable are on the same machine, there is no need to protect or encrypt communications between the two, since nothing is being passed from one executable to another. Because communications between the user and InterSystems IRIS go on within a single process, this is also known as in-process authentication.
Local access is available for:
Client-Server Access Mode
With client-server access, the InterSystems IRIS executable is the server and there is a client executable that can reside on a separate machine. InterSystems IRIS accepts a connection, possibly over a wire, from the client. This connection can use any language or protocol that InterSystems IRIS supports. These include:
All connection tools support authentication through Kerberos or instance authentication, except %Service_ComPort, which supports only instance authentication.
In each case, the server specifies the supported authentication type(s). When the client initiates contact with the server, it must attempt to use one of these supported types; otherwise, the connection attempt is rejected. Not all authentication types are available for all connection tools.
Web Access Mode
The web access mode supports connections of the following form:
Architecture of a Web Connection
- A user requests content or an action in a web browser.
- The web browser passes along the request to the web server.
- The web server is co-located with the web gateway and passes the request to the gateway.
- The gateway passes the request to the InterSystems IRIS server.
When the InterSystems IRIS server provides content for or performs an action relating to the user, the entire process happens in the other direction.
For the user to authenticate to InterSystems IRIS, a username and password must be passed down the line. Hence, this access mode is also known as a proxy mode or proxy connection. Once the information reaches the InterSystems IRIS machine, the arrangement between user and server is similar to that in the local access mode. In fact, the web access mode also uses in-process authentication.