Sun Java System Web Server 7.0 Update 7 Administrator's Guide

Adding an Access Control Entry (ACE)

The section describes the process of adding a new Access Control Entry (ACE) for the selected configuration.

  1. Click the Configurations tab and select the configuration.

  2. Click the Access Control sub tab > Access Control List sub tab.

  3. Click the New button.

  4. Click the New button under Access Control Entry.

Configure the following ACE parameters:

Table 7–3 ACE parameters




  • Allow means users or systems can access the requested resource.

  • Deny means users or systems cannot access the resource.

    The server goes through the list of access control expressions (ACEs) to determine the access permissions.


1. Anyone — No authentication. Grants access to everyone.

2. All in the Auth DB — Grants access to all users specified in the authentication database.

3. Only the following in the Auth DB — Restrict access to selected users from the authentication DB.

You can query the authentication DB based on common attributes like First name, Last name and Email address. 


With group authentication, users are prompted to enter a username and password before they can access the resource specified in the access control rule. 

Use this option to restrict access to specific groups. 

From Host

You can restrict access to the Administration Server or your web site based on which computer the request comes from. 

  • Anyplace enables access to all users and systems.

  • Only from enables you to restrict access to specific Host Names or IP Addresses.

If you select the Only from option, enter a wildcard pattern or a comma-separated list in the Host Names or IP Addresses fields. Restricting by hostname is more flexible than by IP address: if a user’s IP address changes, you won’t need to update this list. Restricting by IP address, however, is more reliable: if a DNS lookup fails for a connected client, hostname restriction cannot be used. 

You can only use the * wildcard notation for wildcard patterns that match the computers’ host names or IP addresses. For example, to allow or deny all computers in a specific domain, you will enter a wildcard pattern that matches all hosts from that domain, such as * You can set different hostnames and IP addresses for superusers accessing the Administration Server.

For hostnames, the * must replace an entire component of the name. That is, * is acceptable, but * is not. When the * appears in a hostname, it must be the left-most character.

For the IP address, the * must replace an entire byte in the address. For example, 198.95.251.* is acceptable, but* is not. When the * appears in an IP address, it must be the right-most character. For example, 198.* is acceptable, but not 198.*.251.30.


Access rights restrict access to files and directories on your web site. In addition to allowing or denying all access rights, you can specify a rule that enables or denies partial access rights. For example, you allow users read-only access rights to your files, so they can view the information, but not change the files. 

  • All Access Rights is the default and will allow or deny all rights.

  • Only the following rights allow you to select a combination of rights to be allowed or denied:

    • Read enables users to view files, including includes the HTTP methods GET, HEAD, POST, and INDEX.

    • Write enables users to change or delete files, including the HTTP methods PUT, DELETE, MKDIR, RMDIR, and MOVE. To delete a file, a user must have both write and delete rights.

    • Execute enables users to execute server-side applications, such as CGI programs, Java applets, and agents.

      POST maps to execute right only.

    • Delete enables users who also have write privileges to delete files or directories.

    • List enables users to access lists of the files in directories that do not contain an index.html file.

    • Info enables users to receive information about the URI, for example http_head.


The server goes through the list of access control expressions (ACEs) to determine the access permissions. For example, the first ACE is usually to deny everyone. If the first ACE is set to “continue,” the server checks the second ACE in the list, and if it matches, the next ACE is used. 

If continue is not checked, everyone will be denied access to the resource. The server continues down the list until it reaches either an ACE that doesn’t match, or that matches but is set to not continue. The last matching ACE determines if access is allowed or denied.