When the serverreceives a request for a page, the server uses the rules in the ACL file to determine whether it should grant access or not. The rules can reference the hostname or IP address of the computer sending the request. The rules can also reference users and groups stored in the LDAP directory.
If there is more than one ACL that matches, the server uses the last ACL statement that has a match. The default ACL is bypassed since the uri ACL is the last statement that matches.
The preceding figure depicts how access control works in Web Server . The user agent (client) accesses the Web Server, and then the Web Server executes PathCheck directives in obj.conf file. The Web Server returns an HTTP 401 (unauthorized) to the client. The client prompts the user for authentication. In case if the client is a browser, a login dialog box appears. The user enters the login information. The Web Server executes an internal check-acl function. The Web Server validates the user credentials and processes the request.