Sun Java System Web Proxy Server 4.0.4 管理指南

存取控制的工作方式

當伺服器收到對某個網頁的請求時,它會使用 ACL 檔案中的規則來判斷是否應授予存取權。這些規則可以參照傳送請求的電腦主機名稱或 IP 位址。還可以參照儲存在 LDAP 目錄中的使用者和群組。

下列範例顯示 ACL 檔案可能包含的內容,並提供存取控制規則範例。


version 3.0;
# The following "es-internal" rules protect files such
# as icons and images related to Sun Java System Web Proxy Server.
# These "es-internal" rules should not be modified.
  acl "es-internal";
  allow (read, list, execute,info) user = "anyone";
  deny (write, delete) user = "anyone";

# The following rules deny access to the directory "web"
# to everyone not in the directory server and deny everyone
# in the directory server who is not in GroupB.
# Only the users in GroupB are allowed read, execute, list,
# and info permissions. GroupA cannot gain access to the
# directory "web" even though (in the ACL rule below) they
# can access the directory “my_stuff”. Furthermore, members
# of GroupB cannot write or delete files.
  acl "path=/export/user/990628.1/docs/my_stuff/web/";
  authenticate (user,group) {
     database = "default";
     method = "basic";
  };
  deny (all)
  (user = "anyone");

  allow (read,execute,list,info)
  (group = "GroupB");

# The following rule denies everyone not in the directory
# server and denies everyone in the directory server except
# users with the ID of "SpecificMemberOfGroupB". The ACL rule
# in this setting also has a requirement that the user
# connect from a specific IP address. The IP address setting
# in the rule is optional, and has been added for extra
# security. Also, this ACL rule has a Customized prompt
# of "Presentation Owner". This Customized prompt appears
# in the username and password dialog box in the client’s
# browser.

  acl "path=/export/user/990628.1/docs/my_stuff/web/presentation.html";
  authenticate (user,group) {
     database = "default";
     method = "basic";
     prompt = "Presentation Owner";
  };
  deny (all)
  (user = "anyone" or group = "my_group");
  allow (all)
  (user = "SpecificMemberOfGroupB") and
  (ip = "208.12.54.76");

# The following ACL rule denies everyone not in the directory
# server and everyone in the directory server except for
# GroupA and GroupB access to the directory “my_stuff”
  acl "path=/export/user/990628.1/docs/my_stuff/";
  authenticate (user,group) {
     database = "default";
     method = "basic";
  };
  deny (all)
  (user = "anyone");
  allow (read,execute,list,info)
  (group = "GroupA,GroupB");


      

例如,如果使用者請求 URL http://server_name/my_stuff/web/presentation.html,Proxy Server 便會先檢查對整個伺服器的存取控制。如果整個伺服器的 ACL 設定為 [Continue],則伺服器會檢查 my_stuff 目錄中有無 ACL。如果有 ACL 存在,伺服器便會檢查該 ACL 內的 ACE,然後檢查下一個目錄。此程序持續到找出拒絕存取的 ACL 為止,或者到達所請求 URL 的最後一個 ACL 為止,在本例中是到達 presentation.html 檔案。

若要使用 Server Manager 設定對此範例的存取控制,您可以只針對該檔案建立一個 ACL,或針對指向該檔案的每項資源各建立一個 ACL,亦即整個伺服器一個 ACL、my_stuff 目錄一個 ACL、my_stuff/web 目錄一個 ACL,以及該檔案一個 ACL。

如果有一個以上相符的 ACL 存在,則伺服器會使用相符的最後一個 ACL 敘述。