Sun Java System Web Proxy Server 4.0.8 Administration Guide

How Access Control Works

When the server receives a request for a page, it uses the rules in the ACL file to decide whether access should be granted. These rules can refer to the host name or IP address of the computer that sent the request, and to users and groups stored in the LDAP directory.

The following example shows what an ACL file might contain and provides sample access control rules.


version 3.0;
# The following "es-internal" rules protect files such
# as icons and images related to Sun Java System Web Proxy Server.
# These "es-internal" rules should not be modified.
  acl "es-internal";
  allow (read, list, execute,info) user = "anyone";
  deny (write, delete) user = "anyone";

# The following rules deny access to the directory "web"
# to everyone not in the directory server and deny everyone
# in the directory server who is not in GroupB.
# Only the users in GroupB are allowed read, execute, list,
# and info permissions. GroupA cannot gain access to the
# directory "web" even though (in the ACL rule below) they
# can access the directory "my_stuff". Furthermore, members
# of GroupB cannot write or delete files.
  acl "path=/export/user/990628.1/docs/my_stuff/web/";
  authenticate (user,group) {
     database = "default";
     method = "basic";
  };
  deny (all)
  (user = "anyone");

  allow (read,execute,list,info)
  (group = "GroupB");

# The following rule denies everyone not in the directory
# server and denies everyone in the directory server except
# users with the ID of "SpecificMemberOfGroupB". The ACL rule
# in this setting also has a requirement that the user
# connect from a specific IP address. The IP address setting
# in the rule is optional, and has been added for extra
# security. Also, this ACL rule has a Customized prompt
# of "Presentation Owner". This Customized prompt appears
# in the username and password dialog box in the client’s
# browser.

  acl "path=/export/user/990628.1/docs/my_stuff/web/presentation.html";
  authenticate (user,group) {
     database = "default";
     method = "basic";
     prompt = "Presentation Owner";
  };
  deny (all)
  (user = "anyone" or group = "my_group");
  allow (all)
  (user = "SpecificMemberOfGroupB") and
  (ip = "208.12.54.76");

# The following ACL rule denies everyone not in the directory
# server and everyone in the directory server except for
# GroupA and GroupB access to the directory "my_stuff"
  acl "path=/export/user/990628.1/docs/my_stuff/";
  authenticate (user,group) {
     database = "default";
     method = "basic";
  };
  deny (all)
  (user = "anyone");
  allow (read,execute,list,info)
  (group = "GroupA,GroupB");

For example, if a user requests the URL http://server_name/my_stuff/web/presentation.html, the Proxy Server first checks the access control for the entire server. If the ACL for the entire server is set to "Continue", the server checks for an ACL on the directory my_stuff. If one exists, the server evaluates the ACEs in that ACL and then moves on to the next directory. This process continues until an ACL that denies access is found, or until the last ACL for the requested URL (here, the file presentation.html) is reached. In the example above this is why a member of GroupA is stopped at the ACL for my_stuff/web/ even though the ACL for my_stuff/ admits the group, and why the owner of presentation.html is admitted only from the listed address: when the IP condition of the final allow (all) ACE is not met, the deny (all) ACE that precedes it remains the last match.

To set up the access control for this example with the Server Manager, you can create an ACL for the file alone, or one for each resource on the path to the file (that is, one for the entire server, one for the my_stuff directory, one for the my_stuff/web directory, and one for the file itself).

If more than one ACL matches, the server uses the last ACL statement that matches. Order therefore decides the outcome: each path ACL in the example opens with deny (all) for user "anyone" and only then allows the intended group, so the later allow takes precedence over the earlier deny for that group while everyone else stays denied. An allow written before a deny (all) for "anyone" would be overridden by it.
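The path walk described above (from the whole server down to the requested file) and the last-match rule are modelled by the following Python script. It is an added illustration, not part of the original guide and not the Proxy Server's own ACL engine. It parses a trimmed, one-statement-per-line copy of the three "path=" ACLs from the example above (constructed input) and returns a decision for a request. Assumptions made here: the document root is /export/user/990628.1/docs (inferred from the URL and ACL paths on this page), a request is described by a dictionary with user, groups and ip, the ip attribute is compared by exact string match, the authenticate blocks are parsed but ignored because authentication itself is not modelled, and a request that no ACL covers is denied. The names parse_acl_file, parse_condition, matches and decide are this example's own.

```python
import re
# Assumed document root: URL /my_stuff/web/presentation.html maps to the ACL path
# /export/user/990628.1/docs/my_stuff/web/presentation.html used on this page.
DOCROOT = "/export/user/990628.1/docs"
ALL_RIGHTS = {"read", "write", "execute", "delete", "list", "info"}

# Constructed input: the three "path=" ACLs from this page, one statement per line.
ACL_TEXT = '''
version 3.0;
acl "path=/export/user/990628.1/docs/my_stuff/web/";
authenticate (user,group) { database = "default"; method = "basic"; };
deny (all) (user = "anyone");
allow (read,execute,list,info) (group = "GroupB");
acl "path=/export/user/990628.1/docs/my_stuff/web/presentation.html";
authenticate (user,group) { database = "default"; method = "basic"; prompt = "Presentation Owner"; };
deny (all) (user = "anyone" or group = "my_group");
allow (all) (user = "SpecificMemberOfGroupB") and (ip = "208.12.54.76");
acl "path=/export/user/990628.1/docs/my_stuff/";
authenticate (user,group) { database = "default"; method = "basic"; };
deny (all) (user = "anyone");
allow (read,execute,list,info) (group = "GroupA,GroupB");
'''

TOKEN = re.compile(r'\(|\)|\b(?:and|or)\b|(\w+)\s*=\s*"([^"]*)"')

def parse_condition(text):
    """Parse '(user = "a" or group = "g") and (ip = "1.2.3.4")' into ("and"|"or", l, r) and ("cmp", attr, value)."""
    toks = [(m.group(1), m.group(2)) if m.group(1) else m.group(0) for m in TOKEN.finditer(text)]
    pos = 0
    def atom():
        nonlocal pos
        tok = toks[pos]; pos += 1
        if tok != "(":
            return ("cmp",) + tok
        node = or_expr(); pos += 1                # consume the closing ")"
        return node
    def and_expr():
        nonlocal pos
        node = atom()
        while pos < len(toks) and toks[pos] == "and":
            pos += 1; node = ("and", node, atom())
        return node
    def or_expr():
        nonlocal pos
        node = and_expr()
        while pos < len(toks) and toks[pos] == "or":
            pos += 1; node = ("or", node, and_expr())
        return node
    return or_expr()

def parse_acl_file(text):
    """Return [(path, [(action, rights, condition), ...]), ...] in file order."""
    text = re.sub(r'#[^\n]*', '', text)                                         # comments
    text = re.sub(r'authenticate\s*\([^)]*\)\s*\{.*?\}', '', text, flags=re.S)  # authentication is not modelled
    acls = []
    for stmt in (s.strip() for s in text.split(';')):
        if not stmt or stmt.startswith("version"):
            continue
        if stmt.startswith("acl"):
            name = re.search(r'"([^"]*)"', stmt).group(1)
            acls.append((name[5:] if name.startswith("path=") else None, []))   # None: a named, not a path, ACL
            continue
        m = re.match(r'(allow|deny)\s*\(([^)]*)\)\s*(.*)', stmt, re.S)
        rights = {r.strip() for r in m.group(2).split(',')}
        acls[-1][1].append((m.group(1), ALL_RIGHTS if "all" in rights else rights, parse_condition(m.group(3))))
    return acls

def matches(node, req):
    """Evaluate a condition tree against req = {"user", "groups", "ip"}; {} means not authenticated."""
    if node[0] in ("and", "or"):
        left, right = matches(node[1], req), matches(node[2], req)
        return (left and right) if node[0] == "and" else (left or right)
    _, attr, value = node
    if attr == "user":                            # "anyone" matches every request
        return value == "anyone" or req.get("user") == value
    if attr == "group":                           # the file writes group lists as "GroupA,GroupB"
        return bool(set(value.split(',')) & set(req.get("groups", ())))
    return attr == "ip" and req.get("ip") == value    # exact address match only, in this model

def decide(acls, url_path, right, req):
    """Walk the matching ACLs from the shortest path down to the requested file. Inside an ACL the
    last matching ACE wins; an ACL that denies ends the walk; with no applicable ACL we fail closed."""
    fs_path = DOCROOT + url_path
    def applies(path):                            # a directory ACL covers its subtree, a file ACL matches exactly
        return path is not None and (fs_path.startswith(path) if path.endswith('/') else fs_path == path)
    decision = "deny"
    for path, aces in sorted((a for a in acls if applies(a[0])), key=lambda a: len(a[0])):
        verdict = None
        for action, rights, cond in aces:
            if right in rights and matches(cond, req):
                verdict = action
        if verdict == "deny":
            return "deny"
        if verdict == "allow":
            decision = "allow"
    return decision

ACLS = parse_acl_file(ACL_TEXT)
```

Calling decide(ACLS, "/my_stuff/web/presentation.html", "read", {"user": "SpecificMemberOfGroupB", "groups": ["GroupB"], "ip": "208.12.54.76"}) returns "allow"; the same user from any other address gets "deny", because the IP clause fails and the earlier deny (all) stays the last match. A GroupA member is allowed to list /my_stuff/ but denied at /my_stuff/web/, which is the GroupA behaviour the comments in the example describe, and a GroupB member asking for write on /my_stuff/web/ is denied because the allow ACE there grants only read, execute, list and info.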