Sun Java System Web Server 7.0 Administrator's Guide

Adding an Access Control Entry (ACE)

This section describes how to add a new Access Control Entry (ACE) to the selected configuration.

  1. Click the Configurations tab and select the configuration.

  2. Click the Access Control sub tab > Access Control List sub tab.

  3. Click the New button.

  4. Click the New button under Access Control Entry.

Configure the following ACE parameters:

Table 7–3 ACE parameters (Parameter / Description)

Access

  • Allow means users or systems can access the requested resource

  • Deny means users or systems cannot access the resource

    The server walks the list of access control entries (ACEs) in order to determine the access permissions; the Continue setting below controls how far down the list evaluation goes.

Users

1. Anyone — No authentication. Grants access to everyone.

2. All in the Auth DB — Grants access to all users specified in the authentication database.

3. Only the following in the Auth DB — Restricts access to selected users from the authentication DB.

You can query the authentication DB based on common attributes like First name, Last name and Email address. 

Groups

With group authentication, users are prompted to enter a username and password before they can access the resource specified in the access control rule. 

Use this option to restrict access to specific groups. 

From Host

You can restrict access to the Administration Server or your web site based on which computer the request comes from. 

  • Anyplace allows access to all users and systems

  • Only from allows you to restrict access to specific Host Names or IP Addresses

If you select the Only from option, enter a wildcard pattern or a comma-separated list in the Host Names or IP Addresses fields. Restricting by host name is more flexible than by IP address: if a user’s IP address changes, you do not need to update this list. Restricting by IP address, however, is more reliable: if the DNS lookup for a connected client fails, a host name restriction cannot match it. Keep in mind that host name matching depends on the reverse (PTR) lookup of the client’s address, and that record is published by whoever operates that address space, so treat host name restrictions as a convenience rather than a strong control.

Only the * wildcard is supported in patterns that match host names or IP addresses. For example, to allow or deny all computers in a specific domain, enter a pattern that matches every host in that domain, such as *.sun.com. You can set different host names and IP addresses for superusers accessing the Administration Server.

For host names, the * must replace an entire component of the name and must be the left-most character. That is, *.sun.com is acceptable, but *users.sun.com and users.*.com are not.

For IP addresses, the * must replace an entire byte of the address and must be the right-most character. For example, 198.95.251.* and 198.* are acceptable, but 198.95.251.3* and 198.*.251.30 are not.
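The following is an added example, not code from Sun Java System Web Server, that implements the wildcard rules stated above so you can check a pattern before typing it into the Host Names or IP Addresses fields, and then evaluate a comma-separated Only from list against a client. It assumes that a leading * in a host name pattern stands for one or more whole left-most labels (so *.sun.com covers a.b.sun.com as well as www.sun.com), and it models a failed reverse DNS lookup as a missing host name, in which case only IP patterns can match.

```python
"""From Host wildcard rules, as an added illustration (not the server's own code).

Assumption: a leading '*' in a host name pattern matches one or more whole
left-most labels; the guide only says it must replace an entire component.
"""
import re
from typing import Optional

# One DNS label: letters, digits and hyphens, no leading or trailing hyphen.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
# One IPv4 byte, 0-255, without leading zeros.
_OCTET = r"(?:25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])"

# Host name pattern: a plain name, or '*' replacing the entire left-most label(s).
# Rejects *users.sun.com (partial label) and users.*.com ('*' not left-most).
_HOST_PATTERN = re.compile(rf"^(?:\*\.)?{_LABEL}(?:\.{_LABEL})*$")
# IP pattern: a full dotted quad, or 1-3 leading bytes followed by a trailing '*'.
# Rejects 198.95.251.3* (partial byte) and 198.*.251.30 ('*' not right-most).
_IP_PATTERN = re.compile(
    rf"^{_OCTET}(?:\.{_OCTET}){{3}}$|^{_OCTET}(?:\.{_OCTET}){{0,2}}\.\*$"
)


def validate_host_pattern(pattern: str) -> bool:
    """True if the pattern obeys the host name wildcard rules."""
    return _HOST_PATTERN.match(pattern) is not None


def validate_ip_pattern(pattern: str) -> bool:
    """True if the pattern obeys the IP address wildcard rules."""
    return _IP_PATTERN.match(pattern) is not None


def host_matches(pattern: str, hostname: str) -> bool:
    """Match a reverse-resolved client host name against one host name pattern."""
    if not validate_host_pattern(pattern):
        raise ValueError(f"invalid host name pattern: {pattern!r}")
    host = hostname.rstrip(".").lower()
    pat = pattern.lower()
    if pat.startswith("*."):
        # '*' stands for whole labels, so the dot is required:
        # evilsun.com must not match *.sun.com, and sun.com itself does not either.
        return host.endswith(pat[1:])
    return host == pat


def ip_matches(pattern: str, address: str) -> bool:
    """Match a client IPv4 address against one IP pattern, byte by byte."""
    if not validate_ip_pattern(pattern):
        raise ValueError(f"invalid IP address pattern: {pattern!r}")
    parts = address.split(".")
    if len(parts) != 4 or not all(p.isdigit() and int(p) <= 255 for p in parts):
        raise ValueError(f"not a dotted-quad IPv4 address: {address!r}")
    want = [w for w in pattern.split(".") if w != "*"]
    # Compare as integers so 198.95 is not treated as a prefix of 198.9x.
    return [int(p) for p in parts[: len(want)]] == [int(w) for w in want]


def from_host_allows(only_from: str, hostname: Optional[str], address: str) -> bool:
    """Evaluate a comma-separated Only from list as typed into the field.

    hostname is None when the reverse DNS lookup for the client failed; the guide
    notes that host name restrictions cannot be used in that case, so only the
    IP address patterns in the list can then match.
    """
    for raw in only_from.split(","):
        pat = raw.strip()
        if not pat:
            continue
        if validate_ip_pattern(pat):          # checked first: 198.95.251.30 is also a valid name
            if ip_matches(pat, address):
                return True
        elif validate_host_pattern(pat):
            if hostname is not None and host_matches(pat, hostname):
                return True
        else:
            raise ValueError(f"unsupported pattern: {pat!r}")
    return False


if __name__ == "__main__":
    # Constructed sample list: one host name pattern and one IP pattern.
    only_from = "*.sun.com, 10.0.0.*"
    print(from_host_allows(only_from, "www.sun.com", "192.0.2.1"))   # matched by name
    print(from_host_allows(only_from, None, "10.0.0.7"))             # no PTR, matched by IP
    print(from_host_allows(only_from, None, "192.0.2.1"))            # no PTR, no IP match
```

Invalid patterns raise rather than silently matching nothing, which is the failure mode you want from an access control list: a typo such as 198.95.251.3* should be caught when the rule is written, not discovered when a client is unexpectedly let in or locked out.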

Rights

Access rights restrict access to files and directories on your web site. In addition to allowing or denying all access rights, you can specify a rule that allows or denies partial access rights. For example, you can allow users read-only access to your files, so that they can view the information but not change the files. 

  • All Access Rights is the default and will allow or deny all rights

  • Only the following rights allows you to select a combination of rights to be allowed or denied:

    • Read allows users to view files, including the HTTP methods GET, HEAD, POST, and INDEX

    • Write allows users to change or delete files, including the HTTP methods PUT, DELETE, MKDIR, RMDIR, and MOVE. To delete a file, a user must have both write and delete rights

    • Execute allows users to execute server-side applications, such as CGI programs, Java applets, and agents

    • Delete allows users who also have write privileges to delete files or directories.

    • List allows users to access lists of the files in directories that do not contain an index.html file.

    • Info allows users to receive information about the URI, for example http_head.

Continue

The server walks the list of access control entries (ACEs) in order to determine the access permissions. For example, the first ACE is usually a deny for everyone. If that ACE has Continue checked, the server goes on to the second ACE in the list and, if it matches, applies it, and so on down the list. 

If Continue is not checked on that first ACE, evaluation stops there and everyone is denied access to the resource. In general, the server keeps going down the list, passing over ACEs that do not match the request, until it reaches a matching ACE that is set not to continue or reaches the end of the list. The last matching ACE determines whether access is allowed or denied.
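The following is an added example, not code from Sun Java System Web Server, that models the Rights and Continue behaviour described in this table: each HTTP method needs the right the table assigns it, DELETE needs both write and delete, and the ACE list is walked in order with the last matching ACE deciding unless a matching ACE has Continue unchecked, which ends evaluation there. Users and groups are plain sets standing in for the authentication database; the ACE lists, user names and group name are constructed for the example, and a list in which no ACE applies is treated as a deny (an assumption, since the typical list opens with a deny for everyone).

```python
"""ACE evaluation with Rights and Continue, as an added illustration (not the server's own code)."""
from dataclasses import dataclass
from typing import FrozenSet, Optional, Sequence

ALL_RIGHTS = frozenset({"read", "write", "execute", "delete", "list", "info"})

# Right each HTTP method needs, following Table 7-3. DELETE needs both write and delete.
METHOD_RIGHTS = {
    "GET": {"read"}, "HEAD": {"read"}, "POST": {"read"}, "INDEX": {"read"},
    "PUT": {"write"}, "MKDIR": {"write"}, "RMDIR": {"write"}, "MOVE": {"write"},
    "DELETE": {"write", "delete"},
}

ANYONE = "anyone"    # "Anyone": no authentication required
ALL_IN_DB = "all"    # "All in the Auth DB": any authenticated user


@dataclass(frozen=True)
class Request:
    method: str
    user: Optional[str]                      # None when the client has not authenticated
    groups: FrozenSet[str] = frozenset()     # groups the user belongs to in the auth DB


@dataclass(frozen=True)
class ACE:
    allow: bool                              # Access: Allow or Deny
    users: FrozenSet[str] = frozenset()      # ANYONE, ALL_IN_DB, or specific user names
    groups: FrozenSet[str] = frozenset()     # Groups
    rights: FrozenSet[str] = ALL_RIGHTS      # Rights this ACE allows or denies
    cont: bool = True                        # the Continue checkbox

    def applies_to(self, req: Request) -> bool:
        """Does this ACE's Users/Groups selection cover the requester?"""
        if ANYONE in self.users:
            return True
        if req.user is None:
            return False
        if ALL_IN_DB in self.users or req.user in self.users:
            return True
        return bool(self.groups & req.groups)


def right_granted(aces: Sequence[ACE], req: Request, right: str) -> bool:
    """Walk the list for one right: last matching ACE wins unless Continue is unchecked."""
    decision = False                         # assumption: nothing matched means no grant
    for ace in aces:
        if right not in ace.rights or not ace.applies_to(req):
            continue                         # this ACE does not match the request; pass over it
        decision = ace.allow
        if not ace.cont:
            break                            # Continue unchecked: this ACE decides, stop here
    return decision


def evaluate(aces: Sequence[ACE], req: Request) -> bool:
    """True if every right the method needs is granted by the list."""
    needed = METHOD_RIGHTS.get(req.method.upper())
    if needed is None:
        return False                         # method not covered by any right in the table
    return all(right_granted(aces, req, r) for r in needed)


# Constructed example list: deny everyone first with Continue checked, then the allows.
EXAMPLE_ACL = (
    ACE(allow=False, users=frozenset({ANYONE}), cont=True),
    ACE(allow=True, users=frozenset({ALL_IN_DB}), rights=frozenset({"read", "list", "info"})),
    ACE(allow=True, groups=frozenset({"editors"}), rights=frozenset({"write", "delete"})),
)
# The same list with Continue unchecked on the deny: nothing after it is ever reached.
BROKEN_ACL = (ACE(allow=False, users=frozenset({ANYONE}), cont=False),) + EXAMPLE_ACL[1:]


if __name__ == "__main__":
    print(evaluate(EXAMPLE_ACL, Request("GET", None)))                              # anonymous: denied
    print(evaluate(EXAMPLE_ACL, Request("GET", "alice")))                           # in auth DB: read ok
    print(evaluate(EXAMPLE_ACL, Request("DELETE", "bob", frozenset({"editors"}))))  # write+delete: ok
    print(evaluate(BROKEN_ACL, Request("GET", "alice")))                            # denied by the absolute deny
```

The two lists differ only in the Continue checkbox on the first ACE, which is the setting most likely to be wrong in practice: with it unchecked the deny is absolute and every allow beneath it is dead configuration, so anyone testing the ACL as an authenticated user sees a lock-out rather than the intended read-only access.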