Specifying Users and Groups (Sun Java System Web Server 6.1 SP11 Administrator's Guide)

Sun Java System Web Server 6.1 SP11 Administrator's Guide

Specifying Users and Groups

With user and group authentication, users are prompted to enter a username and password before they can access the resource specified in the access control rule.

Sun Java System Web Server checks lists of users and groups stored either in an LDAP server, such as Sun Java System Directory Server, or in an internal file-based authentication database.

You can allow or deny access to everyone in the database, you can allow or deny specific people by using wildcard patterns, or you can select who to allow or deny from lists of users and groups.

Anyone (No Authentication) is the default and means anyone can access the resource without having to enter a username or password. However, the user might be denied access based on other settings, such as host name or IP address. For the Administration Server, this means that anyone in the administrators group that you specified with distributed administration can access the pages.
Authenticated people only
- All in the authentication database matches any user who has an entry in the database.
- Only the following people lets you specify which users and groups to match. You can list users or groups of users in a comma separated list, or with a wildcard pattern, or you can select from the lists of users and groups stored in the database. Group refers to all users in the groups you specify. User refers to the individual users you specify. For the Administration Server, the users must also be in the administrators group you specified for distributed administration.
Prompt for authentication allows you to enter message text that appears in the authentication dialog box. You can use this text to describe what the user needs to enter. Depending on the operating system, the user sees approximately about the first 40 characters of the prompt. Netscape Navigator and Netscape Communicator cache the username and password, and associate them with the prompt text. When the user accesses files and directories of the server having the same prompt, the usernames and passwords do not need to be entered again. If you want users to authenticated again for specific files and directories, you simply need to change the prompt for the ACL for that resource.
Authentication Methods specifies the method the server uses for getting authentication information from the client. The Administration Server offers only the Basic method of authentication.
- Default uses the default method you specify in the obj.conf file, or “Basic” if there is no setting in obj.conf. If you check Default, the ACL rule doesn’t specify a method in the ACL file. Choosing Default allows you to easily change the methods for all ACLs by editing one line in the obj.conf file.
- Basic uses the HTTP method to get authentication information from the client. The username and password are only encrypted if encryption is turned on for the server.
- SSL uses the client certificate to authenticate the user. To use this method, SSL must be turned on for the server. When encryption is on, you can combine Basic and SSL methods.
- Digest uses the an authentication mechanism that provides a way for a browser to authenticate based on username and password without sending the username and password as cleartext. The browser uses the MD5 algorithm to create a digest value using the user’s password and some information provided by the Web Server. This digest value is also computed on the server side using the Digest Authentication plug-in and compared against the digest value provided by the client.
- Other uses a custom method you create using the access control API.
Authentication Database lets you select a database the server uses to authenticate users. This option is only available through the Server Manager. If you choose Default, the server looks for users and groups in a directory service configured as default. If you wish to configure individual ACLs to use different databases, select Other, and choose the database from the drop-down list. Non-default databases and LDAP directories need to have been specified in the file server_root/userdb/dbswitch.conf. If you use the access control API for a custom database, such as Oracle or Informix, select Other, and enter the database name.