Sun Java System Web Server 6.1 SP11 Administrator's Guide

Overview of ACL-based Access Control

ACL-based access control is described at length in Chapter 10, Controlling Access to Your Server. The following section provides a brief overview of the key concepts.

Sun Java System Web Server 6.1 supports authentication and authorization through the use of locally stored access control lists (ACLs), which describe what access rights a user has for a resource. For example, an entry in an ACL can grant a user named John read permission to a particular folder, misc:

acl "path=/export/user/990628.1/docs/misc/";
  authenticate (user,group) {
     database = "default";
     method = "basic";
  };
  deny (all) (user="anyone");
  allow (read) (user = "John");
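
To make the evaluation of such an entry concrete, the following Python example (added here; it is not code from the guide or from the product) parses the ACL shown above and answers whether a given user holds a given right. It assumes that statements are evaluated in file order with the last matching statement deciding, that `user="anyone"` matches every requester, and that a right of `all` covers every right; the ACL text is the page's example, re-typed with straight quotes.

```python
import re

# Constructed sample: the ACL entry shown above, with straight quotes.
SAMPLE_ACL = '''
acl "path=/export/user/990628.1/docs/misc/";
  authenticate (user,group) {
     database = "default";
     method = "basic";
  };
  deny (all) (user="anyone");
  allow (read) (user = "John");
'''

# Matches statements of the form:  allow|deny (rights) (user="name");
RULE_RE = re.compile(
    r'^\s*(allow|deny)\s*\(([^)]*)\)\s*\(\s*user\s*=\s*"([^"]*)"\s*\)\s*;')
METHOD_RE = re.compile(r'method\s*=\s*"([^"]*)"')


def parse_acl(text):
    """Return (auth_method, rules); each rule is (action, rights, user)."""
    method = METHOD_RE.search(text)
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            action, rights, user = m.groups()
            rules.append((action, {r.strip() for r in rights.split(",")}, user))
    return (method.group(1) if method else None), rules


def is_allowed(rules, user, right):
    """Walk the rules in order; the last matching statement wins (assumption).

    With no matching statement the answer is deny, i.e. the check fails closed.
    """
    decision = "deny"
    for action, rights, who in rules:
        user_matches = who == "anyone" or who == user   # "anyone" = everybody (assumption)
        right_matches = "all" in rights or right in rights
        if user_matches and right_matches:
            decision = action
    return decision == "allow"


if __name__ == "__main__":
    method, rules = parse_acl(SAMPLE_ACL)
    print("auth method:", method)
    for who, right in (("John", "read"), ("John", "write"), ("Mary", "read")):
        print(who, right, "->", "allow" if is_allowed(rules, who, right) else "deny")
```

Running it shows that only John gets read access to misc; any other user, and John for any other right, falls through to the deny statement.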

The core ACLs in Sun Java System Web Server 6.1 support three types of authentication: basic, SSL, and digest.

Basic authentication relies on lists of user names and passwords passed as cleartext. The SSL method requires the browser to have a user certificate, which contains the user’s public key and other user information such as name, email, and so on. Digest authentication uses cryptographic techniques to protect the user’s credentials.

The main features of the ACL-based access control model are described below:

In addition, the Sun Java System Web Server 6.1 SSL engine supports external crypto hardware to offload SSL processing and provides optional tamper-resistant key storage.

For more information about access control and the use of external crypto hardware, see Chapter 9, Controlling Access to Your Server.