How Access Control Works
When the server receives a request for a page, it uses the rules in the ACL file to determine whether to grant access or not. The rules can refer to the hostname or IP address of the computer sending the request. The rules can also refer to a list of users and groups stored in the LDAP directory.
For example, the following ACL file contains the two default entries for the Administration Server (admin-serv), in addition to an entry that allows users in the “admin-reduced” group to access the Preferences tab in the Administration Server.
version 3.0;
# The following "es-internal" rules protect files such
# as icons and images related to Sun Java System Web Server.
# These "es-internal" rules should not be modified.
acl "es-internal";
allow (read, list, execute,info) user = "anyone";
deny (write, delete) user = "anyone";
# The following "default" rules apply to the entire document
# directory of Sun Java System Web Server. In this example, the rules
# are set up so that "all" users in the directory server are
# allowed to read, execute, list, and get information.
# The "all" users are not allowed to write to or delete any files.
# All clients that accesses the document directory of the web
# server will be required to submit a username and password
# since this example is using the "basic" method of
# authentication. A client must be in the directory server
# to gain access to this default directory since "anyone"
# not in the directory server is denied, and "all" in the
# directory server are allowed.
acl "default";
authenticate (user,group) {
database = "default";
method = "basic";
};
deny (all)
(user = "anyone");
allow (read,execute,list,info)
(user = "all");
# The following rules deny access to the directory "web"
# to everyone not in the directory server and deny everyone
# in the directory server who is not in GroupB.
# Only the users in GroupB are allowed read, execute, list,
# and info permissions. GroupA can not gain access to the
# directory "web" even though (in the ACL rule below) they
# can access the directory “my_stuff”. Furthermore, members
# of GroupB can not write or delete files.
acl "path=/export/user/990628.1/docs/my_stuff/web/";
authenticate (user,group) {
database = "default";
method = "basic";
};
deny (all)
(user = "anyone");
allow (read,execute,list,info)
(group = "GroupB");
# The following rule denies everyone not in the directory
# server and denies everyone in the directory server except
# user with the ID of "SpecificMemberOfGroupB". The ACL rule
# in this setting also has a requirement that the user
# connect from a specific IP address. The IP address setting
# in the rule is optional; it has been added to for extra
# security. Also, this ACl rule has a Customized prompt
# of "Presentation Owner". This Customized prompt appears
# in the username and password dialog box in the client’s
# browser.
acl "path=/export/user/990628.1/docs/my_stuff/web/presentation.html";
authenticate (user,group) {
database = "default";
method = "basic";
prompt = "Presentation Owner";
};
deny (all)
(user = "anyone" or group = "my_group");
allow (all)
(user = "SpecificMemberOfGroupB") and
(ip = "208.12.54.76");
# The following ACL rule denies everyone not in the directory
# server and everyone in the directory server except for
# GroupA and GroupB access to the directory “my_stuff”
acl "path=/export/user/990628.1/docs/my_stuff/";
authenticate (user,group) {
database = "default";
method = "basic";
};
deny (all)
(user = "anyone");
allow (read,execute,list,info)
(group = "GroupA,GroupB");
|
For example, if a user requests the URL: http://server_name/my_stuff/web/presentation.html
The Sun Java System Web Server first checks access control for the entire server. If the ACL for the entire server set to continue, the server checks for an ACL associated with the my_stuff directory. If an ACL exists, the server checks the ACEs within the ACL, and then moves on to the next directory. This process continues until an ACL is found that denies access, or until the final ACL for the requested URL (in this case, the presentation.html file) is scanned.
To set up access control for the example above using the Server Manager, you could create an ACL for the file only, or for each resource leading to the file. That is, one for the entire server, one for the my_stuff directory, one for the my_stuff/web directory, and one for the file.
Note –
If more than one ACL matchs, the server uses the last ACL statement that is matched. The default ACL is bypassed since the uri ACL is the last statement that matches.
- © 2010, Oracle Corporation and/or its affiliates