Sun Java System Web Server 6.1 SP11 Administrator's Guide

Creating ACLs For File-based Authentication

The Sun Java System Web Server 6.1 supports the use of file-based authentication databases, which store user and group information in text format in flat files. The ACL framework is designed to work with the file authentication database.


Note –

The Sun Java System Web Server 6.1 does not support dynamic flat files. The flat file database is loaded when the server starts up. Changes to the files come into effect only when the server restarts.


An ACL entry can refer to a user database using the database keyword. For example:

acl "default";
    authenticate (user) {
...
    database="myfile";
...
};

The database myfile can be referenced in the USERDB element of a VS in server.xml where it is linked with a corresponding definition in the server-root/userdb/dbswitch.conf file. For example:

<VS>
...
    <USERDB id="myfile" database="myfiledb">
...
</VS>

In the server-root/userdb/dbswitch.conf file there is an entry which defines the auth-db file and its configuration. For example:

directory myfiledb file
myfiledb:syntax keyfile
myfiledb:keyfile /path/to/config/keyfile

The table below lists the parameters supported by the file authentication database.

Table 9–2 Parameters supported by the File Authentication Database

syntax
    [Optional] Value is either keyfile, digest or htaccess. If not specified, defaults to keyfile.

keyfile
    [Required if syntax=keyfile] Path to the file containing user data.

digestfile
    [Required if syntax=digest] Path to the file containing user data for digest authentication.

groupfile
    [Required if syntax=htaccess] Path to the AuthGroupFile.

userfile
    [Required if syntax=htaccess] Path to the AuthUserFile.
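Because the flat files are only read at start-up, a dbswitch.conf entry that is missing a parameter Table 9–2 marks as required is not noticed until the restart that was meant to apply it. The script below is an added example, not part of the guide or the server: it parses the "directory name file" entries of a dbswitch.conf text and checks each one against the table. The dbswitch.conf fragment it reads is constructed for the example (the database names and paths are invented); the parameter names and the keyfile default are the ones the table gives.

```python
# Added example (not part of the guide): pre-flight check of the file
# authentication database entries in dbswitch.conf against Table 9-2, so a
# missing required parameter is caught before the restart that loads the files.
import re
from typing import Dict, List

# Required parameters per syntax, as given in Table 9-2.
REQUIRED = {
    "keyfile": {"keyfile"},
    "digest": {"digestfile"},
    "htaccess": {"userfile", "groupfile"},
}
KNOWN_PARAMS = {"syntax", "keyfile", "digestfile", "userfile", "groupfile"}

# Constructed dbswitch.conf fragment: one valid entry per syntax, one entry
# that relies on the keyfile default, and one htaccess entry missing groupfile.
SAMPLE_DBSWITCH = """\
directory myfiledb file
myfiledb:syntax keyfile
myfiledb:keyfile /path/to/config/keyfile

directory mydigestfile file
mydigestfile:syntax digest
mydigestfile:digestfile /path/to/config/digestfile

directory myhtaccessfile file
myhtaccessfile:syntax htaccess
myhtaccessfile:userfile /path/to/config/htusers
myhtaccessfile:groupfile /path/to/config/htgroups

directory defaultdb file
defaultdb:keyfile /path/to/config/keyfile

directory broken file
broken:syntax htaccess
broken:userfile /path/to/config/htusers
"""

DIRECTORY_RE = re.compile(r"^directory\s+(\S+)\s+(\S+)\s*$")
PARAM_RE = re.compile(r"^([^:\s]+):(\S+)\s+(.+?)\s*$")


def parse_dbswitch(text: str) -> Dict[str, Dict[str, str]]:
    """Return {db_name: {param: value}} for every 'directory <name> file' entry.
    Entries of other types (for example ldap) are skipped with their parameters."""
    dbs: Dict[str, Dict[str, str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = DIRECTORY_RE.match(line)
        if m:
            if m.group(2) == "file":
                dbs[m.group(1)] = {}
            continue
        m = PARAM_RE.match(line)
        if m and m.group(1) in dbs:
            dbs[m.group(1)][m.group(2)] = m.group(3)
    return dbs


def check_entry(name: str, params: Dict[str, str]) -> List[str]:
    """List the problems with one entry; an empty list means it satisfies Table 9-2."""
    syntax = params.get("syntax", "keyfile")  # per the table: defaults to keyfile
    if syntax not in REQUIRED:
        return [f"{name}: unknown syntax '{syntax}'"]
    problems = [f"{name}: syntax={syntax} requires '{p}'"
                for p in sorted(REQUIRED[syntax] - set(params))]
    problems += [f"{name}: unknown parameter '{p}'"
                 for p in sorted(set(params) - KNOWN_PARAMS)]
    return problems


def validate(text: str) -> Dict[str, List[str]]:
    """Problems per file-based database name, for a whole dbswitch.conf text."""
    return {name: check_entry(name, params)
            for name, params in parse_dbswitch(text).items()}


if __name__ == "__main__":
    for name, problems in validate(SAMPLE_DBSWITCH).items():
        print(name, "OK" if not problems else "; ".join(problems))
```

Running it on the constructed fragment reports the four complete entries as OK and flags "broken" for lacking groupfile; the same check against the real server-root/userdb/dbswitch.conf is a cheap step before a restart.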


Caution –

The maximum length of a line in a file authentication database file (htaccess, digestfile or keyfile) is 255.

If any line exceeds this limit, the server fails to start and an error is logged in the log file.



Note –

Ensure that the following pre-conditions are met before you attempt to set ACLs using a file-based authentication database:


Creating an ACL for a Directory Service Based on File Authentication

To create an ACL entry for a directory service based on file authentication, perform the following steps:

Procedure: To create an ACL entry for a directory service based on file authentication

  1. Access the Server Manager and select the server instance for which you want to create or edit ACLs.

  2. Choose the Preferences tab from the Server Manager.

  3. Click the Restrict Access link.

  4. From the Option column, choose the ACL file from the drop-down list and click Edit ACL.

  5. In the Access Control Rules page in the top frame, click the Users/Groups link for the ACL you want to edit.

  6. In the User/Group page in the bottom frame, from the Authentication database drop-down list, select keyfile.

  7. Click Update.

    When you set an ACL against a keyfile-based file authentication database, the dbswitch.conf file is updated with an ACL entry, like the sample entry given below:


    version 3.0;
    acl "default";
        authenticate (user) {
            prompt = "Sun One Web Server 6.1";
            database = "mykeyfile";
            method = "basic";
        };
        deny (all) user = "anyone";
        allow (all) user = "all";

Creating an ACL for a Directory Service Based on .htaccess Authentication

The Sun Java System Web Server provides support for .htaccess-based flat file authentication. If you have been using .htaccess authentication, you can migrate your existing data files to the file authentication database without changing them. As noted in Using .htaccess Files, .htaccess user and group data can be stored in a single file or split into two files (one with user data and the other with group data). Both existing formats are supported by the file authentication database.

To create an ACL for a directory service based on htaccess authentication, perform the following steps:

Procedure: To create an ACL for a directory service based on htaccess authentication

  1. Access the Server Manager and select the server instance you wish to create or edit ACLs for.

  2. Choose the Preferences tab from the Server Manager.

  3. Click the Restrict Access link.

  4. Under the Option column, choose the ACL file from the drop-down list and click Edit ACL.

  5. In the Access Control Rules page in the top frame, click the Users/Groups link for the ACL you want to edit.

  6. In the User/Group page in the bottom frame, from the Authentication database drop-down list, select htaccess.

  7. Click Update.

    When you set an ACL against an htaccess-based file authentication database, the dbswitch.conf file is updated with an ACL entry such as the sample entry given below:


    version 3.0;
    acl "default";
        authenticate (user) {
            prompt = "Sun One Web Server 6.1";
            database = "myhtaccessfile";
            method = "basic";
        };
        deny (all) user = "anyone";
        allow (all) user = "all";

Migrating Existing .htaccess information to the File Authentication Database

To migrate your existing .htaccess information to the file authentication database in the Sun Java System Web Server 6.1:

The user file format is as follows:

#user:password

The group file format is as follows:

#group1:user1 user2
#group2:user3 user4

Note –

Member names are separated by spaces.


When userfile and groupfile have the same file name, they are combined. Each line of the combined file follows the syntax shown below:

#user:password:group1,group2

Note –

Columns are separated by colons.


Sample htaccess databases

Sample 1

#sample userfile (user/password "j2ee/j2eepwd", user/password "user1/user1pwd")
j2ee:9hmjfRwNxvJLU
user1:wvQirF86BsjSk

Sample 2

#sample group file
staff:j2ee  user1
eng:j2ee

Sample 3

#sample user/group file (username "j2ee", user password "j2eepwd")
j2ee:9hmjfRwNxvJLU:staff,eng
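The three layouts above (separate user file, separate group file, combined user:password:group1,group2 file) and the 255-character line limit from the Caution are easy to get wrong by hand, and a bad file only shows up as a server that will not start. The loader below is an added example, not the server's own code: it reads all three layouts, rejects any file with an over-long line before looking at its contents, and builds the user-to-group lookup an ACL rule needs. Its inputs are the three samples from this section, embedded as strings; the check that each password field is a 13-character crypt(3) hash is an assumption drawn from the sample values, not a documented rule of the file format.

```python
# Added example (not the server's own loader): reads the three .htaccess-style
# file layouts described above and applies the 255-character line limit from
# the Caution, so a file that would stop the server from starting is caught
# before the restart. The password check assumes the 13-character crypt(3)
# hashes seen in the samples.
import re
from typing import Dict, List, Set, Tuple

MAX_LINE = 255
CRYPT_RE = re.compile(r"^[./0-9A-Za-z]{13}$")

# Constructed inputs, copied from Samples 1 to 3 above.
USERFILE = """\
#sample userfile (user/password "j2ee/j2eepwd", user/password "user1/user1pwd")
j2ee:9hmjfRwNxvJLU
user1:wvQirF86BsjSk
"""
GROUPFILE = """\
#sample group file
staff:j2ee  user1
eng:j2ee
"""
COMBINED = """\
#sample user/group file (username "j2ee", user password "j2eepwd")
j2ee:9hmjfRwNxvJLU:staff,eng
"""


class AuthFileError(ValueError):
    pass


def overlong_lines(text: str) -> List[int]:
    """Line numbers longer than MAX_LINE; any hit means the server would refuse to start."""
    return [n for n, line in enumerate(text.splitlines(), 1) if len(line) > MAX_LINE]


def _data_lines(text: str):
    """Yield (lineno, line) for non-comment, non-blank lines, after the length check."""
    bad = overlong_lines(text)
    if bad:
        raise AuthFileError(f"lines exceed {MAX_LINE} characters: {bad}")
    for n, line in enumerate(text.splitlines(), 1):
        if line.strip() and not line.lstrip().startswith("#"):
            yield n, line.rstrip()


def load_users(text: str) -> Dict[str, str]:
    """user:password -> {user: hash}"""
    users: Dict[str, str] = {}
    for n, line in _data_lines(text):
        user, sep, pwhash = line.partition(":")
        if not (sep and user and pwhash):
            raise AuthFileError(f"line {n}: expected user:password")
        if not CRYPT_RE.match(pwhash):
            raise AuthFileError(f"line {n}: password for {user!r} is not a crypt(3) hash")
        users[user] = pwhash
    return users


def load_groups(text: str) -> Dict[str, Set[str]]:
    """group:user1 user2 -> {group: {members}}; member names are separated by spaces"""
    groups: Dict[str, Set[str]] = {}
    for n, line in _data_lines(text):
        group, sep, members = line.partition(":")
        if not (sep and group):
            raise AuthFileError(f"line {n}: expected group:members")
        groups[group] = set(members.split())
    return groups


def load_combined(text: str) -> Tuple[Dict[str, str], Dict[str, Set[str]]]:
    """user:password:group1,group2 -> (users, groups); columns are separated by colons"""
    users: Dict[str, str] = {}
    groups: Dict[str, Set[str]] = {}
    for n, line in _data_lines(text):
        cols = line.split(":")
        if len(cols) != 3 or not cols[0] or not CRYPT_RE.match(cols[1]):
            raise AuthFileError(f"line {n}: expected user:password:groups")
        user, pwhash, grouplist = cols
        users[user] = pwhash
        for g in filter(None, grouplist.split(",")):
            groups.setdefault(g, set()).add(user)
    return users, groups


def groups_of(user: str, groups: Dict[str, Set[str]]) -> Set[str]:
    """Groups a user belongs to, the lookup an ACL 'group =' rule needs."""
    return {g for g, members in groups.items() if user in members}


if __name__ == "__main__":
    users, groups = load_users(USERFILE), load_groups(GROUPFILE)
    print(users, groups, groups_of("user1", groups))
    print(load_combined(COMBINED))
```

Note that the combined loader produces the same group membership for j2ee as the two separate files do, which is what allows a single file to replace the pair without changing ACL rules.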

Creating an ACL for a Directory Service Based on Digest Authentication

The file authentication database also supports a file format suitable for use with digest authentication per RFC 2617. A hash based on the password and realm is stored. Clear text passwords are not maintained.
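The following is an added example, not the server's code, of the RFC 2617 arithmetic behind that paragraph: the digest file can hold HA1 = MD5(user:realm:password) instead of the password because HA1 alone is enough for the server to check a client's digest response. It also shows the caveat that follows from this: the stored value is bound to the realm, so changing the realm (the prompt in the ACL) invalidates every stored entry. The store is a plain dict because this section does not show the digest file's on-disk layout (an assumption); the realm "filerealm" is the prompt from the digest ACL sample further down, the user and password are the ones from the htaccess samples, and the nonce is a constructed value.

```python
# Added example, not the server's code: the RFC 2617 computation behind a
# digest file that stores HA1 = MD5(user:realm:password). That hash alone lets
# the server verify a client's response, so no clear-text password is kept.
# The digest file's on-disk layout is not shown in this section, so the store
# here is a plain dict (an assumption).
import hashlib
import hmac
from typing import Dict, Optional


def md5hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def make_ha1(user: str, realm: str, password: str) -> str:
    """What the digest file keeps for each user. It is tied to the realm, so a
    new realm (the ACL prompt) means re-creating every entry."""
    return md5hex(f"{user}:{realm}:{password}")


def expected_response(ha1: str, method: str, uri: str, nonce: str,
                      nc: Optional[str] = None, cnonce: Optional[str] = None,
                      qop: Optional[str] = None) -> str:
    """RFC 2617 section 3.2.2.1: request-digest with and without qop=auth."""
    ha2 = md5hex(f"{method}:{uri}")
    if qop == "auth":
        return md5hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return md5hex(f"{ha1}:{nonce}:{ha2}")


def verify(store: Dict[str, str], realm: str, method: str,
           params: Dict[str, str]) -> bool:
    """Server-side check of a parsed Authorization: Digest header against stored HA1s."""
    ha1 = store.get(params.get("username", ""))
    if ha1 is None or params.get("realm") != realm:
        return False
    want = expected_response(ha1, method, params.get("uri", ""), params.get("nonce", ""),
                             params.get("nc"), params.get("cnonce"), params.get("qop"))
    # constant-time comparison of the two hex digests
    return hmac.compare_digest(want, params.get("response", ""))


def client_response(user: str, password: str, realm: str, method: str, uri: str,
                    nonce: str, cnonce: str = "0a4f113b", nc: str = "00000001") -> Dict[str, str]:
    """What a browser sends for qop=auth; used here only to build test requests."""
    ha1 = make_ha1(user, realm, password)
    return {"username": user, "realm": realm, "uri": uri, "nonce": nonce,
            "nc": nc, "cnonce": cnonce, "qop": "auth",
            "response": expected_response(ha1, method, uri, nonce, nc, cnonce, "auth")}


# Constructed store: realm "filerealm" matches the prompt in the digest ACL sample below.
REALM = "filerealm"
DIGEST_STORE = {"j2ee": make_ha1("j2ee", REALM, "j2eepwd")}

if __name__ == "__main__":
    nonce = "dcd98b7102dd2f0e8b11d0f600bfb0c093"  # server-issued in the 401 challenge
    req = client_response("j2ee", "j2eepwd", REALM, "GET", "/secure/", nonce)
    print(verify(DIGEST_STORE, REALM, "GET", req))  # True
```

The verify function never sees a password: it only needs the stored HA1, the realm it is serving and the request line. Verifying against a different realm fails even with the right password, which is the operational reason a realm change has to be paired with regenerating the digest file.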

To create an ACL for a directory service based on digest authentication, perform the following steps:

Procedure: To create an ACL for a directory service based on digest authentication

  1. Access the Server Manager and select the server instance you wish to create or edit ACLs for.

  2. Choose the Preferences tab from the Server Manager.

  3. Click the Restrict Access link.

  4. Under the Option column, choose the ACL file from the drop-down list and click Edit ACL.

  5. In the Access Control Rules page in the top frame, click the Users/Groups link for the ACL you want to edit.

  6. In the User/Group page in the bottom frame, from the Authentication database drop-down list, select digest.

  7. Click Update.

    When you set an ACL against a digest-based file authentication database, the dbswitch.conf file is updated with an ACL entry such as the sample entry given below:


    version 3.0;
    acl "default";
        authenticate (user) {
            prompt = "filerealm";
            database = "mydigestfile";
            method = "digest";
        };
        deny (all) user = "anyone";
        allow (all) user = "all";