Sun Java System Web Server 6.1 SP11 Administrator's Guide

Hierarchy of Authorization Statements

ACLs have a hierarchy that depends on the resource. For example, if the server receives a request for the document (URI) /my_stuff/web/presentation.html, the server builds a list of ACLs that apply for this URI. The server first adds ACLs listed in "check-acl" statements of its obj.conf file. Then the server appends matching URI and PATH ACLs.

The server processes this list in the same order. Unless "absolute" ACL statements are present, all statements are evaluated in order. If an "absolute allow" or "absolute deny" statement evaluates to "true", the server stops processing and accepts this result.

If more than one ACL matches, the server uses the last statement that matches. However, if you use an absolute statement, then the server stops looking for other matches and uses the ACL containing the absolute statement. If you have two absolute statements for the same resource, the server uses the first one in the file and stops looking for other resources that match.

version 3.0;
acl "default";
authenticate (user,group) {
     prompt="Web Server";
};
allow (read,execute,list,info)
     user = "anyone";
allow (write,delete)
     user = "all";
acl "uri=/my_stuff/web/presentation.html";
deny (all)
     user = "anyone";
allow (all)
     user = "joe";
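
The evaluation order described above can be traced with a small model. This is an added example, not code from the server or from this guide: it applies the last-match-wins rule and the absolute short-circuit to the two ACLs in the listing. Assumptions: "anyone" matches every request, "all" matches any authenticated user, a request that matches no statement is denied, and the user "ann" and the absolute variant of the URI ACL are constructed for the illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Stmt:
    effect: str             # "allow" or "deny"
    rights: tuple           # rights named in the statement; "all" covers every right
    user: str               # "anyone", "all" (any authenticated user) or a user name
    absolute: bool = False  # True for "absolute allow" / "absolute deny"

def matches(stmt, user, right):
    """user is None for an unauthenticated request."""
    if "all" not in stmt.rights and right not in stmt.rights:
        return False
    if stmt.user == "anyone":
        return True
    if stmt.user == "all":
        return user is not None
    return user == stmt.user

def evaluate(statements, user, right):
    decision = "deny"  # assumption of this sketch: nothing matched means no access
    for stmt in statements:
        if matches(stmt, user, right):
            decision = stmt.effect      # a later match overrides an earlier one
            if stmt.absolute:
                break                   # absolute statement: stop and accept this result
    return decision

# The two ACLs from the listing above, in file order.
DEFAULT = [
    Stmt("allow", ("read", "execute", "list", "info"), "anyone"),
    Stmt("allow", ("write", "delete"), "all"),
]
URI = [
    Stmt("deny", ("all",), "anyone"),
    Stmt("allow", ("all",), "joe"),
]
# Constructed variant: the same URI ACL with its deny made absolute.
URI_ABSOLUTE_DENY = [
    Stmt("deny", ("all",), "anyone", absolute=True),
    Stmt("allow", ("all",), "joe"),
]

if __name__ == "__main__":
    for user in ("joe", "ann", None):
        print(user, evaluate(DEFAULT + URI, user, "read"),
              evaluate(DEFAULT + URI_ABSOLUTE_DENY, user, "read"))
```

With the listing as written, joe is allowed because his allow statement is the last match; if the deny were absolute, evaluation would stop there and joe would be denied as well.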