Sun Java System Web Server 6.1 SP12 Programmer's Guide to Web Applications

ACL-based Authentication and Authorization

ACL-based access control is described at length in the Sun Java System Web Server 6.1 Administrator’s Guide. This section provides a brief overview of the key concepts.

Sun Java System Web Server 6.1 supports authentication and authorization through the use of locally stored access control lists (ACLs), which describe what access rights a user has for a resource. For example, an entry in an ACL can grant a user named John read permission to a particular folder named misc:

  # ACL bound to a directory path: authenticate with basic auth against the
  # "default" user database, deny everyone, then grant John read access
  acl "path=/export/user/990628.1/docs/misc/";
  authenticate (user,group) {
      database = "default";
      method = "basic";
  };
  deny (all) (user = "anyone");
  allow (read) (user = "John");

The core ACLs in Sun Java System Web Server 6.1 support three types of authentication: basic, certificate, and digest.
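To make the rule semantics above concrete, here is an added example (not code from the guide or from the server) that parses the allow/deny rules of an ACL file in the syntax shown above and answers "does this user hold this right?". It assumes deny-by-default, that the last matching rule for a right wins, and that "anyone" matches every request while "all" matches any authenticated user.

```python
import re
from dataclasses import dataclass

# Constructed sample in the Sun Java System Web Server ACL file syntax; the
# deny/allow pair mirrors the page's example (grant John read on the folder).
SAMPLE_ACL = '''
acl "path=/export/user/990628.1/docs/misc/";
authenticate (user,group) {
    database = "default";
    method = "basic";
};
deny (all) (user = "anyone");
allow (read) (user = "John");
'''

ALL_RIGHTS = frozenset({"read", "write", "execute", "delete", "list", "info"})

# allow|deny (rights) (user|group = "value");  -- parentheses around the
# expression are optional, so they are matched with \(? and \)?
RULE_RE = re.compile(
    r'(allow|deny)\s*\(([^)]*)\)\s*\(?\s*(user|group)\s*=\s*"([^"]*)"\s*\)?\s*;')


@dataclass
class Rule:
    action: str        # "allow" or "deny"
    rights: frozenset  # rights the rule covers, with "all" expanded
    attr: str          # "user" or "group"
    value: str         # a name, or the keywords "anyone" / "all"


def parse_rules(text):
    """Extract allow/deny rules in file order; authenticate blocks are skipped."""
    rules = []
    for action, rights, attr, value in RULE_RE.findall(text):
        names = {r.strip() for r in rights.split(",")}
        expanded = ALL_RIGHTS if "all" in names else frozenset(names)
        rules.append(Rule(action, expanded, attr, value))
    return rules


def matches(rule, user, groups):
    """Assumed semantics: "anyone" matches everyone, "all" any authenticated user."""
    if rule.attr == "user":
        return rule.value == "anyone" or (user is not None and rule.value in ("all", user))
    return rule.value in groups


def check(rules, user, groups, right):
    """Deny by default; the last rule that covers the right and matches decides."""
    decision = False
    for rule in rules:
        if right in rule.rights and matches(rule, user, groups):
            decision = rule.action == "allow"
    return decision
```

Running `check(parse_rules(SAMPLE_ACL), "John", set(), "read")` returns True, while the same call for "write", for another user, or for an unauthenticated request returns False.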

Basic authentication relies on lists of user names and passwords that are passed as cleartext. Certificates bind a name to a public key. Digest authentication uses cryptographic techniques to protect the user’s credentials in transit instead of sending them as cleartext.

The main features of the ACL-based access control model are described below:

In addition, the Sun Java System Web Server 6.1 SSL engine supports external crypto hardware to offload SSL processing and to provide optional tamper-resistant key storage.

For more information about access control and the use of external crypto hardware, see the Sun Java System Web Server 6.1 SP12 Administrator’s Guide.