Oracle iPlanet Web Proxy Server 4.0.14 Administration Guide

Hierarchy of Authorization Statements

The hierarchy in ACLs depends on the resource. When the server receives a request for a specific resource, it builds a list of ACLs that apply to that resource. The server first adds the named ACLs listed in check-acl statements of its obj.conf file. It then appends matching path and resource ACLs. The server processes this list in the order in which it was built. Unless “absolute” ACL statements are present, all statements are evaluated in order. If an “absolute allow” or “absolute deny” statement evaluates to “true,” the server stops processing and accepts this result.

If more than one ACL matches, the server uses the last statement that matches. However, if you use an absolute statement, then the server stops looking for other matches and uses the ACL containing the absolute statement. If you have two absolute statements for the same resource, the server uses the first statement in the file and stops looking for other resources that match.


version 3.0;
acl "default";
authenticate (user,group)
	{ prompt="iPlanet Web Proxy Server";};
allow (read,execute,list,info)
	user = "anyone";
allow (write,delete)
	user = "all";

acl "http://*.*";
deny (all)
	user = "anyone";
allow (all)
	user = "joe";
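
The evaluation order described above, applied to the two ACLs in this listing, as an added example (a simplified model, not Oracle's code). The names Stmt, evaluate, S, PAGE_ACLS and ABSOLUTE_VARIANT are hypothetical; the model assumes the "default" ACL is reached through a check-acl statement and so comes first, and it returns None when no statement matches.

```python
# Simplified model of the ACL evaluation order (added example, not the
# server's implementation). All names here are hypothetical.
from typing import NamedTuple, Optional

class Stmt(NamedTuple):
    effect: str           # "allow" or "deny"
    rights: frozenset     # rights named in the statement; "all" covers every right
    user: str             # "anyone", "all" (any authenticated user) or a user name
    absolute: bool = False

def user_matches(stmt_user: str, user: Optional[str]) -> bool:
    """user is None for an unauthenticated request."""
    if stmt_user == "anyone":
        return True
    if stmt_user == "all":
        return user is not None
    return stmt_user == user

def evaluate(stmts, right: str, user: Optional[str]) -> Optional[str]:
    decision = None       # assumption: None means no statement matched
    for s in stmts:
        if not ({"all", right} & s.rights and user_matches(s.user, user)):
            continue
        decision = s.effect   # a later matching statement overrides an earlier one
        if s.absolute:        # a matching absolute statement ends processing
            break
    return decision

def S(effect, rights, user, absolute=False):
    return Stmt(effect, frozenset(rights), user, absolute)

# The listing's statements in list order: named ACL first, then the resource ACL.
DEFAULT = [S("allow", ["read", "execute", "list", "info"], "anyone"),
           S("allow", ["write", "delete"], "all")]
PAGE_ACLS = DEFAULT + [S("deny", ["all"], "anyone"),
                       S("allow", ["all"], "joe")]

# Constructed variant: the same list with the deny statement made absolute.
ABSOLUTE_VARIANT = DEFAULT + [S("deny", ["all"], "anyone", absolute=True),
                              S("allow", ["all"], "joe")]

if __name__ == "__main__":
    for who in ("joe", "alice", None):
        print(who, evaluate(PAGE_ACLS, "read", who),
              evaluate(ABSOLUTE_VARIANT, "read", who))
```

With the listing as written, only joe ends with an allow, because his statement is the last one that matches; in the constructed variant the absolute deny matches first and joe is denied as well.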