APPENDIX C

Access Control Definition

The access_control.config file in the $CDS_HOME/deployment/deployment-name/conf directory is used to determine when access to the Content Delivery Server components is allowed. This section uses BNF notation to describe the statements used in the access control file. A description of this notation can be found at http://rfc.net/rfc2234.html.

The access control file contains access control lists, URI groups, and rules. The following code sample shows an example of each of these types of statements.


acl sun {
    host '*.sun.com';
    ip6 ::1;
}
 
uri_group vending_service {
    uri '/vsadmin/main/sync_to_catalog.*';
    uri '/subscriber/mo_push.*';
}
 
access uri '/.*' protocol any method any {
    deny any;
}
 
final access group vending_service protocol any method any {
    allow sun;
}
 

For information on setting up the access control file, see Section 4.17, Control Access by External Systems.

To create your access control statements, use the following rules:


CODE EXAMPLE C-1 BNF Rules for Access Control Statements
acl_def = "acl" acl_name "{" 1*source "}"
 
source = host_name [ nummask ] ";"
host_name = ip4addr | ip6addr | dnsname | "any"
 
nummask = "/" decnumber
 
ip4addr = "ip4" hostnum "." hostnum "." hostnum "." hostnum
ip6addr = "ip6" ipv6_address
 
hostnum = digit [ digit [ digit ] ]
 
decnumber = digit [ decnumber ]
 
digit = "0" | "1" | "2" | "3" | "4" | "5" | "6" | "7" | "8" | "9"
 
dnsname = "host" "'" hostname_string "'"
 
rule = [ "final" ] "access" uri "protocol" 1#protocols
       "method" 1#methods  "{" 1*control "}"
 
uri = "uri" "'" uri_regexp "'" | "group" uri_group_name
 
uri_group = "uri_group" uri_group_name "{" 1*group_def "}"
group_def = "uri" "'" uri_regexp "'" ";"
 
control = ( "allow" | "deny" ) ( acl_name | "any" ) [ "final" ] ";"
 
protocols = "http" | "https" | "any"
 
methods = "get" | "post" | "put" | "any"
 
config = *acl_def *uri_group *rule

The following tokens are not defined using BNF notation:

Both compressed and full forms are supported, for example:


# 12AB:0000:0000:CD30:0000:0000:0000:0000 OR
# 12AB::CD30:0:0:0:0
# 12AB:0:0:CD30::

The URI that is passed to the filter is always a full URI, such as /admin/main or /developer/submit_form. No names or query parameters are entered. The following statements are examples of URIs expressed as regular expressions:

Names can contain alphabetic characters, numbers, or underscores (_), and must not start with a number. String literals used in the configuration definition cannot be used as names.
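
The following validator for the grammar in CODE EXAMPLE C-1 is an added example, not part of the product or of the original documentation. It tokenizes an access control file, walks the BNF rules, checks ip4 and ip6 addresses with Python's ipaddress module, and rejects a rule that references an acl or uri_group that has not been defined. Assumptions: whitespace is insignificant, a "1#" list is comma-separated, a nummask is written as part of the address token, and an undefined reference is an error; parse_config, SAMPLE and NAME are names chosen for this example.

```python
import ipaddress
import re
# Constructed sample: the statements shown at the top of this appendix, compacted.
SAMPLE = """acl sun { host '*.sun.com'; ip6 ::1; }
uri_group vending_service { uri '/vsadmin/main/sync_to_catalog.*'; uri '/subscriber/mo_push.*'; }
access uri '/.*' protocol any method any { deny any; }
final access group vending_service protocol any method any { allow sun; }"""
NAME = r"[A-Za-z_]\w*"  # character rule only; reserved literals are not checked here

def parse_config(text):
    """Return (acls, uri_groups, rules) or raise ValueError; undefined references fail (assumed)."""
    toks = re.findall(r"'[^']*'|[{};']|[^\s{};']+", text)[::-1]  # reversed: pop() is "next"
    acls, groups, rules = {}, {}, []
    def take(*patterns):  # consume one token per pattern, return the last one
        for pattern in patterns:
            tok = toks.pop() if toks else "<EOF>"
            if not re.fullmatch(pattern, tok, re.ASCII):
                raise ValueError(f"expected {pattern}, got {tok!r}")
        return tok
    def block(item):  # "{" 1*( item ";" ) "}"
        take(r"\{")
        out = []
        while not out or toks[-1:] != ["}"]:
            out.append(item())
            take(";")
        take(r"\}")
        return out
    def source():  # host_name; a nummask is accepted only inside the ip4/ip6 token
        kind = take("ip4|ip6|host|any")
        val = kind if kind == "any" else take(r"'[^']*'" if kind == "host" else ".+").strip("'")
        if kind[:2] == "ip" and ipaddress.ip_network(val, strict=False).version != int(kind[2]):
            raise ValueError(f"{val!r} is not an {kind} address")
        return kind, val
    def control():  # ( "allow" | "deny" ) ( acl_name | "any" ) [ "final" ]
        action, who = take("allow|deny"), take("|".join([*acls, "any"]))
        return action, who, toks[-1:] == ["final"] and bool(take("final"))
    while toks:
        kw = take("acl|uri_group|final|access")
        if kw == "acl":
            acls.update({take(NAME): block(source)})  # dict display: name parsed before body
        elif kw == "uri_group":
            groups.update({take(NAME): block(lambda: take("uri", r"'[^']*'")[1:-1])})
        else:  # rule; a "1#" list is read as comma-separated (assumption)
            kind = take("access", "uri|group") if kw == "final" else take("uri|group")
            target = take(r"'[^']*'" if kind == "uri" else "|".join(groups)).strip("'")
            protocols = take("protocol", "(http|https|any)(,(http|https|any))*").split(",")
            methods = take("method", "(get|post|put|any)(,(get|post|put|any))*").split(",")
            rules.append((kw == "final", kind, target, protocols, methods, block(control)))
    return acls, groups, rules
```

Each rule is returned as a tuple of (final, "uri" or "group", target, protocols, methods, controls), and each control as (action, acl name or "any", final).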