Access Control Definition
The access_control.config file in the $CDS_HOME/deployment/deployment-name/conf directory is used to determine when access to the Content Delivery Server components is allowed. This section uses BNF notation to describe the statements used in the access control file. A description of this notation can be found at http://rfc.net/rfc2234.html.
The access control file contains access control lists, URI groups, and rules. The following code sample shows an example of each of these types of statements.
acl sun {
    host '*.sun.com';
    ip6 ::1;
}
uri_group vending_service {
    uri '/vsadmin/main/sync_to_catalog.*';
    uri '/subscriber/mo_push.*';
}
access uri '/.*' protocol any method any {
    deny any;
}
final access group vending_service protocol any method any {
    allow sun;
}
For information on setting up the access control file, see Section 4.2, Control Access by External Systems.
To create your access control statements, use the following rules:
CODE EXAMPLE B-1 BNF Rules for Access Control Statements
acl_def = "acl" acl_name "{" 1*source "}"
source = host_name [ nummask ] ";"
host_name = ip4addr | ip6addr | dnsname | "any"
nummask = "/" decnumber
ip4addr = "ip4" hostnum "." hostnum "." hostnum "." hostnum
ip6addr = "ip6" ipv6_address
hostnum = digit [ digit [ digit ] ]
decnumber = digit [ decnumber ]
digit = "0" | "1" | "2" | "3" | "4" | "5" | "6" | "7" | "8" | "9"
dnsname = "host" "'" hostname_string "'"
rule = [ "final" ] "access" uri "protocol" 1#protocols
       "method" 1#methods "{" 1*control "}"
uri = "uri" "'" uri_regexp "'" | "group" uri_group_name
uri_group = "uri_group" uri_group_name "{" 1*group_def "}"
group_def = "uri" "'" uri_regexp "'" ";"
control = ( "allow" | "deny" ) ( acl_name | "any" ) [ "final" ] ";"
protocols = "http" | "https" | "any"
methods = "get" | "post" | "put" | "any"
config = *acl *uri_group *rule
The following tokens are not defined using BNF notation:
- hostname_string - Domain Name System (DNS) host name that allows the use of asterisks (*) for ambiguous comparison, for example, *.sun.com or cds*.sun.com.
- ipv6_address - RFC 2373 compliant IPv6 address, which is described at http://rfc.net/rfc2373.html.
Both compressed and full forms are supported, for example:
# 12AB:0000:0000:CD30:0000:0000:0000:0000 OR
# 12AB::CD30:0:0:0:0
# 12AB:0:0:CD30::
- uri_regexp - regular expression that is used to match a request URI
The URI that is passed to the filter is always a full URI, such as /admin/main or /developer/submit_form. No names or query parameters are entered. The following statements are examples of URIs expressed as regular expressions:
- acl_name and uri_group_name - string literals
Names can contain alphabetic characters, numbers, or underscores (_), and must not start with a number. String literals used in the configuration definition cannot be used as names.
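A small linter for the statements described above, added here as an illustration and not part of Content Delivery Server or its documentation. It checks only what this appendix states: the rules for names, that each uri_regexp compiles, and that every rule refers to an ACL or URI group that is defined. The lint function and SAMPLE text are constructed for the example, and Python's re module is assumed as a stand-in for the server's regular expression engine.

```python
import re

RESERVED = set("acl uri_group access final uri group protocol method allow deny any "
               "host ip4 ip6 http https get post put".split())  # literals from the BNF rules
NAME = re.compile(r"[A-Za-z_][A-Za-z0-9_]*\Z")                  # must not start with a number
TOKEN = re.compile(r"'[^']*'|[{};]|[^\s{};']+")                 # quoted string, punctuation, bare word
# Constructed sample with four deliberate mistakes (not from the original page).
SAMPLE = """
acl 1partner { host '*.example.com'; }
uri_group billing { uri '/billing/(export.*'; }
access uri '/.*' protocol any method any { deny any; }
final access group vending protocol https method post { allow partner; }
"""

def lint(config):
    """Return a list of problems in access control text; an empty list means clean."""
    toks, problems, uses = TOKEN.findall(config), [], []
    defined = {"acl": set(), "uri_group": set()}
    def check_regexp(quoted):
        try:  # assumption: Python's re stands in for the server's regex engine
            re.compile(quoted[1:-1])
        except re.error as err:
            problems.append(f"bad uri regexp {quoted}: {err}")
    i = 0
    while i < len(toks):
        if "{" not in toks[i:] or "}" not in toks[toks.index("{", i):]:
            problems.append("unterminated statement: " + " ".join(toks[i:i + 3]))
            break
        start = toks.index("{", i)
        end = toks.index("}", start)
        head, body = toks[i:start], toks[start + 1:end]
        if len(head) == 2 and head[0] in defined:  # acl NAME {...} or uri_group NAME {...}
            kind, name = head
            if not NAME.match(name) or name in RESERVED:
                problems.append(f"invalid {kind} name: {name}")
            defined[kind].add(name)
            for tok in body:
                if kind == "uri_group" and tok.startswith("'"):
                    check_regexp(tok)
        elif "access" in head:  # [final] access (uri 'RE' | group NAME) ... { allow|deny NAME; }
            sel, arg = (head[head.index("access") + 1:] + ["", ""])[:2]
            if sel == "group":
                uses.append(("uri_group", arg))
            elif sel == "uri":
                check_regexp(arg)
            uses += [("acl", who) for verb, who in zip(body, body[1:])
                     if verb in ("allow", "deny") and who != "any"]
        i = end + 1
    return problems + [f"undefined {k}: {n}" for k, n in uses if n not in defined[k]]
```

Calling lint(SAMPLE) reports the invalid ACL name, the unbalanced regular expression, and the two undefined references; a rule that names an undefined ACL is worth catching before deployment because the intended allow or deny never takes effect for the hosts the author had in mind.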
Sun Java System Content Delivery Server Installation Guide
820-1943-10
Copyright © 2008, Sun Microsystems, Inc. All Rights Reserved.