Sun Java System Web Server 7.0 Update 4 Administrator's Guide

Setting Up Access Control for User-Group

You can limit access to web server to certain users or groups. User-Group access control requires users to enter a username and password before gaining access to the server. The server compares the information in a client certificate with a directory server entry.

The Administration Server uses only the basic authentication. If you wish to require client authentication on your Administration Server, you must manually edit the ACL files changing the method to SSL.

User-Group authentication is performed by Web Server by reading entries in the user group database. The information that a directory service uses to implement access control can come from either of the following sources:

When the server uses an external LDAP-based directory service, it supports the following types of User-Group authentication methods for server instances:

When the server uses an internal file-based directory service, the User-Group authentication methods for server instances it supports are:

User-Group authentication requires users to authenticate themselves before gaining access to the server, or the files and directories on your web site. The authentication process involves users verifying their identity by entering a username and password, using a client certificate. Client certificates are required only for SSL communication.

Default Authentication

Default authentication is the preferred method of authentication. The Default setting uses the default method in the server.xml file, or “Basic” if there is no setting in server.xml. If you check Default, the ACL rule doesn’t specify a method in the ACL file. Choosing Default enables you to easily change the methods for all ACLs by editing one line in the obj.conf file.

Basic Authentication

Basic authentication requires users to enter a username and password to access your web server or web site. Basic authentication is the default setting and in order to use it, you must create and store a list of users and groups in an LDAP database, such as the Sun Java System Directory Server, or in a file. You must use a directory server installed on a different server root than your web server, or a directory server installed on a remote machine.

When users attempt to access a resource that has User-Group authentication in the Administration Server or on your web site, the web browser displays a dialog box asking the user to enter a username and password. The server receives this information encrypted or unencrypted, depending on whether encryption is turned on for your server.

Note –

Using Basic Authentication without SSL encryption, sends the username and password in un-encrypted text across the network and means that the network packets could be intercepted, and the username and password can be pirated. Basic authentication is most effective when combined with SSL encryption, Host-IP authentication, or both. Using Digest Authentication avoids this problem.

SSL Authentication

The server can confirm users’ identities with security certificates in two ways:

When you set the server to use certificate information for authenticating the client, the server:

Requiring client authentication to control access to specific resources differs from requiring client authentication for all connections to the server. If you set the server to require client authentication for all connections, the client only needs to present a valid certificate issued by a trusted CA. If you set the server’s access control to use the SSL method for authentication of users and groups, the client will need to:

When you require client authentication with access control, you need to have SSL ciphers enabled for your web server.

In order to successfully gain access to an SSL authenticated resource, the client certificate must be from a CA trusted by the web server. The client certificate needs to be published in a directory server if the web server’s certmap.conf file is configured to compare the client’s certificate in the browser with the client certificate in the directory server. However, the certmap.conf file can be configured to only compare selected information from the certificate to the directory server entry. For example, you could configure the certmap.conf file to only compare the user ID and email address in the browser certificate with the directory server entry.

Note –

Only the SSL authentication method requires modification to the certmap.conf file, because the certificate is checked against the LDAP directory. Requiring client authentication for all connections to the server does not require modification to the certmap.conf file. If you choose to use client certificates, you should increase the value of the AcceptTimeout directive in the magnus.conf file.

Digest Authentication

The server can be configured to perform digest authentication using either an LDAP-based or a file-based directory service.

Digest authentication enables the user to authenticate based on username and password without sending the username and password as cleartext. The browser uses the MD5 algorithm to create a digest value using the user’s password and some information provided by the Web Server.

When the server uses an LDAP-based directory service to perform digest authentication, this digest value is also computed on the server side using the Digest Authentication plug-in, and compared against the digest value provided by the client. If the digest values match, the user is authenticated. In order for this to work, your directory server needs access to the user’s password in cleartext. Sun Java System Directory Server includes a reversible password plug-in using a symmetric encryption algorithm to store data in an encrypted form, that can later be decrypted to its original form. Only the Directory Server holds the key to the data.

For LDAP-based digest authentication, you need to enable the reversible password plug-in and the digestauth-specific plug-in included with the server. To configure your web server to process digest authentication, set the digestauth property of the database definition in dbswitch.conf.

If you do not specify an ACL method, the server will use either digest or basic when authentication is required, or basic if authentication is not required. This is the preferred method.

Table 7–1 Digest Authentication Challenge Generation

ACL Method  

Digest Authentication Supported by Authentication Database  

Digest Authentication Not Supported by Authentication Database  


none specified 

digest and basic 








When processing an ACL with method = digest, the server attempts to authenticate by: