When the server receives a request for a page, it uses the rules in the ACL file to determine whether access should be granted. These rules can refer to the host name or IP address of the computer that sent the request, and to users and groups stored in the LDAP directory.
The following example shows what an ACL file might contain and provides sample access-control rules.
version 3.0;

# The following "es-internal" rules protect files such
# as icons and images related to Sun Java System Web Proxy Server.
# These "es-internal" rules should not be modified.
acl "es-internal";
allow (read, list, execute,info) user = "anyone";
deny (write, delete) user = "anyone";

# The following rules deny access to the directory "web"
# to everyone not in the directory server and deny everyone
# in the directory server who is not in GroupB.
# Only the users in GroupB are allowed read, execute, list,
# and info permissions. GroupA cannot gain access to the
# directory "web" even though (in the ACL rule below) they
# can access the directory "my_stuff". Furthermore, members
# of GroupB cannot write or delete files.
acl "path=/export/user/990628.1/docs/my_stuff/web/";
authenticate (user,group) {
    database = "default";
    method = "basic";
};
deny (all) (user = "anyone");
allow (read,execute,list,info) (group = "GroupB");

# The following rule denies everyone not in the directory
# server and denies everyone in the directory server except
# users with the ID of "SpecificMemberOfGroupB". The ACL rule
# in this setting also has a requirement that the user
# connect from a specific IP address. The IP address setting
# in the rule is optional, and has been added for extra
# security. Also, this ACL rule has a Customized prompt
# of "Presentation Owner". This Customized prompt appears
# in the username and password dialog box in the client's
# browser.
acl "path=/export/user/990628.1/docs/my_stuff/web/presentation.html";
authenticate (user,group) {
    database = "default";
    method = "basic";
    prompt = "Presentation Owner";
};
deny (all) (user = "anyone" or group = "my_group");
allow (all) (user = "SpecificMemberOfGroupB") and (ip = "208.12.54.76");

# The following ACL rule denies everyone not in the directory
# server and everyone in the directory server except for
# GroupA and GroupB access to the directory "my_stuff"
acl "path=/export/user/990628.1/docs/my_stuff/";
authenticate (user,group) {
    database = "default";
    method = "basic";
};
deny (all) (user = "anyone");
allow (read,execute,list,info) (group = "GroupA,GroupB");
For example, if a user requests the URL http://server_name/my_stuff/web/presentation.html, the Proxy Server first checks the access control for the entire server. If the server-wide ACL is set to "Continue", the server checks the ACL for the directory my_stuff. If such an ACL exists, the server checks the ACEs (access control entries) in that ACL and then moves on to the next directory. This process continues until an ACL is found that denies access, or until the last ACL for the requested URL (in this example, the file presentation.html) is reached. Note that this order follows the path hierarchy, not the order of the ACLs in the file: in the sample file above, the ACL for my_stuff/web is listed before the one for my_stuff, yet my_stuff is evaluated first.
To set up the access control in this example with the Server Manager, you can create a single ACL for the file alone, or one ACL for each resource referenced in the example (that is, one for the entire server, one for the my_stuff directory, one for the my_stuff/web directory, and one for the file).
If more than one ACL matches, the server uses the last matching ACL statement.
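The evaluation order described above is easy to get wrong when reading the file top to bottom, so here is a small evaluator for the sample ACL file, as an added example that is not part of the original page or of the Proxy Server itself. It parses the `acl`, `authenticate`, `allow` and `deny` statements shown above (the file is embedded without its long comments so the example runs offline), maps a URL path onto the file-system paths named in the ACLs through an assumed document root `DOCROOT`, and walks the matching path ACLs from the least to the most specific one. Two points are assumptions, not statements from the page: within one ACL the last ACE whose rights and condition match decides (this is the only reading under which `deny (all) (user = "anyone")` followed by `allow (...) (group = "GroupB")` admits GroupB at all), and a request that no ACL matches is denied, that is, the evaluator fails closed. The named ACL `es-internal` has no path and is ignored by the walk.

```python
import re

# The ACL file from the page, embedded (without its long comments) so the
# example runs offline. "es-internal" has no path and is ignored by the walk.
ACL_TEXT = r'''
version 3.0;
acl "es-internal";  # named ACL, applied elsewhere; not path-based
allow (read, list, execute,info) user = "anyone";
deny (write, delete) user = "anyone";
acl "path=/export/user/990628.1/docs/my_stuff/web/";
authenticate (user,group) { database = "default"; method = "basic"; };
deny (all) (user = "anyone");
allow (read,execute,list,info) (group = "GroupB");
acl "path=/export/user/990628.1/docs/my_stuff/web/presentation.html";
authenticate (user,group) { database = "default"; method = "basic"; prompt = "Presentation Owner"; };
deny (all) (user = "anyone" or group = "my_group");
allow (all) (user = "SpecificMemberOfGroupB") and (ip = "208.12.54.76");
acl "path=/export/user/990628.1/docs/my_stuff/";
authenticate (user,group) { database = "default"; method = "basic"; };
deny (all) (user = "anyone");
allow (read,execute,list,info) (group = "GroupA,GroupB");
'''
# Assumed mapping of the URL root onto the file-system paths named in the ACLs.
DOCROOT = "/export/user/990628.1/docs"

TOKEN_RE = re.compile(r'#[^\n]*|"[^"]*"|[A-Za-z_][\w.]*|\d[\w.]*|[(){};,=]|\s+')

def tokenize(text):
    """Split the file into tokens, dropping whitespace and # comments."""
    out, pos = [], 0
    while pos < len(text):
        m = TOKEN_RE.match(text, pos)
        if not m:
            raise ValueError(f"bad character {text[pos]!r} at {pos}")
        pos = m.end()
        if not (m.group().isspace() or m.group().startswith("#")):
            out.append(m.group())
    return out

class Parser:
    """Parses: version; acl "name"; authenticate (...) {...}; allow|deny (rights) <cond>;"""
    def __init__(self, text):
        self.t, self.i = tokenize(text), 0
    def peek(self):
        return self.t[self.i] if self.i < len(self.t) else None
    def take(self):
        self.i += 1
        return self.t[self.i - 1]
    def expect(self, tok):
        if self.take() != tok:
            raise ValueError(f"expected {tok!r} near token {self.i}")
    def parse(self):
        acls = []                                   # list of (name, [(effect, rights, cond)])
        while self.peek() is not None:
            kw = self.take()
            if kw == "version":
                self.take(); self.expect(";")
            elif kw == "acl":
                acls.append((self.take().strip('"'), [])); self.expect(";")
            elif kw == "authenticate":              # carries no decision logic: skip "... };"
                while self.take() != "}":
                    pass
                self.expect(";")
            elif kw in ("allow", "deny"):
                self.expect("(")
                rights = set()
                while self.peek() != ")":
                    tok = self.take()
                    if tok != ",":
                        rights.add(tok)
                self.expect(")")
                cond = self.parse_or()
                self.expect(";")
                acls[-1][1].append((kw, frozenset(rights), cond))
            else:
                raise ValueError(f"unexpected token {kw!r}")
        return acls
    def parse_or(self):                             # or binds loosest, and tighter, parens tightest
        node = self.parse_and()
        while self.peek() == "or":
            self.take(); node = ("or", node, self.parse_and())
        return node
    def parse_and(self):
        node = self.parse_atom()
        while self.peek() == "and":
            self.take(); node = ("and", node, self.parse_atom())
        return node
    def parse_atom(self):
        if self.peek() == "(":
            self.take(); node = self.parse_or(); self.expect(")"); return node
        attr = self.take(); self.expect("="); value = self.take().strip('"')
        return ("attr", attr, value)

def matches(cond, subject):
    """Evaluate a condition AST against {"user": str|None, "groups": set, "ip": str}."""
    if cond[0] == "and":
        return matches(cond[1], subject) and matches(cond[2], subject)
    if cond[0] == "or":
        return matches(cond[1], subject) or matches(cond[2], subject)
    _, attr, value = cond
    if attr == "user":       # "anyone" matches every requester, authenticated or not
        return value == "anyone" or subject.get("user") == value
    if attr == "group":      # "GroupA,GroupB" is a list: membership in any one suffices
        return bool({g.strip() for g in value.split(",")} & set(subject.get("groups", ())))
    if attr == "ip":
        return subject.get("ip") == value
    raise ValueError(f"unsupported attribute {attr!r}")

def acl_decision(aces, subject, right):
    """Assumed model: the last ACE whose rights and condition both match decides."""
    decision = None
    for effect, rights, cond in aces:
        if ("all" in rights or right in rights) and matches(cond, subject):
            decision = effect
    return decision

def evaluate(acls, subject, fs_path, right):
    """Walk path ACLs from least to most specific; a deny at any level is final."""
    chain = [(n[5:], a) for n, a in acls if n.startswith("path=") and fs_path.startswith(n[5:])]
    result = "deny"                                 # assumed: fail closed if nothing matches
    for _, aces in sorted(chain, key=lambda c: len(c[0])):
        decision = acl_decision(aces, subject, right)
        if decision == "deny":
            return "deny"
        if decision == "allow":
            result = "allow"
    return result

def check(acl_text, subject, url_path, right="read"):
    """Decide a request for a URL path under the assumed DOCROOT mapping."""
    return evaluate(Parser(acl_text).parse(), subject, DOCROOT + url_path, right)
```

Running `check(ACL_TEXT, {"user": "alice", "groups": {"GroupA"}, "ip": "10.0.0.5"}, "/my_stuff/web/index.html")` reproduces the comment in the sample file: the my_stuff ACL admits GroupA, but the more specific my_stuff/web ACL denies everyone except GroupB, and that deny is final. Only `SpecificMemberOfGroupB` connecting from 208.12.54.76 reaches presentation.html; the same user from another address is refused by the file's own ACL even though both directory ACLs allowed the request.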