When the server receives a request for a page, it uses the rules in the ACL file to decide whether access should be granted. These rules can refer to the host name or IP address of the computer sending the request. They can also refer to users and groups stored in an LDAP directory.
The following example shows what an ACL file might contain and provides sample access control rules.
version 3.0;
# The following "es-internal" rules protect files such
# as icons and images related to Sun Java System Web Proxy Server.
# These "es-internal" rules should not be modified.
acl "es-internal";
allow (read, list, execute,info) user = "anyone";
deny (write, delete) user = "anyone";

# The following rules deny access to the directory "web"
# to everyone not in the directory server and deny everyone
# in the directory server who is not in GroupB.
# Only the users in GroupB are allowed read, execute, list,
# and info permissions. GroupA cannot gain access to the
# directory "web" even though (in the ACL rule below) they
# can access the directory "my_stuff". Furthermore, members
# of GroupB cannot write or delete files.
acl "path=/export/user/990628.1/docs/my_stuff/web/";
authenticate (user,group) {
  database = "default";
  method = "basic";
};
deny (all) (user = "anyone");
allow (read,execute,list,info) (group = "GroupB");

# The following rule denies everyone not in the directory
# server and denies everyone in the directory server except
# users with the ID of "SpecificMemberOfGroupB". The ACL rule
# in this setting also has a requirement that the user
# connect from a specific IP address. The IP address setting
# in the rule is optional, and has been added for extra
# security. Also, this ACL rule has a Customized prompt
# of "Presentation Owner". This Customized prompt appears
# in the username and password dialog box in the client's
# browser.
acl "path=/export/user/990628.1/docs/my_stuff/web/presentation.html";
authenticate (user,group) {
  database = "default";
  method = "basic";
  prompt = "Presentation Owner";
};
deny (all) (user = "anyone" or group = "my_group");
allow (all) (user = "SpecificMemberOfGroupB") and (ip = "208.12.54.76");

# The following ACL rule denies everyone not in the directory
# server and everyone in the directory server except for
# GroupA and GroupB access to the directory "my_stuff"
acl "path=/export/user/990628.1/docs/my_stuff/";
authenticate (user,group) {
  database = "default";
  method = "basic";
};
deny (all) (user = "anyone");
allow (read,execute,list,info) (group = "GroupA,GroupB");
For example, if a user requests the URL http://server_name/my_stuff/web/presentation.html, the Proxy Server first checks the access control for the entire server. If the ACL for the entire server is set to Continue, the server checks whether the my_stuff directory has an ACL. If one exists, the server checks the ACEs within that ACL and then moves on to the next directory. This process continues until an ACL that denies access is found, or until the last ACL for the requested URL is reached, which in this example is the ACL for the presentation.html file.
To set up access control for this example with the Server Manager, you can create a single ACL for the file alone, or one ACL for each resource leading to the file: one for the entire server, one for the my_stuff directory, one for the my_stuff/web directory, and one for the file.
If more than one matching ACL exists, the server uses the last matching ACL statement.
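The walk described above (least specific ACL first, last matching ACE within an ACL, a denying ACL ends the walk) can be traced against the sample file with a small evaluator. The code below is an added example written for this page, not Sun's own implementation or any part of the Proxy Server. It makes several assumptions: URL paths map onto the ACL paths under a fixed document root (DOCROOT), a resource with no matching path ACL is left unrestricted, named ACLs such as "es-internal" are ignored because the server applies them through its object configuration rather than by path, and the parser handles only the expression shapes that appear in this listing (user and group terms OR-ed together, an IP term AND-ed on). The ACL_TEXT constant is a constructed copy of the page's listing with the comments removed.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed copy of the page's ACL listing without its comments
# (the parser strips "#" comments, so the commented version parses too).
ACL_TEXT = '''
version 3.0;
acl "es-internal";
allow (read, list, execute,info) user = "anyone";
deny (write, delete) user = "anyone";
acl "path=/export/user/990628.1/docs/my_stuff/web/";
authenticate (user,group) { database = "default"; method = "basic"; };
deny (all) (user = "anyone");
allow (read,execute,list,info) (group = "GroupB");
acl "path=/export/user/990628.1/docs/my_stuff/web/presentation.html";
authenticate (user,group) { database = "default"; method = "basic"; prompt = "Presentation Owner"; };
deny (all) (user = "anyone" or group = "my_group");
allow (all) (user = "SpecificMemberOfGroupB") and (ip = "208.12.54.76");
acl "path=/export/user/990628.1/docs/my_stuff/";
authenticate (user,group) { database = "default"; method = "basic"; };
deny (all) (user = "anyone");
allow (read,execute,list,info) (group = "GroupA,GroupB");
'''

# Assumption: URL paths are mapped onto the ACL paths under this document root.
DOCROOT = "/export/user/990628.1/docs"

@dataclass
class ACE:
    action: str            # "allow" or "deny"
    rights: frozenset      # {"all"} or explicit rights such as {"read", "list"}
    users: frozenset       # user names; "anyone" matches every requester
    groups: frozenset      # group names ("GroupA,GroupB" becomes two names)
    ip: Optional[str]      # extra "and (ip = ...)" condition, if present

    def matches(self, right, user, groups, ip):
        # Principals are OR-ed; the IP condition is AND-ed on top.
        if "all" not in self.rights and right not in self.rights:
            return False
        principal_ok = ("anyone" in self.users
                        or (user is not None and user in self.users)
                        or bool(self.groups & groups))
        return principal_ok and (self.ip is None or self.ip == ip)

@dataclass
class ACL:
    name: Optional[str]        # named ACLs are not applied by path in this model
    path: Optional[str]        # filesystem prefix for "path=..." ACLs
    requires_auth: bool = False
    aces: list = field(default_factory=list)

def parse_acl_file(text):
    """Parse the subset of the ACL syntax used in the page's listing."""
    acls = []
    text = re.sub(r"#.*", "", text)              # drop comments
    text = re.sub(r"\{[^}]*\}", "{}", text)      # collapse authenticate { ... } bodies
    for stmt in (s.strip() for s in text.split(";")):
        if not stmt or stmt.startswith("version"):
            continue
        if stmt.startswith("acl"):
            target = re.search(r'"([^"]*)"', stmt).group(1)
            if target.startswith("path="):
                acls.append(ACL(name=None, path=target[len("path="):]))
            else:
                acls.append(ACL(name=target, path=None))
        elif stmt.startswith("authenticate"):
            acls[-1].requires_auth = True
        elif stmt.startswith(("allow", "deny")):
            action, rest = stmt.split(None, 1)
            rights = re.match(r"\(([^)]*)\)", rest).group(1)
            conds = re.findall(r'(user|group|ip)\s*=\s*"([^"]*)"', rest)
            users = {v for k, v in conds if k == "user"}
            groups = {g.strip() for k, v in conds if k == "group" for g in v.split(",")}
            ips = [v for k, v in conds if k == "ip"]
            acls[-1].aces.append(ACE(action, frozenset(r.strip() for r in rights.split(",")),
                                     frozenset(users), frozenset(groups),
                                     ips[0] if ips else None))
    return acls

def check_access(acls, url_path, right, user=None, groups=(), ip=None):
    """Walk the path ACLs from least to most specific, as the page describes:
    the last matching ACE inside an ACL decides, a denying ACL ends the walk,
    and otherwise the last ACL that matched decides.  Assumption: no ACL -> allow."""
    full_path = DOCROOT + url_path
    applicable = sorted((a for a in acls if a.path and full_path.startswith(a.path)),
                        key=lambda a: len(a.path))
    decision = "allow"
    for acl in applicable:
        # A requester who did not authenticate against the directory server has
        # no group memberships, so only the "anyone" principal can match them.
        effective_groups = frozenset() if (acl.requires_auth and user is None) else frozenset(groups)
        matched = [ace for ace in acl.aces if ace.matches(right, user, effective_groups, ip)]
        if not matched:
            continue
        decision = matched[-1].action
        if decision == "deny":
            break
    return decision
```

Running check_access(parse_acl_file(ACL_TEXT), "/my_stuff/web/index.html", "read", "alice", {"GroupA"}, "10.0.0.1") returns "deny": the my_stuff ACL allows GroupA to read, but the more specific my_stuff/web ACL only allows GroupB, so its deny ACE is the last match and ends the walk. The same member of GroupB is allowed to read but denied "write", and SpecificMemberOfGroupB reaches presentation.html only from 208.12.54.76, which is exactly what the comments in the listing claim.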