Sun Java System Web Server 6.1 SP7 Administrator's Guide

Setting Access Control

This section describes the process of restricting access to the files or directories on your web site. You can set global access control rules for all servers, and also individually for specific servers. For instance, a human resources department might create ACLs allowing all authenticated users to view their own payroll data, but restrict access to updating data to only human resource personnel responsible for payroll.

You can set access control globally for all servers through the Administration Server. Each option is described in detail in the following section, Selecting Access Control Options.


Note –

Distributed administration must be configured and activated before global access control can be configured.


Procedure: To set access control globally

To configure or edit access control globally for all servers, perform the following steps:

  1. Access the Administration Server and choose the Global Settings tab.

  2. Click the Restrict Access link.

  3. Select the administration server (https-admserv) from the drop-down list.

  4. Click Create ACL, and select the Go button.

    The Access Control Rules for uri=/https-admserv/ page appears:

    Figure 9–2 Access Control Rules Page

    The Administration Server has two lines of default access control rules which cannot be edited.

  5. Select the Access control is On option, if it is not already selected.

  6. To add a default ACL rule to the bottom row of the table, click the New Line button.

    To swap an access control restriction with the access control restriction preceding it, click the up arrow icon.

    To swap an access control restriction with the access control restriction following it, click the down arrow icon.

  7. Click on the Anyone field in the Users/Groups column.

    The User/Group page appears.

    Figure 9–3 User/Group Page

  8. Select the users and groups to configure access to and click Update.

    Click List for Group and User to provide lists for you to choose from.

  9. Click on the Anyplace field in the From Host column.

  10. Enter Host Names and IP Addresses that are allowed access and click Update.

  11. Click All Programs in the Programs window.

    Figure 9–4 Programs Page

  12. Select the Program Groups or enter the specific file name in the Program Items field you will allow access to, and click Update.

  13. (Optional) Click the x under the Extra column to add a customized ACL expression.

  14. Click the Continue column, if it isn’t already selected as the default.

    The server will evaluate the next line before determining if the user is allowed access. When creating multiple lines, work from the most general restrictions to the most specific ones.

  15. (Optional) Click Response when denied to direct the user to a different URL or URI.

  16. Enter the path to the absolute URL or a relative URI and click Update.

  17. Click Submit to store the new access control rules in the ACL file.


    Note –

    Clicking Revert will remove all of the settings you’ve just created.


Procedure: To set access control for a server instance

You can create, edit, or delete access control for a specific server instance using the Server Manager.


Note –

When deleting ACL rules, do not delete all of them from the ACL files. At least one ACL file containing a minimum of one ACL rule is required to start the server. Deleting all ACL rules and restarting the server will result in a syntax error.
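
A pre-restart check for the condition in the note above, as an added example (not from the guide). It assumes the text ACL file format used by this server family (`version`, `acl "name";`, `allow`/`deny` statements), which this page does not show; the sample file contents and the file name are constructed.

```python
import re

COMMENT = re.compile(r"#.*")                 # comment to end of line
ACL_DECL = re.compile(r'acl\s+"([^"]*)"$')   # acl "name"
RULE = re.compile(r"(allow|deny)\b")         # start of an allow/deny rule

def rules_per_acl(text):
    """Return {ACL name: number of allow/deny rules} for one ACL file's text.

    Statements are split on ';', so a '#' or ';' inside a quoted string is
    not handled; this is a pre-restart sanity check, not a full parser.
    """
    counts, current = {}, None
    for stmt in COMMENT.sub("", text).split(";"):
        stmt = stmt.strip()
        decl = ACL_DECL.match(stmt)
        if decl:
            current = decl.group(1)
            counts.setdefault(current, 0)
        elif current is not None and RULE.match(stmt):
            counts[current] += 1
    return counts

def safe_to_restart(acl_files):
    """acl_files maps file name -> text; True if any file still holds a rule."""
    return any(n > 0 for text in acl_files.values()
               for n in rules_per_acl(text).values())

# Constructed sample: an ACL file before and after an over-eager cleanup.
BEFORE = '''# constructed sample ACL file
version 3.0;
acl "default";
authenticate (user, group) {
  prompt = "Sun ONE Web Server";
};
allow (read, list, execute, info) user = "anyone";
allow (write, delete) user = "all";
acl "uri=/sales";
'''
AFTER = '''version 3.0;
acl "default";
'''

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, rules_per_acl(text), safe_to_restart({"sample.acl": text}))
```

An ACL reported with a count of 0, such as the constructed `uri=/sales` entry, is also worth reviewing before the restart.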


To create access control for a server instance, perform the following steps:

  1. Access the Server Manager and select the server instance you wish to create or edit ACLs for.

  2. Choose the Preferences tab from the Server Manager.

  3. Click the Restrict Access link.

  4. From the Option column choose one of the following:

    • Add and enter the ACL file location

    • Edit and select the ACL file from the drop-down menu

    • Delete from the drop-down menu and select the ACL file

    The Access Control List Management Page with three options appears:

    Figure 9–5 Access Control List Management Page

  5. Select one of the following:

    • Pick a resource to specify a wildcard pattern for files or directories (such as *.html), choose a directory or a filename to restrict, or browse for a file or directory.

    • Pick an existing ACL to select from a list of all the ACLs you have enabled. Existing ACLs you have not enabled will not appear in this list.

    • Enter the ACL name allows you to create named ACLs. Use this option only if you’re familiar with ACL files. You’ll need to manually edit the obj.conf file if you want to apply named ACLs to resources.

    Table 8-2 describes the resource wildcards you can use.

    | Resource wildcard | What it means |
    |---|---|
    | default | A named ACL created during installation that restricts write access so only users in the LDAP directory can publish documents. |
    | Entire Server | One set of rules determines the access to your entire web site, including any virtual servers you have running. To restrict access to a virtual server, specify the path of its document root. |
    | /usr/sun/server4/docs/cgi-bin/* | Controls access to all files and directories in the cgi-bin directory. You must specify an absolute path. On Windows, the path must include the drive letter. |
    | uri="/sales" | Controls access to the sales directory in the document root. To specify URIs, create a named ACL. |

  6. Click Edit Access Control.

    The Access Control Rules for: (server instance) page appears.

    Figure 9–6 Access Control Rules Page

  7. Select Access control is on, if it is not already selected.

  8. To configure or edit the ACL for this server instance, click Deny in the Action column.

  9. Select Allow, if it isn’t already selected as the default, and click Update.

  10. Click on the Anyone field in the Users/Groups column.

    The User/Group page appears in the lower frame:

    Figure 9–7 User/Group Page

  11. Select which users and groups you will allow access to and click Update.

    Clicking List for Group and User provides lists for you to choose from.

  12. Click on the Anyplace field in the From Host column.

  13. Enter Host Names and IP Addresses that are allowed access and click Update.

  14. Click on the All field in the Rights column.

  15. Select one of the following and then click Update:

    • All Access Rights

    • Only the following rights, and check all appropriate rights for this user

  16. (Optional) Click the x under the Extra column to add a customized ACL expression.

  17. Put a check in the Continue column, if it isn’t already selected as the default.

    The server evaluates the next line before determining if the user is allowed access. When creating multiple lines, start with the most general restrictions and work to the most specific ones.

  18. (Optional) Click Response when denied to direct the user to a different URL or URI.

  19. Enter the path to the absolute URL or a relative URI and click Update.

  20. Click Submit to store the new access control rules in the ACL file.


    Note –

    Clicking Revert will remove all of the settings you’ve just created.


  21. Repeat all steps above for each server instance you wish to establish access control for.

  22. When finished, click Apply.

  23. Select Hard Start/Restart or Dynamically Apply.

    ACL settings can also be enabled for each virtual server. For more information, see Accessing Databases from Virtual Servers.
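
The effect of the Continue column and of rule order described in both procedures, as an added example (not from the guide): a simplified Python model of the rules table. The `Rule` fields, user names and addresses are constructed, and the behaviour that a later matching line overrides an earlier one unless Continue is cleared is an assumption of this model.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:  # one line of the Access Control Rules table (simplified model)
    action: str          # Action column: "allow" or "deny"
    users: frozenset     # Users/Groups column; "anyone" matches every user
    hosts: tuple         # From Host column as CIDR strings; () means anyplace
    rights: frozenset    # Rights column; "all" matches every right
    cont: bool = True    # Continue column checked

    def matches(self, user, ip, right):
        return (("anyone" in self.users or user in self.users)
                and (not self.hosts
                     or any(ip_address(ip) in ip_network(h) for h in self.hosts))
                and ("all" in self.rights or right in self.rights))

def evaluate(rules, user, ip, right):
    """Return (decision, index of deciding line), or (None, None) if no line matches."""
    decision, index = None, None
    for i, rule in enumerate(rules):
        if rule.matches(user, ip, right):
            decision, index = rule.action, i   # assumed: a later match overrides
            if not rule.cont:                  # Continue cleared: stop here
                break
    return decision, index

# Constructed rule set, ordered from most general to most specific.
GENERAL_FIRST = [
    Rule("deny", frozenset({"anyone"}), (), frozenset({"all"})),
    Rule("allow", frozenset({"anyone"}), ("10.0.0.0/8",), frozenset({"read"})),
    Rule("allow", frozenset({"alice"}), ("10.0.5.0/24",), frozenset({"all"})),
]
# Same lines, most specific first: the broad deny now matches last.
SPECIFIC_FIRST = list(reversed(GENERAL_FIRST))
# General-first order, but Continue cleared on the first line.
NO_CONTINUE = [replace(GENERAL_FIRST[0], cont=False)] + GENERAL_FIRST[1:]

if __name__ == "__main__":
    for name, rules in [("general first", GENERAL_FIRST),
                        ("specific first", SPECIFIC_FIRST),
                        ("continue cleared", NO_CONTINUE)]:
        print(name, evaluate(rules, "alice", "10.0.5.9", "write"))
```

In this model the same three lines grant alice write access only in the general-first order with Continue set; reordering them or clearing Continue on the broad deny leaves every request decided by that deny line.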