Limiting Access to Areas of Your Server

This section describes commonly used access restrictions to a web server. The steps for each procedure detail the specific actions you need to take. You still need to complete all the steps described under Setting Access Control.

The following procedures are described in this section:

• Restricting Access to the Entire Server

• Restricting Access to a Directory (Path)

• Restricting Access to a URI (Path)

• Restricting Access to a File Type

• Restricting Access Based on Time of Day

• Restricting Access Based on Time of Day

Restricting Access to the Entire Server

You may wish to allow access to users in a group called who access the server from computers in a subdomain. For instance, you may have a server for a company department that you only want users to access from computers in a specific subdomain of your network.

To set access control for a server instance

1. Use the Server Manager to select the server instance.

2. Choose the Preferences tab.

3. Click the Restrict Access link.

4. Choose the ACL file to edit.

5. Pick the entire server resource, and click Edit Access Control.

6. Add a new rule to deny access to all.

7. Add another new rule to allow access to a specific group.

8. Enter a wildcard pattern for the host names of the computers to be allowed.

   For example, *.employee.sun.com

9. Deselect Continue.

10. Submit and Apply your changes.

Restricting Access to a Directory (Path)

You can allow users in a group to read or run applications in directories, and its subdirectories and files, that are controlled by the owner of a group. For example, a project manager might update status information for a project team to review.

To limit access to a directory on the server, using the steps described for setting access control for a server instance, perform the following task:

To limit access to a directory on the server

1. Use the Server Manager to select the server instance.

2. Choose the Preferences tab.

3. Click the Restrict Access link.

4. Choose the ACL File to edit.

5. Browse the Pick a Resource section and select the directory you want to restrict.

   The directories in the server’s document root are displayed. Once selected, the Editing drop-down list displays the absolute path to the directory.

   ---

   Note –

   If you want to view all files in your server root, click Options and then List files as well as directories.

   ---

6. Click Edit Access Control.

7. Create a new rule and leave the defaults to deny access to everyone from everywhere.

8. Create another new rule allowing users in a specific group to have read and execute rights only.

9. Create a third rule to allow a specific user to have all rights.

10. Deselect Continue for the second and third lines and click Update.

11. Submit and Apply your changes.

    An absolute path to the file or directory is created in the docrootdirectory. The entry in the ACL file would appear as: acl “path=d:\sun\suitespot\docroot1\sales/”;

Restricting Access to a URI (Path)

You can use a URI to control access to a single user’s content on the web server. URIs are paths and files relative to the server’s document root directory. Using URIs is an easy way to manage your server’s content if you frequently rename or move all or part of it (for example, for disk space). This is also a good method to handle access control if you have additional document roots.

To limit access to a URI, using the steps described for setting access control for a server instance, you would:

To limit access to a URL

1. Use the Server Manager to select the server instance.

2. Choose the Preferences tab.

3. Click the Restrict Access link.

4. Enter the URI you want to restrict in the Type in the ACL name section.

   For example: uri=/my_directory.

5. Click Edit Access Control.

6. Create a new rule to allows all users read access.

7. Create another new rule to allow access for the owner of the directory.

8. Deselect Continue for both the first and second rules.

9. Click Submit and Apply your changes.

   A path for the URI is created relative to the document root. The entry in the ACL file would appear as follows: acl “uri=/my_directory”;

Restricting Access to a File Type

You can limit access to file types on your server or web site. For example, you might wish to allow only specific users to create programs that run on your server. Anyone would be able to run the programs, but only specified users in the group would be able create or delete them.

To limit access to a file type, using the steps described for setting access control for a server instance, you would:

To limit access to a file type

1. Use the Server Manager to select the server instance.

2. Choose the Preferences tab.

3. Click the Restrict Access link.

4. Click Wildcard in the Pick a resource section and enter a wildcard pattern.

   For example, *.cgi.

5. Click Edit Access Control.

6. Create a new rule to allow read access to all users.

7. Create another rule that allows write and delete access only to a specific group.

8. Submit and Apply your changes.

   For file type restriction, leave both continue boxes checked. If a request for a file comes in, the server will then check the ACL for the file type first.

   A Pathcheck function is created in the obj.conf file that might include wildcard patterns for files or directories. The entry in the ACL file would appear as follows: acl “*.cgi”;

Restricting Access Based on Time of Day

You can restrict write and delete access to the server during specified hours or on specified days. You might use this option to prevent people from publishing documents during working hours when people might be accessing the files.

To limit access based on time of day, complete the following task:

To limit access based on time of day

1. Use the Server Manager to select the server instance.

2. Choose the Preferences tab.

3. Click the Restrict Access link.

4. Select the entire server from the drop-down list in Pick a Resource and click Edit Access Control.

5. Create a new rule allowing read and execute rights to all.

   If a user wants to add, update, or delete a file or directory, this rule will not apply and the server searches for another rule that matches.

6. Create another new rule denying write and delete rights to all.

7. Click X link to create a customized expression.

8. Enter the days of the week and the times of day to be allowed.

   For example:

   user = "anyone" anddayofweek = "sat,sun" or(timeofday >= 1800 andtimeofday <= 600)

   The message “Unrecognized expressions” is displayed in the Users/Groups and From Host fields when you create a custom expression.

9. Submit and Apply your changes.

   Any errors in the custom expression will generate an error message. Make corrections and submit again.

To restrict access based on security

As of Sun Java System Web Server 6.1 you can configure SSL and non-SSL listen sockets for the same server instance. Restricting access based on security allows you to create protection for resources that should only be transmitted over a secure channel.

To limit access based on security, using the steps described for setting access control for a server instance, you would:

1. Use the Server Manager to select the server instance.

2. Choose the Preferences tab.

3. Click the Restrict Access link.

4. Select the entire server from the drop-down list in Pick a Resource and click Edit Access Control.

5. Create a new rule allowing read and execute rights to all.

   If a user wants to add, update, or delete a file or directory, this rule will not apply and the server will searches for another rule that matches.

6. Create a new rule denying write and delete rights to all.

7. Click X link to create a customized expression.

8. Enter ssl=”on”.

   Example:

   user = "anyone" and ssl=”on”

9. Submit and Apply your changes.

   Any errors in the custom expression generates an error message. Make the necessary corrections and submit your changes again.

Securing Access Control With Distributed Administration

This section lists the additional tasks you must perform in order to secure access control with the Sun Java System Web Server 6.1, after enabling distributed administration.

• Securing Access to Resources

• Securing Access to Server Instances

• Enabling IP-based Access Control

Securing Access to Resources

The order in which the PathCheck directive occurs in the https-server-id object tag in the generated.https-server-id.acl file might grant undesired access to resources. To prevent unauthorized access, edit the <server-root>/generated.https-server-id.acl file, specifying a comma-separated list of program groups for which access control is required, as shown below:

Below the line:

allow (all)

user=<username> and program=<program group, program group...>;

add the following line:

deny absolute (all)

user=<username> and program!=<program group, program group...>;

Securing Access to Server Instances

To configure the Sun Java System Web Server 6.1 to control access to server instances, edit the <server-root>/httpacl/*.https-admserv.acl files to specify the user to whom you want to grant access control privileges. Example:

acl "https-<instance>";

authenticate (user,group) {

database = "default";

method = "basic";

};

deny absolute (all) user != "UserA";

Enabling IP-based Access Control

If the access control entry that refers to the ip attribute is located in the Administration Server related ACL files (gen*.https-admserv.acl), then complete steps (1) and (2) below.

If the access control entry that refers to the ip attribute is located in the ACL files related to a server instance, then complete only step (1) below for that particular ACL.

To enable IP-based access control

1. Edit the <server-root>/httpacl/gen*.https-admserv.acl files to add ip to the authentication list, in addition to user and group, as shown below:

   acl "https-admserv";

   authenticate (user,group,ip) {

   database = "default";

   method = "basic";

   };

2. Add the following access control entry:

   deny absolute (all) ip !="ip_for_which_access_is_allowed";

   Example:

   acl "https-admserv";

   authenticate (user,group,ip) {

   database = "default";

   method = "basic";

   };

   deny absolute (all) ip !="205.217.243.119";