Sun Java System Web Server 6.1 SP10 Getting Started Guide

Chapter 3 Enabling Access Control

Every virtual server hosts one or more web sites. By default, you can access all the content on each web site. Sometimes, such unrestricted access might not be desirable and you might want to protect parts of your web site from unauthorized access. You can do so by setting up access control on your server.

Access control is a way of specifying who can access resources such as directories and files on your server, and what access they can have. You can allow or deny access to specified users and groups using ACLs (Access Control Lists).

There are two types of access control:

Setting up Native Access Control

This section describes basic tasks associated with setting up native access control. Native access control provides authenticated access for both Java-based and non-Java applications. However, if you plan to deploy Java web applications, you can leverage the benefits of Java-based security realms. The various aspects of Java security constraints are outside the scope of this guide but are discussed in detail in the Sun Java System Web Server 6.1 Programmer’s Guide to Web Applications.

For more information on the various aspects of Java security, see Sun Java System Web Server 6.1 SP10 Programmer’s Guide to Web Applications.

Here is a simple exercise that illustrate how a native ACL is configured. To use a combination of host-based and user-based access control perform the following tasks:

Consider that you want to allow access to all files under /hr/publish/manager to a user named “manager” at Acme Corp. To use user-based access control (in addition to host-based access control), create a directory service

Since you use you first need to .

ProcedureTo create a directory service

A directory service allows you to authenticate and authorize users and groups. You can configure a directory service in one of the following ways:

In this example, we will set up user information in a file.

  1. Access the Administration Server and choose the Global Settings tab.

  2. Click the Configure Directory Service link.

  3. From the Create New Service of Type drop-down list, choose Key File as the type of directory service. This is a text file that contains the user’s password and the list of groups to which the user belongs.

    Figure 3–1 Creating New Directory Service Type

    Creating new Directory Service type

  4. Click New.

  5. Specify keyfile1 as the Directory Service ID and HRAuthFile as the name of the file, as shown below:

    Figure 3–2 Configuring Directory Service Type

    Configuring Directory Service Type

  6. Click Save Changes.

  7. Restart the server for the changes to take effect.

ProcedureTo add a user

We start with creating a user ID called “manager.” This will represent the person who needs to have access to all the files in /hr/publish/manager .

  1. Access the Administration Server and choose the Users & Groups tab.

  2. Click New User.

  3. Select “HRAuthFile” from the Select Directory service drop-down list and click Select.

  4. Enter the required information, as shown below:

    Figure 3–3 Creating a New user

    Creating a new user

  5. Click Create User.

    A new user is added to the file: HRAuthFile.

    Next, you need to associate our virtual server,, with the directory service we’ve created.

ProcedureTo specify a directory service for a virtual server

  1. Access the Virtual Server Manager and click the Settings link to display the Settings page for the virtual server,

    Figure 3–4 Specifying Directory Service

    Specifying Directory Service

  2. Click the Edit link next to the Directory Services setting.

  3. Select keyfile1 in the Pick Directory Services for Virtual Server page as shown below:

    Figure 3–5 Editing Directory Service

    Editing Directory Service

  4. Click OK and then Apply to save and apply your changes.

    Now you can specify the required access control rules.

ProcedureTo set access control

Start by creating an ACL for the virtual server .

  1. Access the Server Manager and choose the Preferences tab.

  2. Click the Restrict Access link.

  3. Under the Option column, select the ACL file. We choose the default file in our example and click OK.

    Figure 3–6 Access Control List Management Page

    Access Control List Management Page

  4. Select Pick a Resource and then specify the following wildcard pattern to control access to all files in the /hr/publish/manager directory :


  5. Click the Edit Access Control button.

  6. Check the “Access control is on” checkbox and click the New Line button.

    Figure 3–7 Editing the Access Control

    Editing the Access Control

  7. Click on Deny in the second row of the Action column.

    This opens the Allow /Deny page in the lower frame of Figure 3-8: Restricting Access Control

    Figure 3–8 Restricting Access Control

    Restricting Access Control

  8. Click Allow, if not selected by default, and then click Update.

  9. Click on “anyone” in the Users/Groups column, in the top frame.

  10. Enter “manager” as the user you will allow access to, and keyfile1 as the authentication database, in the User/Group page that appears in the lower frame of Figure 3-9: Access Control for User and User Groups

    Figure 3–9 Access Control for User and User Groups

    Access Control for user and user groups

  11. Click Update.

  12. Click Submit to store the new access control rules in the ACL file.

  13. Click Apply Changes and save and apply the changes that you have made.

    Once an ACL is set users accessing the site will be required to authenticate themselves before they are allowed access, as shown below:

    Figure 3–10 User Authentication Page

    User authentication page