Sun Java System Web Server 6.1 SP12 Administrator's Guide

Securing Access Control With Distributed Administration

This section lists the additional tasks you must perform in order to secure access control with the Sun Java System Web Server 6.1, after enabling distributed administration.

Securing Access to Resources

The order in which the PathCheck directive occurs in the https-server-id object tag in the generated.https-server-id.acl file might grant undesired access to resources. To prevent unauthorized access, edit the <server-root>/generated.https-server-id.acl file, specifying a comma-separated list of program groups for which access control is required, as shown below:

Below the line:

    allow (all)
    user=<username> and program=<program group, program group...>;

add the following line:

    deny absolute (all)
    user=<username> and program!=<program group, program group...>;

Securing Access to Server Instances

To configure the Sun Java System Web Server 6.1 to control access to server instances, edit the <server-root>/httpacl/*.https-admserv.acl files to specify the user to whom you want to grant access control privileges. Example:

    acl "https-<instance>";
    authenticate (user,group) {
    database = "default";
    method = "basic";
    };
    deny absolute (all) user != "UserA";

Enabling IP-based Access Control

If the access control entry that refers to the ip attribute is located in the Administration Server related ACL files (gen*.https-admserv.acl), then complete steps (1) and (2) below.

If the access control entry that refers to the ip attribute is located in the ACL files related to a server instance, then complete only step (1) below for that particular ACL.

Procedure: To enable IP-based access control

  1. Edit the <server-root>/httpacl/gen*.https-admserv.acl files to add ip to the authentication list, in addition to user and group, as shown below:

    acl "https-admserv";
    authenticate (user,group,ip) {
    database = "default";
    method = "basic";
    };

  2. Add the following access control entry:

    deny absolute (all) ip !="ip_for_which_access_is_allowed";

    Example:

    acl "https-admserv";
    authenticate (user,group,ip) {
    database = "default";
    method = "basic";
    };
    deny absolute (all) ip !="205.217.243.119";
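The two hardening edits described on this page (the deny absolute guard that must accompany each program-group allow entry in generated.https-server-id.acl, and the ip attribute plus the deny absolute ip entry in the Administration Server ACL) can be audited with a script like the one below. It is an added example, not part of this guide or the product: the ACL fragments are constructed, and the regular expressions assume the line shapes shown above, accepting both quoted and unquoted values.

```python
import re

# Constructed sample ACL fragments (not product files); they follow the shapes shown above.
SERVER_ACL = """\
acl "https-server-id";
authenticate (user,group) {
database = "default";
method = "basic";
};
allow (all)
user="userA" and program="preferences,access";
deny absolute (all)
user="userA" and program!="preferences,access";
allow (all)
user="userB" and program="preferences";
"""
ADMSERV_ACL = """\
acl "https-admserv";
authenticate (user,group) {
database = "default";
method = "basic";
};
"""
# Quoted and unquoted values are both accepted, as in the examples on this page.
_ALLOW = re.compile(r'allow\s*\(all\)\s*user\s*=\s*"?([^"\s]+)"?\s+and\s+program\s*=\s*"?([^";]+)"?\s*;')
_DENY = re.compile(r'deny\s+absolute\s*\(all\)\s*user\s*=\s*"?([^"\s]+)"?\s+and\s+program\s*!=\s*"?([^";]+)"?\s*;')
_AUTH = re.compile(r'authenticate\s*\(([^)]*)\)')
_IP_DENY = re.compile(r'deny\s+absolute\s*\(all\)\s*ip\s*!=\s*"[^"]+"\s*;')

def _groups(value):
    return frozenset(g.strip() for g in value.split(",") if g.strip())

def unguarded_program_users(acl_text):
    """Users whose 'allow (all) ... program=' entry has no 'deny absolute' twin for the same groups."""
    guards = {(user, _groups(groups)) for user, groups in _DENY.findall(acl_text)}
    return sorted(user for user, groups in _ALLOW.findall(acl_text)
                  if (user, _groups(groups)) not in guards)

def admserv_ip_findings(acl_text):
    """Report which of the two IP-restriction steps are missing from an Administration Server ACL."""
    findings = []
    match = _AUTH.search(acl_text)
    attrs = {a.strip() for a in match.group(1).split(",")} if match else set()
    if "ip" not in attrs:
        findings.append("authenticate list lacks ip")
    if not _IP_DENY.search(acl_text):
        findings.append("no deny absolute (all) ip != entry")
    return findings
```

Run it against the real <server-root>/generated.https-server-id.acl and <server-root>/httpacl/gen*.https-admserv.acl contents after making the edits; an empty result from both functions means the guards described above are in place.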