Sun Java System Web Server 6.1 SP12 Getting Started Guide

Chapter 3 Enabling Access Control

Every virtual server hosts one or more web sites. By default, you can access all the content on each web site. Sometimes, such unrestricted access might not be desirable and you might want to protect parts of your web site from unauthorized access. You can do so by setting up access control on your server.

Access control is a way of specifying who can access resources such as directories and files on your server, and what access they can have. You can allow or deny access to specified users and groups using ACLs (Access Control Lists).

There are two types of access control:

Setting up Native Access Control

This section describes basic tasks associated with setting up native access control. Native access control provides authenticated access for both Java-based and non-Java applications. However, if you plan to deploy Java web applications, you can leverage the benefits of Java-based security realms. The various aspects of Java security constraints are outside the scope of this guide but are discussed in detail in the Sun Java System Web Server 6.1 Programmer’s Guide to Web Applications.

For more information on the various aspects of Java security, see Sun Java System Web Server 6.1 SP12 Programmer’s Guide to Web Applications.

Here is a simple exercise that illustrates how a native ACL is configured. To use a combination of host-based and user-based access control, perform the tasks described in the procedures below.

Consider that you want to allow access to all files under /hr/publish/manager to a user named “manager” at Acme Corp. Because this uses user-based access control (in addition to host-based access control), you first need to create a directory service.

Procedure: To create a directory service

A directory service allows you to authenticate and authorize users and groups. You can configure a directory service in one of the following ways:

In this example, we will set up user information in a file.

  1. Access the Administration Server and choose the Global Settings tab.

  2. Click the Configure Directory Service link.

  3. From the Create New Service of Type drop-down list, choose Key File as the type of directory service. This is a text file that contains the user’s password and the list of groups to which the user belongs.

    Figure 3–1 Creating New Directory Service Type


  4. Click New.

  5. Specify keyfile1 as the Directory Service ID and HRAuthFile as the name of the file, as shown below:

    Figure 3–2 Configuring Directory Service Type


  6. Click Save Changes.

  7. Restart the server for the changes to take effect.

Procedure: To add a user

We start by creating a user ID called “manager”. This user represents the person who needs access to all the files in /hr/publish/manager.

  1. Access the Administration Server and choose the Users & Groups tab.

  2. Click New User.

  3. Select “HRAuthFile” from the Select Directory service drop-down list and click Select.

  4. Enter the required information, as shown below:

    Figure 3–3 Creating a New user


  5. Click Create User.

    A new user is added to the HRAuthFile file.

    Next, you need to associate the virtual server, hr.acme.com, with the directory service you have just created.

Procedure: To specify a directory service for a virtual server

  1. Access the Virtual Server Manager and click the Settings link to display the Settings page for the virtual server, hr.acme.com.

    Figure 3–4 Specifying Directory Service


  2. Click the Edit link next to the Directory Services setting.

  3. Select keyfile1 in the Pick Directory Services for Virtual Server page as shown below:

    Figure 3–5 Editing Directory Service


  4. Click OK and then Apply to save and apply your changes.

    Now you can specify the required access control rules.

Procedure: To set access control

Start by creating an ACL for the virtual server hr.acme.com.

  1. Access the Server Manager and choose the Preferences tab.

  2. Click the Restrict Access link.

  3. Under the Option column, select the ACL file. In this example, choose the default file, and then click OK.

    Figure 3–6 Access Control List Management Page


  4. Select Pick a Resource and then specify the following wildcard pattern to control access to all files in the /hr/publish/manager directory:

    /hr/publish/manager/*

  5. Click the Edit Access Control button.

  6. Check the “Access control is on” checkbox and click the New Line button.

    Figure 3–7 Editing the Access Control


  7. Click on Deny in the second row of the Action column.

    This opens the Allow/Deny page in the lower frame, as shown in Figure 3–8.

    Figure 3–8 Restricting Access Control


  8. Click Allow, if not selected by default, and then click Update.

  9. Click on “anyone” in the Users/Groups column, in the top frame.

  10. In the User/Group page that appears in the lower frame, enter “manager” as the user you will allow access to, and keyfile1 as the authentication database, as shown in Figure 3–9.

    Figure 3–9 Access Control for User and User Groups


  11. Click Update.

  12. Click Submit to store the new access control rules in the ACL file.

  13. Click Apply Changes and save and apply the changes that you have made.

    Once the ACL is set, users accessing the protected resource are required to authenticate before they are allowed access, as shown below:

    Figure 3–10 User Authentication Page

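The procedure above leaves two ordered rows on the resource /hr/publish/manager/*: deny anyone, then allow the user manager authenticated against keyfile1. The following Python script is an added example, not code from the Sun documentation or from the product; it models how such an ordered rule set decides a request, so you can confirm the outcomes the chapter expects: an anonymous request gets the login challenge of Figure 3–10, manager with a correct password is allowed, any other authenticated user or a wrong password is refused, and paths outside the pattern stay open. KeyFileDb, Rule, Acl, build_chapter_acl and evaluate are hypothetical names; the password storage in KeyFileDb is a constructed PBKDF2 stand-in, not the product's on-disk key file format; and the allow_from_host parameter goes beyond the steps on the page by adding the host-based half of the "combination" to the allow row.

```python
import fnmatch
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional


def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class KeyFileDb:
    """Constructed stand-in for a Key File directory service such as keyfile1.

    Only the behaviour is modelled (verify a password, report group membership);
    the real key file format is not reproduced here.
    """

    def __init__(self, name: str) -> None:
        self.name = name
        self._users: dict = {}

    def add_user(self, user: str, password: str, groups=()) -> None:
        salt = os.urandom(16)
        self._users[user] = (salt, _pbkdf2(password, salt), frozenset(groups))

    def authenticate(self, user: str, password: str) -> bool:
        rec = self._users.get(user)
        if rec is None:
            return False
        salt, digest, _ = rec
        return hmac.compare_digest(digest, _pbkdf2(password, salt))

    def groups(self, user: str) -> frozenset:
        return self._users[user][2] if user in self._users else frozenset()


@dataclass
class Rule:
    action: str                  # "allow" or "deny"
    principal: str               # "anyone", "all", "group:<name>" or a user name
    host: Optional[str] = None   # fnmatch pattern on the client host; None = any host


@dataclass
class Acl:
    resource: str                # URI wildcard, e.g. "/hr/publish/manager/*"
    database: KeyFileDb          # where users named in the rules are authenticated
    rules: list                  # evaluated in order; the last matching rule decides


def build_chapter_acl(db: KeyFileDb, allow_from_host: Optional[str] = None) -> Acl:
    """The two rows from steps 6-11: deny anyone, then allow manager.

    allow_from_host is an assumed extension: it restricts the allow row to
    clients whose host name matches the pattern (host-based access control).
    """
    return Acl("/hr/publish/manager/*", db, [
        Rule("deny", "anyone"),
        Rule("allow", "manager", host=allow_from_host),
    ])


def _principal_matches(rule: Rule, user: Optional[str], db: KeyFileDb) -> bool:
    if rule.principal == "anyone":
        return True                          # includes unauthenticated requests
    if user is None:
        return False                         # every other principal needs credentials
    if rule.principal == "all":
        return True
    if rule.principal.startswith("group:"):
        return rule.principal[len("group:"):] in db.groups(user)
    return rule.principal == user


def evaluate(acls, path: str, client_host: str, credentials=None) -> str:
    """Decide one request: "allow", "deny" or "authenticate" (a 401 challenge).

    credentials is None for an anonymous request or a (user, password) tuple.
    """
    decision = "allow"            # content not covered by any ACL stays open
    challenge = False             # some applicable rule names a principal needing credentials
    authenticated = False
    for acl in acls:
        if not fnmatch.fnmatchcase(path, acl.resource):
            continue
        user = None
        if credentials is not None and acl.database.authenticate(*credentials):
            user, authenticated = credentials[0], True
        for rule in acl.rules:
            if rule.host is not None and not fnmatch.fnmatchcase(client_host, rule.host):
                continue                     # host-based restriction not met: row skipped
            if rule.principal != "anyone":
                challenge = True
            if _principal_matches(rule, user, acl.database):
                decision = rule.action       # later matching rows override earlier ones
    if decision == "deny" and challenge and not authenticated:
        return "authenticate"     # the login prompt of Figure 3-10
    return decision


if __name__ == "__main__":
    keyfile1 = KeyFileDb("keyfile1")
    keyfile1.add_user("manager", "constructed-password", groups=("hr",))
    acls = [build_chapter_acl(keyfile1)]
    for creds in (None, ("manager", "constructed-password"), ("manager", "wrong")):
        print(creds, "->", evaluate(acls, "/hr/publish/manager/report.html", "pc1.acme.com", creds))
```

The order of the two rows matters: because the last matching row decides, "deny anyone" must come first so that the later "allow manager" can override it for the authenticated user; reversing them would leave the deny row in force for everyone. Restricting the allow row by host yields a plain refusal (not a login prompt) for a manager connecting from a non-matching host, since no applicable row names a credentialed principal.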