Access control has changed substantially between Sun WebServer 1.0 and 2.0. Sun WebServer 2.0 access control documentation should be reviewed before attempting to migrate the old Sun WebServer access control structure to the new. The most significant changes are listed below:
The concept of realm has been greatly expanded, and a new configuration file, realm.conf, has been added.
Delegation of access control has been removed.
The access controls specified for the "/sws-administration" URL are used throughout Sun WebServer to determine the server administrator when the URL is specified in the server-level access.conf or the site administrator when specified in the site-level access.conf.
There is a single server-level access.conf file for all the instances on the system (located at /etc/http/access.conf). This file contains a single "/sws-administration" URL to define who is allowed to administer all instances.
Each web site also has its own site-level access.conf file to specify site administrators.
Realms can now use more sources for user data. A realm can authenticate a user against a standard HTPASSWD database or NIS+ database.
To migrate the Sun WebServer 1.0 access.acl file to 2.0, one needs to create or select authentication realms, modify the access control syntax for the mapped URLs to reflect the new 2.0 syntax, and collect the access controls in the access.acl file and delegated files to the access.conf files in each of the individual web sites.
In Sun WebServer 1.0, the realm directive had little significance other than as an identifier for the browser (printed in the authentication dialog box). In Sun WebServer 2.0, the realm specifies a pre-existing set of users and groups used for authenticating access to a URL. Realm information is stored in the realms.conf file. HTPASSWD realms have a directory associated with them as well (defined in realm.conf) which contains the "users" and "groups" files to be used in the authentication. The password_file and group_file directives in Sun WebServer 1.0 ACLs are therefore obsolete. All 1.0 realms will be HTPASSWD realms in 2.0 since these user-created databases were the only source available in 1.0.
Given the following Sun WebServer 1.0 access control in /etc/http/access.acl for host widgets:
url /reports {
    realm Managers
    authentication_type basic
    password_file /usr/auth/Managers/Managers_users
    group_file /usr/auth/Managers/Managers_groups
    + group report_managers
    - user Joe
}
Create a realm to hold the password and group file. This can be done as follows:
# htrealm add -i server1 -h widgets -r Managers -s HTPASSWD
This command will add the following entry to the realms.conf for the site widgets:
realm Managers {
    realm_source HTPASSWD
}
It also creates the following directory at the site widgets:
/var/http/server1/websites/widgets/conf/realms/Managers/
Copy the users and groups files into the Managers directory:
# cp /usr/auth/Managers/Managers_users \
    /var/http/server1/websites/widgets/conf/realms/Managers/users
# cp /usr/auth/Managers/Managers_groups \
    /var/http/server1/websites/widgets/conf/realms/Managers/groups
Remove the file directives from the Sun WebServer 1.0 ACL and place the new ACL in the Sun WebServer 2.0 ACL file: /var/http/server1/websites/widgets/conf/access.conf:
url /reports {
    realm Managers
    authentication_type basic
    + group report_managers
    - user Joe
}
The concept of delegation has been removed from Sun WebServer 2.0. All the access controls that were previously located within delegated files must be relocated into the single access.conf for a particular site.
Given the following Sun WebServer 1.0 ACL and delegated file:
ACL in /etc/http/access.acl:
url /statistics {
    delegate /var/http/acls/.admin_acl
}
/var/http/acls/.admin_acl file:
realm admin
password_file /usr/auth/admin_user
group_file /usr/auth/admin_group
+ group stat_admins
These must be collapsed into a single ACL:
The realm admin must have been created first; see the previous example.
url /statistics {
    realm admin
    + group stat_admins
}
Given the following Sun WebServer 1.0 ACL and delegated file:
ACL in access.acl:
url /statistics {
    delegate /var/http/acls/.admin_acl
}
/var/http/acls/.admin_acl file (the ownership of this file is joe:adm):
realm admins
password_file /usr/auth/admin_user
group_file /usr/auth/admin_group
+ group stat_admins
These must be collapsed into a single ACL:
url /statistics {
    realm admins
    administrators { user joe group adm }
    + group stat_admins
}
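The realm migration steps (create the HTPASSWD realm, copy the 1.0 password and group files, drop the file directives) and the delegation collapse shown in the two examples above follow one mechanical pattern, so here is a small converter that carries both through. This is an added example, not Sun's code or any tool shipped with Sun WebServer: the 1.0 access.acl text, the delegated file contents and the joe:adm ownership are constructed stand-ins embedded in the script, the htrealm and cp command forms are taken from the text above, and turning the delegated file's owner and group into an administrators block is modeled on the second delegation example.

```python
"""Convert Sun WebServer 1.0 access.acl entries into 2.0 access.conf form.

Added worked example, not Sun's own code. It models the migration described
above: drop password_file/group_file, inline delegated files into the site
ACL, turn the delegated file's owner/group into an "administrators" block,
and emit the htrealm/cp commands that create the HTPASSWD realm. The 1.0
text, the delegated-file contents and their ownership are constructed here.
"""
import re
from dataclasses import dataclass, field

# Constructed stand-in for the filesystem: path -> (contents, owner, group).
# A real migration reads the file and uses os.stat() for owner and group.
DELEGATED_FILES = {
    "/var/http/acls/.admin_acl": (
        "realm admins password_file /usr/auth/admin_user "
        "group_file /usr/auth/admin_group + group stat_admins",
        "joe", "adm"),
}

# Constructed 1.0 access.acl covering both examples from the text.
ACL_1_0 = """
url /reports { realm Managers authentication_type basic
  password_file /usr/auth/Managers/Managers_users
  group_file /usr/auth/Managers/Managers_groups
  + group report_managers - user Joe }
url /statistics { delegate /var/http/acls/.admin_acl }
"""

@dataclass
class Acl:
    url: str
    realm: str = ""
    auth_type: str = ""
    password_file: str = ""   # 1.0 only; becomes the realm's users file
    group_file: str = ""      # 1.0 only; becomes the realm's groups file
    rules: list = field(default_factory=list)           # (+/-, user|group, name)
    administrators: list = field(default_factory=list)  # (user|group, name)

def parse_body(acl, tokens):
    """Fold 1.0 directive tokens into acl; return a delegate path if present."""
    delegate, i = "", 0
    while i < len(tokens):
        t = tokens[i]
        if t in ("+", "-"):
            acl.rules.append((t, tokens[i + 1], tokens[i + 2]))
            i += 3
            continue
        value = tokens[i + 1]
        if t == "realm":
            acl.realm = value
        elif t == "authentication_type":
            acl.auth_type = value
        elif t == "password_file":
            acl.password_file = value
        elif t == "group_file":
            acl.group_file = value
        elif t == "delegate":
            delegate = value
        else:
            raise ValueError(f"unknown 1.0 directive {t!r} in {acl.url}")
        i += 2
    return delegate

BLOCK = re.compile(r"url\s+(\S+)\s*\{(.*?)\}", re.S)

def parse_1_0(text, files=DELEGATED_FILES):
    """Parse every url block; a delegated file is inlined and its owner and
    group are recorded as the URL's administrators (2.0 has no delegation)."""
    acls = []
    for url, body in BLOCK.findall(text):
        acl = Acl(url)
        delegate = parse_body(acl, body.split())
        if delegate:
            contents, owner, group = files[delegate]
            parse_body(acl, contents.split())
            acl.administrators = [("user", owner), ("group", group)]
        acls.append(acl)
    return acls

def realm_setup_commands(acls, instance, site):
    """htrealm/cp commands that create each referenced HTPASSWD realm and
    move the 1.0 password/group files into its realm directory."""
    cmds, seen = [], set()
    for a in acls:
        if not a.realm or a.realm in seen:
            continue
        seen.add(a.realm)
        realm_dir = f"/var/http/{instance}/websites/{site}/conf/realms/{a.realm}"
        cmds.append(f"htrealm add -i {instance} -h {site} -r {a.realm} -s HTPASSWD")
        if a.password_file:
            cmds.append(f"cp {a.password_file} {realm_dir}/users")
        if a.group_file:
            cmds.append(f"cp {a.group_file} {realm_dir}/groups")
    return cmds

def to_2_0(acl):
    """Render the 2.0 access.conf block: no file directives, no delegate."""
    lines = [f"url {acl.url} {{", f"    realm {acl.realm}"]
    if acl.auth_type:
        lines.append(f"    authentication_type {acl.auth_type}")
    if acl.administrators:
        inner = " ".join(f"{k} {v}" for k, v in acl.administrators)
        lines.append(f"    administrators {{ {inner} }}")
    lines += [f"    {sign} {kind} {name}" for sign, kind, name in acl.rules]
    lines.append("}")
    return "\n".join(lines)

if __name__ == "__main__":
    acls = parse_1_0(ACL_1_0)
    print("\n".join(realm_setup_commands(acls, "server1", "widgets")))
    print("\n\n".join(to_2_0(a) for a in acls))
```

Run it and the first three printed lines are the htrealm and cp commands for the Managers realm exactly as given above; the rendered blocks are the two 2.0 ACLs. Review the generated administrators line before installing it: it grants site-administration rights for that URL to whoever owned the old delegated file, which is the 2.0 equivalent of delegation and should be checked against who actually needs it.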