Sun WebServer Installation Guide

Migrating the Sun WebServer 1.0 access.acl File

Access control has changed substantially between Sun WebServer 1.0 and 2.0. Review the Sun WebServer 2.0 access control documentation before attempting to migrate the old Sun WebServer access control structure to the new one. The most significant changes are listed below:

To migrate the Sun WebServer 1.0 access.acl file to 2.0, you must create or select authentication realms, rewrite the access controls for the mapped URLs in the new 2.0 syntax, and move the access controls from the access.acl file and any delegated files into the access.conf file of each individual web site.

Realms

In Sun WebServer 1.0, the realm directive had little significance other than as an identifier for the browser (printed in the authentication dialog box). In Sun WebServer 2.0, the realm specifies a pre-existing set of users and groups used for authenticating access to a URL. Realm information is stored in the realms.conf file. HTPASSWD realms also have a directory associated with them (defined in realms.conf), which contains the "users" and "groups" files to be used in the authentication. The password_file and group_file directives in Sun WebServer 1.0 ACLs are therefore obsolete. All 1.0 realms will be HTPASSWD realms in 2.0, since these user-created databases were the only source available in 1.0.

Migrating to Sun WebServer 2.0 realms
  1. Given the following Sun WebServer 1.0 access control in /etc/http/access.acl for host widgets:


    url /reports {
        realm                  Managers
        authentication_type    basic

        password_file          /usr/auth/Managers/Managers_users
        group_file             /usr/auth/Managers/Managers_groups

        + group                report_managers
        - user                 Joe
    }
  2. Create a realm to hold the password and group file. This can be done as follows:


    # htrealm add -i server1 -h widgets -r Managers -s HTPASSWD
    

    This command will add the following entry to the realms.conf for the site widgets:


    realm Managers {
    	realm_source HTPASSWD
    }

    It also creates the following directory at the site widgets:


    /var/http/server1/websites/widgets/conf/realms/Managers/
  3. Copy the users and groups files into the Managers directory:


    # cp /usr/auth/Managers/Managers_users \
    	/var/http/server1/websites/widgets/conf/realms/Managers/users
    # cp /usr/auth/Managers/Managers_groups \
    	/var/http/server1/websites/widgets/conf/realms/Managers/groups
    
  4. Remove the file directives from the Sun WebServer 1.0 ACL and place the new ACL in the Sun WebServer 2.0 ACL file: /var/http/server1/websites/widgets/conf/access.conf:


    url /reports {
        realm                  Managers
        authentication_type    basic

        + group                report_managers
        - user                 Joe
    }
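The four steps above, scripted as an added example (not part of the original guide or of Sun WebServer): migrate_acl is a hypothetical helper that strips the obsolete file directives from a 1.0 url block and returns the htrealm and cp commands of steps 2 and 3. It goes one step beyond the walkthrough by refusing to let one realm name stand for two different password or group files, because in 2.0 the realm name selects the user database; it assumes one directive per line, as in the sample.

```python
from shlex import quote as q

# Constructed sample input: the 1.0 ACL from step 1 of the procedure above.
SAMPLE_ACL = """\
url /reports {
    realm                  Managers
    authentication_type    basic

    password_file          /usr/auth/Managers/Managers_users
    group_file             /usr/auth/Managers/Managers_groups

    + group                report_managers
    - user                 Joe
}
"""

# 1.0 directives replaced in 2.0 by fixed file names in the realm directory
OBSOLETE = {"password_file": "users", "group_file": "groups"}

def migrate_acl(acl_text, instance, site):
    """Return (access.conf text, shell commands) for the 1.0 url blocks given."""
    realms_dir = f"/var/http/{instance}/websites/{site}/conf/realms"
    out, commands, seen = [], [], {}
    realm, files = None, {}
    for line in acl_text.splitlines():
        fields = line.split()
        key = fields[0] if fields else ""
        if key in OBSOLETE and len(fields) == 2:
            files[OBSOLETE[key]] = fields[1]
            continue                      # not carried into the 2.0 ACL
        if not fields and out and not out[-1].strip():
            continue                      # collapse the gap left behind
        if key == "realm" and len(fields) == 2:
            realm = fields[1]
        elif key == "}" and files:
            if realm is None:
                raise ValueError("password/group file given without a realm")
            # One realm name must not stand for two different 1.0 file sets.
            if seen.setdefault(realm, files) != files:
                raise ValueError(f"realm {realm!r} maps to different files")
            if seen[realm] is files:      # first block to use this realm
                commands.append(f"htrealm add -i {q(instance)} -h {q(site)} "
                                f"-r {q(realm)} -s HTPASSWD")
                commands += [f"cp {q(src)} {q(f'{realms_dir}/{realm}/{name}')}"
                             for name, src in files.items()]
        if key == "}":
            realm, files = None, {}
        out.append(line)
    return "\n".join(out) + "\n", commands
```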

Delegation

The concept of delegation has been removed from Sun WebServer 2.0. All the access controls that were previously located within delegated files must be relocated into the single access.conf for a particular site.

Converting a delegated ACL
  1. Given the following Sun WebServer 1.0 ACL and delegated file:

    • ACL in /etc/http/access.acl:


      url /statistics {
          delegate    /var/http/acls/.admin_acl
      }
    • /var/http/acls/.admin_acl file:


      realm            admin
      password_file    /usr/auth/admin_user
      group_file       /usr/auth/admin_group

      + group          stat_admins
  2. These must be collapsed into a single ACL:

    Note - The realm admin must have been created first; see the previous example.

    url /statistics {
        realm      admin
        + group    stat_admins
    }

Converting a delegated ACL (advanced)
  1. Given the following Sun WebServer 1.0 ACL and delegated file:

    • ACL in access.acl:


      url /statistics {
          delegate    /var/http/acls/.admin_acl
      }
    • /var/http/acls/.admin_acl file (the ownership of this file is joe:adm)


      realm            admins
      password_file    /usr/auth/admin_user
      group_file       /usr/auth/admin_group

      + group          stat_admins
  2. These must be collapsed into a single ACL, with the owner and group of the delegated file (joe:adm) carried over in an administrators block:


    url /statistics {
        realm      admins

        administrators {
            user     joe
            group    adm
        }

        + group    stat_admins
    }