NAME | SYNOPSIS | DESCRIPTION | EXAMPLES | ATTRIBUTES | SEE ALSO | NOTES
site_path/conf/access.conf - Web site access control lists.
/etc/http/access.conf - Global access control lists for administration
The access.conf file defines Access Control Lists (ACLs) for the content (represented as URI) hosted by a web site. ACLs regulate access to resources on the site by defining which users, groups, and/or hosts have permission to make HTTP GET, PUT, POST, and DELETE requests. ACLs also determine which users, groups, and/or hosts have permission to modify the ACL itself.
ACL definitions may be created by htaccess(1m), by the Sun WebServer Administration Console, or by the Apache Emulator for FrontPage publishing tools.
If FrontPage publishing is active for a site, do not edit the access.conf file. FrontPage must be able to read and write the ACL information in a form that it can use, and manual edits may interfere with FrontPage's ability to manage ACL information.
Each ACL definition in the file consists of the following:
Realm used to store information about valid users.
Authentication scheme used to ask clients for password information.
List of users and/or groups in the realm who have permission to change the ACL definition.
HTTP method block or blocks defining the access permissions on the URI for the given methods.
Optionally, URI of the resource using the ACL. If the URI is not specified, it applies to all the URIs under this site.
Optionally, ACL definition blocks for URIs beneath the current one in the document root. These definitions assume the definition of the parent block; explicit directives change the definition in the child block and its children.
The following syntax rules apply to the access.conf file:
The pound sign (#) is a comment character. All characters from a # to the end of a line are ignored.
White space is ignored in directive definitions.
A string with a space must be inside double quotes.
Some directives accept a list of values. Separate multiple values by white space. If more than one line is required to list all values, escape all but the last new line with a backslash (\) at the end of the line.
All directives are grouped in blocks surrounded by curly braces ({ and }). Any amount of white space, new lines, or directive definitions may appear between an opening curly brace and its matching close, including directive blocks that also use matched curly braces to contain a definition.
ACL definitions (url { } blocks) may be nested within other definitions, as long as the nesting matches the actual URI hierarchy. You cannot nest url /parent/subdir { ... url /parent { ... } }. The nested URL is always treated as a path relative to the parent URL.
The ACL definition on a given URI inherits directives from ACLs on parent URIs, even if the blocks are not nested.
Each ACL definition is in the following form:
url <URI> {
    [ realm <realm_name> ]
    [ authentication_scheme <auth_scheme> ]
    [ administrator {
          user <realm_user>[ <realm_user>]...
          [ group <realm_group>[ <realm_group>]... ]
      } ]
    [ method <method_list> {
          [ + | - group * | <realm_group>[ <realm_group>]... ]...
          [ + | - host * | <host>[ <host>]... ]...
          [ + | - user * | <realm_user>[ <realm_user>]... ]...
      } ]...
    [ url <URI> { <ACL> } ]...
}
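The grammar and syntax rules above, exercised by an added parser (example code, not part of Sun WebServer or this manual page) that handles # comments, double-quoted strings, backslash-escaped newlines, brace blocks, and nested url blocks resolved relative to their parent. The sample configuration is constructed; its realm, path and user names are placeholders.

```python
import re

# Constructed sample in the syntax above; realm, path and user names are placeholders.
SAMPLE = '''url "/" {
    realm publishing
    url "/docs" {                 # nested path is relative to the parent: /docs
        method PUT DELETE {
            + user alice \\
                   bob            # escaped newline continues the value list
        }
    }
}
'''
NEWLINE = object()  # sentinel: an unescaped newline ends a directive
TOKEN_RE = re.compile(r'"([^"]*)"|([{}])|([^\s{}"]+)')

def tokenize(text):
    """Yield words (quotes stripped), braces and NEWLINE sentinels."""
    text = text.replace("\\\n", " ")          # backslash-newline joins lines
    for line in text.splitlines():
        line = line.split("#", 1)[0]          # '#' to end of line is ignored
        for quoted, brace, word in TOKEN_RE.findall(line):
            yield brace or word or quoted
        yield NEWLINE

def parse(tokens, depth=0):
    """Return a list of (words, sub_block); sub_block is None or a nested list."""
    block, words = [], []
    for tok in tokens:
        if tok == "{":                        # the words so far name the block
            block.append((words, parse(tokens, depth + 1)))
        elif tok is not NEWLINE and tok != "}":
            words.append(tok)
            continue
        elif words:                           # unescaped newline ends a directive
            block.append((words, None))
        words = []                            # start collecting the next directive
        if tok == "}":
            if depth == 0: raise ValueError("unbalanced '}'")
            return block
    if depth: raise ValueError("missing '}'")
    return block

def flatten(block, parent="/"):
    """Map each effective URI to its own directives; a nested url is relative to its parent."""
    acls = {}
    for words, sub in block:
        if words[:1] == ["url"] and sub is not None:
            rel = words[1].lstrip("/") if len(words) > 1 else ""
            uri = parent.rstrip("/") + "/" + rel if rel else parent
            acls[uri] = [(w, s) for w, s in sub if w[:1] != ["url"]]
            acls.update(flatten(sub, uri))
    return acls
```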
The syntax and definition of each directive and block is explained in the following Directives section. Note that all directives are optional. Unless a directive is explicitly defined, its value is inherited from the ACL on the parent URI. If there is no value defined in the parent URI ACL (or any of its parents), the following defaults apply:
realm
    There is no default. If no realm can be defined, then all user and group directives are ignored.
authentication_scheme
    If you do not change the default of no authentication_scheme, then all user and group directives are ignored.
method
    Defaults to ALL.
group
    Defaults to + group *, meaning any authenticated member of any group in the realm is allowed access unless another directive explicitly denies access.
host
    Defaults to + host *, meaning connections are allowed from any host name.
user
    Defaults to + user *, meaning any authenticated user defined in the realm is allowed access unless another directive explicitly denies access.
administrator
    Defaults to either the site or the server administrator. A site administrator is the principal with access to the pseudo-URI "/sws_administration" in the site-level access.conf. Similarly, a server administrator is a principal with access to the pseudo-URI "/sws_administration" in the global access.conf.
The following keyword directives are valid in the access.conf file:
administrator { ... }
    Names users and groups in the specified realm with permission to change or delete the ACL through the Sun WebServer Administration Console or the htaccess(1m) utility. The administrator block contains a user directive and optionally a group directive:
    user <realm_user> [<realm_user>]...
        Defines ACL administrators. User names must be valid in the ACL's realm.
    group <realm_group> [<realm_group>]...
        Defines groups whose members have permission to change or delete the ACL. Group names must be valid in the ACL's realm.
authentication_scheme basic | md5 | none
    Defines the encoding of authentication information for the ACL: basic means user name and password information are sent in BASE64 encoding over HTTP; md5 means the server exchanges a message digest of certain header fields, so the password is never sent over the wire; none means that no authentication scheme is used.
method <method_list> { ... }
    Defines a block of permissions that regulate access to the named resource for the HTTP methods listed. The method list can be ALL, meaning any method, or a list of one or more of: DELETE, GET, POST, or PUT. The permissions regulate access to the resource by host name, realm group name, or realm user name:
    + | - host * | <pattern> [<pattern>]...
        Allows (+) or denies (-) access to hosts matching the pattern. If host is an asterisk (*), the access permission serves as the default for all hosts.
        If pattern consists only of numbers, it is considered an IP address pattern; otherwise it is considered a host or domain name pattern. For IP addresses, the permission is applied to any host whose IP address begins with pattern. For host or domain names, the permission is applied to any host whose fully qualified domain name (FQDN) ends with pattern.
    + | - group * | <realm_group> [<realm_group>]...
        Allows (+) or denies (-) access to authenticated realm users who are members of one of the listed groups. If group is an asterisk (*), the access permission serves as the default for all groups.
    + | - user * | <realm_user> [<realm_user>]...
        Allows (+) or denies (-) access to the listed authenticated realm users. If user is an asterisk (*), the access permission serves as the default for all users.
realm <realm_name>
    Defines the realm to use as the source for user name, password, and group information for this ACL. The realm_name must exist in the web site's realms.conf(4) file, or all user and group permissions will be ignored.
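The host pattern rule above (numeric pattern = IP address prefix, anything else = domain name suffix), worked as an added example that is not code from Sun WebServer or this manual page, followed by an evaluator for the host directives of one method block. Two points are assumptions, not statements of the page: prefixes and suffixes are compared on dotted-component boundaries, which is stricter than a plain string match, and where an allow and a deny both match, the deny wins; the sample directives and addresses are constructed.

```python
def host_pattern_matches(pattern, ip, fqdn):
    """Classify and match one host pattern as the page describes: all-numeric
    patterns are IP-address prefixes, anything else is a domain-name suffix."""
    if pattern == "*":
        return True
    if pattern.replace(".", "").isdigit():     # "consists only of numbers"
        # Assumption: compare on dotted-octet boundaries, so "10.1" matches
        # 10.1.x.x but not 10.10.x.x (a plain startswith would match both).
        want = pattern.strip(".").split(".")
        return ip.split(".")[: len(want)] == want
    # Assumption: compare on label boundaries, so "example.com" matches
    # www.example.com but not badexample.com (a plain endswith would match both).
    want = pattern.strip(".").lower()
    host = fqdn.lower().rstrip(".")
    return host == want or host.endswith("." + want)

def host_allowed(directives, ip, fqdn):
    """Evaluate the host directives of one method block, given as word lists.
    '*' sets the default (the page default is '+ host *'); a matching explicit
    deny wins over a matching allow (assumed precedence; the page only says a
    deny must be explicit). group and user directives are not considered here."""
    default, allow, deny = True, False, False
    for words in directives:
        if len(words) < 3 or words[1] != "host":
            continue
        sign, patterns = words[0], words[2:]
        for p in patterns:
            if p == "*":
                default = sign == "+"
            elif host_pattern_matches(p, ip, fqdn):
                if sign == "+":
                    allow = True
                else:
                    deny = True
    if deny:
        return False
    return True if allow else default

# Constructed method block: deny everyone by default, allow the 10.1.x.x lab
# network and the example.com domain, then deny one lab subnet again.
LAB_BLOCK = [
    ["-", "host", "*"],
    ["+", "host", "10.1", "example.com"],
    ["-", "host", "10.1.99"],
    ["+", "user", "*"],   # user directive: not part of host evaluation
]
```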
Access control for the Sun WebServer Administration Console server administration is defined in the global /etc/http/access.conf file. The special URI /sws-administration defines ACLs for administration:
url "/sws-administration" {
    realm serverAdmin
    authentication_type basic
    + user *
}
A web site ACL to restrict HTTP publishing to valid users:
url "/" {
    realm publishing
    authentication_type basic
    method PUT DELETE {
        + user *
    }
}
See attributes(5) for descriptions of the following attributes:
ATTRIBUTE TYPE | ATTRIBUTE VALUE |
Availability | SUNWhttpc |
Interface Stability | Evolving |
The global /etc/http/access.conf is used by the Sun WebServer Administration Server. The command-line utilities protect server-wide administrative access using a pseudo-URI ("/sws_administration"). Similarly, site-wide administrative access is protected by the same pseudo-URI in the site-specific access.conf.