This section takes you through the process of restricting access to the files or directories on your web site. The sections following this one describe in detail each option available when using access control. Keep in mind that most access control rules use only a subset of the available options.
You can set access control through two Enterprise Server mechanisms, both of which offer flexibility in the scope of your settings.
Note.
You can set access control globally for all servers through the Enterprise Administration Server or for a resource within a specific server instance through the Server Manager. This section describes how to use the Server Manager to set up access control within a specific server instance. For more information regarding how to use the Enterprise Administration Server to set access control globally, see Restricting Server Access.
There is also a section of examples you can review in the section Access Control Examples.
To create an access control rule:
1. From Enterprise Server, choose the Preferences tab.
2. Click the Restrict Access link.
3. In the "Pick a resource" section, specify the part of the server (the resource) that you want to control.
4. Click Edit Access Control.
5. Click New Line.
6. Select the action you want to apply to the rule by clicking Deny.
7. Specify User-Group authentication by clicking "anyone" listed under the Users/Groups column.
8. Specify the computers you want to include in the rule by clicking "anyplace."
9. Specify the access rights you want to include in the rule by clicking "all." Select the access rights in the bottom frame, and then click Update.
10. Specify the programs you want to restrict. Programs are the forms in the Server Manager for the server you selected. For example, you can restrict access to all forms for configuring the administration server by checking the "All Programs" radio button. If you want to restrict access to one or two sets of forms, choose the categories in the drop-down list. If you want to restrict access to one form in a category, type the name of the form in the "Program Items" field. For example, to restrict access to the access control form, type distacl in the Program Items field. For more information, see Access to Programs.
11. If you are familiar with ACL files, you can enter a customized ACL entry by clicking X under the Extra column.
12. Select Continue if you want the access control rule to continue in a chain.
13. Repeat steps 5 through 11 for each rule you need.
14. Click Submit to store the new access control rules in the ACL file.
The following sections describe the options that appear in the bottom frame of the access control page.
Setting Access Control Actions
You can specify the action the server takes when a request matches the access control rule.
The server goes through the list of ACEs to determine the access permissions. For example, the first ACE is usually to deny everyone. If the first ACE is set to "continue," the server checks the second ACE in the list. (If continue is not checked, everyone would be denied access to the resource.) If the second entry matches, then the next ACE is used. The server continues down the list until it reaches either an ACE that doesn't match or that matches but is set to not continue. The last ACE that matches is used to determine if access is allowed or denied. For example, in Figure 14.4 any user in the database can view a file (read access), but they must be in the "pubs" group if they want to publish a file to the server.
Figure 14.4    You can combine Deny and Allow statements in an ACL.
Specifying Users and Groups
You can restrict access to Enterprise Administration Server or your web site based on the user who requests a resource. With user and group authentication, users are prompted to enter a username and password before they can access the resource specified in the access control rule.
The Enterprise Server uses a list of users, who might be sorted into groups, to determine access rights for the user requesting a resource. You must define an administrators group (the group you set up for distributed administration) for access control in Enterprise Administration Server. The list of users (and the groups they are included in) are stored in an LDAP server, such as Netscape Directory Server. You should make sure the database contains users and groups (including the administrators group) before you set access control.
You can allow or deny access to everyone in the database, or you can allow or deny specific people by using wildcard patterns or lists of users or groups.
To configure access control with users and groups, follow the general directions for restricting access. When you click the Users/Groups field, additional options appear in the bottom frame. The following list describes the options in the bottom frame.
- Anyone (No Authentication) is the default and means anyone can access the resource without having to enter a username or password. However, the user might be denied access based on other settings, such as host name or IP address. For Enterprise Administration Server, this means that anyone in the administrators group that you specified with distributed administration can access the pages.
- All in the authentication database matches any user who has an entry in the database. To use this option, you must also check "Authenticated people only." For Enterprise Administration Server, the users you specify must also be in the "administrators" group you specified for distributed administration.
- Only the following people lets you specify certain users and groups to match. You can list the users and groups of users individually by separating the entries with commas. Or, you can enter a wildcard pattern. To use this option, you must also check "Authenticated people only."
- Prompt for authentication lets you specify message text that appears in the authentication dialog box. You can use this text to describe what the user needs to enter. Depending on the operating system, the user will see about the first 40 characters of the prompt. Netscape Navigator and Netscape Communicator cache the username and password and associate them with the prompt text. This means that if the user accesses areas (files and directories) of the server that have the same prompt, the user won't have to retype usernames and passwords. Conversely, if you want to force users to reauthenticate for various areas, you simply need to change the prompt for the ACL on that resource.
- Authentication Methods specifies the method the server uses when getting authentication information from the client.
- Authentication Database lets you select a database that the server uses to authenticate users. The default setting means the server looks for users and groups in an LDAP directory. However, you can configure individual ACLs to use different databases. You can specify different databases and LDAP directories in the file server_root/userdb/dbswitch.conf. Then, you can choose the database you want to use in the ACL by selecting it in the drop-down list. If you use the access control API to use a custom database (for example, to use an Oracle or Informix database), you can type the name of the database in the "Other" field in the User/Group window.
Specifying Host Names and IP Addresses
You can restrict access to Enterprise Administration Server or your web site based on which computer the request comes from. You specify this restriction by using wildcard patterns that match the computers' host names or IP addresses. For example, to allow or deny all computers in a specific domain, you would enter a wildcard pattern that matches all hosts from that domain, such as *.netscape.com. You can set different hostnames and IP addresses that the superuser must use when accessing Enterprise Administration Server.
To specify users from hostnames or IP addresses, follow the directions for restricting access in Restricting Access to Your Web Site. When you click the From Host field (the link called "anyplace"), additional options appear in the bottom frame. Check the "Only from" option and then type either a wildcard pattern or a comma-separated list of hostnames and IP addresses. Restricting by hostname is more flexible than by IP address: if a user's IP address changes, you won't have to update this list. Restricting by IP address, however, is more reliable: if a DNS lookup fails for a connected client, hostname restriction cannot be used.
The hostname and IP addresses should be specified with a wildcard pattern or a comma-separated list. The wildcard notations you can use are specialized; you can only use the *. Also, for the IP address, the * must replace an entire byte in the address. That is, 198.95.251.* is acceptable, but 198.95.251.3* is not. When the * appears in an IP address, it must be the right-most character. For example, 198.* is acceptable, but 198.*.251.30 is not.
For hostnames, the * must also replace an entire component of the name. That is, *.netscape.com is acceptable, but *sers.netscape.com is not. When the * appears in a hostname, it must be the left-most character. For example, *.netscape.com is acceptable, but users.*.com is not.
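The following matcher is an added example, not code from Enterprise Server, showing the "Only from" wildcard rules above as a validator and matcher: a single * may replace only whole octets at the right end of an IP address or whole components at the left end of a hostname, and a comma-separated list admits a client if any pattern matches. It assumes a host pattern's * stands for one or more leading components.

```python
"""Added example: validate and evaluate "Only from" host/IP wildcard patterns."""
import re

_OCTET = re.compile(r"(25[0-5]|2[0-4]\d|1?\d?\d)")   # one decimal byte, 0-255
_LABEL = re.compile(r"[A-Za-z0-9-]+")                # one hostname component


def _is_ip(s: str) -> bool:
    parts = s.split(".")
    return len(parts) == 4 and all(_OCTET.fullmatch(p) for p in parts)


def validate_pattern(pattern: str) -> str:
    """Return "ip" or "host" if the rules permit the pattern; raise ValueError otherwise."""
    parts = pattern.split(".")
    if "*" not in pattern:
        return "ip" if _is_ip(pattern) else "host"
    if pattern.count("*") != 1 or len(parts) < 2:
        raise ValueError(f"only one * replacing a whole component is allowed: {pattern!r}")
    # IP form, e.g. 198.95.251.* or 198.*: the * is the whole, right-most component
    if parts[-1] == "*" and len(parts) <= 4 and all(_OCTET.fullmatch(p) for p in parts[:-1]):
        return "ip"
    # Host form, e.g. *.netscape.com: the * is the whole, left-most component
    if parts[0] == "*" and all(_LABEL.fullmatch(p) for p in parts[1:]):
        return "host"
    # Rejects 198.95.251.3*, 198.*.251.30, *sers.netscape.com and users.*.com
    raise ValueError(f"invalid wildcard pattern: {pattern!r}")


def matches(pattern: str, client: str) -> bool:
    """True if the client's IP address or hostname falls under the pattern."""
    kind = validate_pattern(pattern)
    if kind == "ip":
        if not _is_ip(client):
            return False  # an IP pattern never matches a hostname
        p, c = pattern.split("."), client.split(".")
        return c[:len(p) - 1] == p[:-1] if p[-1] == "*" else c == p
    p, c = pattern.lower().split("."), client.lower().split(".")
    if p[0] == "*":
        suffix = p[1:]
        # Assumption: the * stands for one or more leading components, never zero
        return len(c) > len(suffix) and c[-len(suffix):] == suffix
    return c == p


def only_from(spec: str, client: str) -> bool:
    """Evaluate an "Only from" value: a comma-separated list of patterns."""
    return any(matches(pat.strip(), client) for pat in spec.split(",") if pat.strip())
```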
Setting Access Rights
You can set access rights to files and directories on your web site. That is, in addition to allowing or denying all access rights, you can specify a rule that allows or denies partial access rights. For example, you can give people read-only access rights to your files, so they can view the information but not change the files. This is particularly useful when you use the web publishing feature to publish documents.
When you create an access control rule, the default access rights are set to all access rights. To change access rights, click the Rights link in the top frame, and then choose the access rights you want to set for a particular rule. The following list describes each access right you can check.
- Read access lets a user view a file. This access right includes the HTTP methods GET, HEAD, POST, and INDEX.
- Write access lets a user change or delete a file. Write access includes the HTTP methods PUT, DELETE, MKDIR, RMDIR, and MOVE. To delete a file, a user must have both write and delete privileges.
- Execute access applies to server-side applications, such as CGI programs, Java applets, and agents.
- Delete access means a user who also has write privileges can delete a file or directory.
- List access means the user can get directory information. That is, they can get a list of the files in that directory. This applies to Web Publisher and to directories that don't contain an index.html file.
- Info access means the user can get headers (http_head method). This is mainly used by the Web Publisher.
Access to Programs
You can select areas of the administration server that administrators can access. You can choose groups of tabs that appear in the Server Manager (such as Cluster Management), or you can choose specific pages that appear as links in the left frame of the Server Manager (such as "New User" in the User & Groups tab).
To control access to a program in a server:
1. Go to the Universal Enterprise Settings for the administration server. Choose Restrict Access from the Global Settings tab.
2. From the drop-down list, choose the server whose administration access you want to restrict. The administration server is labeled "https-admserv." Other servers are labeled with their type and their server id (for example, https-mozilla).
3. Each ACL begins with two deny lines (the default setting), one that restricts access to only those users in the "administrators" group set for distributed administration, and another that restricts access to all users. If you want to change either of these lines, you need to manually edit the ACL file. Click New Line to add a rule to the ACL. Each rule you create allows access to the server. By specifically allowing access for users, you reduce the risk that you'll allow access to users you don't want.
4. Choose the users, groups, hosts, and IP addresses you want to apply to this access control rule.
5. By default, administrators have access to all programs for a server. Click the All link under Programs in the top frame. The bottom frame displays a page that lists the programs for the server type you selected.
6. Select "Only the following," and then select the Program Groups you want to apply to the rule. You can choose multiple groups by pressing the Control key and then clicking the groups you want.
7. You can control access to a specific page within a tab. Type the name of the page in the Program Items field.
8. Click Update and then Submit to save the access control rule.
Writing Customized Expressions
You can enter custom expressions for an ACL. You can use this feature if you are familiar with the syntax and structure of ACL files. There are a few features available only by editing the ACL file or creating custom expressions. For example, you can restrict access to your server depending on the time of day, day of the week, or both.
The following customized expression shows how you could restrict access by time of day and day of the week. This example assumes you have two groups in your LDAP directory: the "regular" group gets access Monday through Friday, 8:00am to 5:00pm. The "critical" group gets access all the time.
allow (read)
{
(group=regular and dayofweek="mon,tue,wed,thu,fri");
(group=regular and (timeofday>=0800 and timeofday<=1700));
(group=critical)
}
For more information on valid syntax and ACL files, see ACL File Syntax and Referencing ACL Files in obj.conf.
Selecting "Access control on"
When you uncheck the option labeled "Access control on," you'll get a prompt asking if you want to erase records in the ACL. When you click OK, the server deletes the ACL entry for that resource from the ACL file.
If you want to deactivate an ACL, you can comment out the ACL lines in the file generated-https-server-id.acl by putting # signs at the beginning of each line.
From Enterprise Administration Server, you could create and turn on access control for a specific server instance and leave it off (which is the default) for other servers. For example, you could deny all access to the Server Manager pages from Enterprise Administration Server. With distributed administration on and access control off by default for any other servers, administrators could still access and configure the other servers, but they cannot configure Enterprise Administration Server.
Note.
This access control is in addition to the user being in the administrators group set for distributed administration. The Enterprise Administration Server first checks that a user (other than superuser) is in the administrators group, and then it evaluates the access control rules.
Responding When Access is Denied
You can choose the response a user sees when denied access. You can vary the message for each access control object. By default, the user is sent a message that says the file was not found (the HTTP error code 404 Not Found is also sent).
To change what message is sent for a particular ACL, perform the following steps:
1. In the ACL page, click the link called "Response when denied."
2. In the lower frame, check the radio button called "Respond with the following file."
3. In the text field, type a URL or URI to a text or HTML file in your server's document root that you want to send to users when they are denied access. The server must have read access to this file, so you should consider putting the file in the document root.
4. Click Update.
Note: Make sure any users who get the response file have access to that file. If you have access control on the response file and the user is denied access to both the original resource and the response file, the server will send the default denied response.
Make sure you submit the access control rule by clicking Submit in the top frame.