Oracle iPlanet Web Proxy Server 4.0.14 Administration Guide

How Access Control Works

When the server receives a request for a page, it uses the rules in the ACL file to determine whether access should be granted. The rules can reference the host name or IP address of the computer sending the request. The rules can also reference users and groups stored in the LDAP directory.

The following example shows the possible contents of an ACL file, and provides examples of access control rules.

version 3.0;
# The following "es-internal" rules protect files such
# as icons and images related to iPlanet Web Proxy Server.
# These "es-internal" rules should not be modified.
  acl "es-internal";
  allow (read, list, execute,info) user = "anyone";
  deny (write, delete) user = "anyone";

# The following rules deny access to the directory "web"
# to everyone not in the directory server and deny everyone
# in the directory server who is not in GroupB.
# Only the users in GroupB are allowed read, execute, list,
# and info permissions. GroupA cannot gain access to the
# directory "web" even though (in the ACL rule below) they
# can access the directory “my_stuff”. Furthermore, members
# of GroupB cannot write or delete files.
  acl "path=/export/user/990628.1/docs/my_stuff/web/";
  authenticate (user,group) {
     database = "default";
     method = "basic";
  deny (all)
  (user = "anyone");

  allow (read,execute,list,info)
  (group = "GroupB");

# The following rule denies everyone not in the directory
# server and denies everyone in the directory server except
# users with the ID of "SpecificMemberOfGroupB". The ACL rule
# in this setting also has a requirement that the user
# connect from a specific IP address. The IP address setting
# in the rule is optional, and has been added for extra
# security. Also, this ACL rule has a Customized prompt
# of "Presentation Owner". This Customized prompt appears
# in the username and password dialog box in the client’s
# browser.

  acl "path=/export/user/990628.1/docs/my_stuff/web/presentation.html";
  authenticate (user,group) {
     database = "default";
     method = "basic";
     prompt = "Presentation Owner";
  deny (all)
  (user = "anyone" or group = "my_group");
  allow (all)
  (user = "SpecificMemberOfGroupB") and
  (ip = "");

# The following ACL rule denies everyone not in the directory
# server and everyone in the directory server except for
# GroupA and GroupB access to the directory “my_stuff”
  acl "path=/export/user/990628.1/docs/my_stuff/";
  authenticate (user,group) {
     database = "default";
     method = "basic";
  deny (all)
  (user = "anyone");
  allow (read,execute,list,info)
  (group = "GroupA,GroupB");


For example, if a user requests the URL http://server_name/my_stuff/web/presentation.html, the Proxy Server first checks access control for the entire server. If the ACL for the entire server is set to continue, the server checks for an ACL for the directory my_stuff. If an ACL exists, the server checks the ACEs within the ACL, and then moves on to the next directory. This process continues until an ACL is found that denies access, or until the final ACL for the requested URL, in this case, the file presentation.html is reached.

To set up access control for this example using the Server Manager, you could create an ACL for the file only, or create an ACL for each resource leading to the file, that is, one for the entire server, one for the my_stuff directory, one for the my_stuff/web directory, and one for the file.

If more than one ACL matches, the server uses the last ACL statement that has a match.