
Specifying Users and Groups

■ “Specifying the From Host” on page 157
■ “Restricting Access to Programs” on page 158
■ “Setting Access Rights” on page 158
■ “Writing Customized Expressions” on page 159
■ “Turning Access Control Off” on page 160
■ “Responding When Access Is Denied” on page 160

Setting the Action

You can specify the action the server takes when a request matches the access control rule.

■ Allow means users or systems can access the requested resource.

■ Deny means users or systems cannot access the resource.

The server goes through the list of access control entries (ACEs) to determine the access permissions. For example, the first ACE is usually to deny everyone. If the first ACE is set to continue, the server checks the second ACE in the list. If that ACE matches, the next ACE is used. If Continue is not selected, everyone is denied access to the resource. The server continues down the list until it reaches either an ACE that does not match or an ACE that matches but does not continue. The last matching ACE determines if access is allowed or denied.
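As an added illustration (not the product's own code, and not its ACL file syntax), the following Python models the evaluation order described above: ACEs are walked in order, the last matching ACE decides, and a matching ACE whose Continue flag is off ends the walk (a non-matching ACE is skipped here, which is my reading of the text). The matching criteria mirror the Users/Groups options described under Specifying Users and Groups (anyone, individual users, wildcard patterns, groups); all rule contents, user names and group names are constructed.

```python
import fnmatch
from dataclasses import dataclass, field

@dataclass
class Ace:
    """One access control entry: an action plus who it matches (constructed model)."""
    action: str                                  # "allow" or "deny"
    users: list = field(default_factory=list)    # user names or wildcard patterns
    groups: list = field(default_factory=list)   # group names
    anyone: bool = False                         # matches every request, authenticated or not
    cont: bool = False                           # the ACE's Continue flag

    def matches(self, user, user_groups):
        if self.anyone:
            return True
        if user is None:          # unauthenticated request: only an "anyone" ACE can match
            return False
        if any(fnmatch.fnmatchcase(user, pattern) for pattern in self.users):
            return True
        return any(group in user_groups for group in self.groups)

def evaluate(aces, user, user_groups=()):
    """Walk the ACE list; the last matching ACE decides, and a matching ACE
    without Continue stops the walk. Assumption: no match at all means deny."""
    decision = "deny"
    for ace in aces:
        if not ace.matches(user, set(user_groups)):
            continue
        decision = ace.action
        if not ace.cont:
            break
    return decision

# Ordering pitfall: the specific deny sits after an allow that does not continue,
# so it is never reached and "ops-contractor" is allowed.
RULES_WRONG = [
    Ace("deny", anyone=True, cont=True),          # first ACE: deny everyone, continue
    Ace("allow", groups=["admins"], cont=True),
    Ace("allow", users=["ops-*"]),                # matches and stops here
    Ace("deny", users=["ops-contractor"]),
]

# Corrected: the broad allow continues, so the later specific deny is the last match.
RULES_FIXED = [
    Ace("deny", anyone=True, cont=True),
    Ace("allow", groups=["admins"], cont=True),
    Ace("allow", users=["ops-*"], cont=True),
    Ace("deny", users=["ops-contractor"]),
]
```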

Specifying Users and Groups

With user and group authentication, users are prompted to provide a user name and password before they can access the resource specified in the access control rule.

The Proxy Server checks lists of users and groups stored either in an LDAP server, such as Oracle Directory Server Enterprise Edition, or in an internal file-based authentication database. You can allow or deny access to everyone in the database, allow or deny specific people by using wildcard patterns, or select who to allow or deny from lists of users and groups.


The following elements are displayed for Users/Groups on the Access Control Rules For page in the user interface.

■ Anyone (No Authentication) is the default and means anyone can access the resource without providing a user name or password. However, the user might be denied access based on other settings, such as host name or IP address. For the Administration Server, this setting means that anyone in the administrators group that you specified for distributed administration can access the pages.

■ Authenticated People Only

■ All In The Authentication Database matches any user who has an entry in the database.

■ Only The Following People specifies which users and groups to match. You can list users or groups of users individually by separating the entries with commas, or with a wildcard pattern, or you can select from the lists of users and groups stored in the database. Group matches all users in the groups you specify. User matches the individual users you specify. For the Administration Server, the users must also be in the administrators group you specified for distributed administration.

■ Prompt For Authentication specifies the message text that is displayed in the authentication dialog box. You can use this text to describe what the user needs to type. Depending on the operating system, users see approximately the first 40 characters of the prompt. Most browsers cache the user name and password and associate them with the prompt text. If the user accesses areas of the server files and directories that have the same prompt, the user does not need to retype user names and passwords. Conversely, if you want to force users to reauthenticate for various areas, you must change the prompt for the ACL on that resource.

■ Authentication Methods specifies the method the server uses for getting authentication information from the client. The Administration Server offers only the Basic method of authentication. The Server Manager offers the following methods:

■ Default uses the default method specified in the obj.conf file, or Basic if no setting exists in obj.conf. If you select Default, the ACL rule does not specify a method in the ACL file. Choosing Default enables you to easily change the methods for all ACLs by editing one line in the obj.conf file.

■ Basic uses the HTTP method to get authentication information from the client. The user name and password are only encrypted if encryption is turned on for the server (SSL is enabled). Otherwise, names and passwords are sent in clear text, and can be read if intercepted.

■ SSL uses the client certificate to authenticate the user. To use this method, SSL must be turned on for the server. When encryption is on, Basic and SSL methods can be combined.

Note – You can enable security only in reverse proxy mode and not in forward proxy mode.

■ Digest uses an authentication mechanism that enables browsers to authenticate users based on user name and password without sending the user name and password as clear text. The browser uses the MD5 algorithm to create a digest value using the user’s password and some information provided by the Proxy Server. This digest value is also computed on the server side using the Digest authentication plug-in and compared against the digest value provided by the client.

Note – Prompt For Authentication is a required parameter in Digest Authentication. Change the value to match the realm (required for the digest file). For example, if in the digest file you have configured all users to be in the realm test, then the Prompt For Authentication field should contain the text test.

■ Other uses a custom method that you create using the access control API.

■ Authentication Database specifies the database that the server will use to authenticate users. This option is only available through the Server Manager. If you choose Default, the server looks for users and groups in a directory service configured as default. If you want to configure individual ACLs to use different databases, select Other, and specify the database. Non-default databases and LDAP directories must be specified in server-root/userdb/dbswitch.conf. If you use the access control API for a custom database, select Other, and type the database name.
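To make the Digest method and the realm note above concrete, here is an added Python example (not the Proxy Server's plug-in or its digest file format) of the computation on both sides: the browser hashes the password with the realm and a server-supplied nonce, and the server recomputes the same value from a stored MD5(user:realm:password) entry. It assumes the original RFC 2617 form without qop; the stored table, user, password and nonce are constructed, and the realm-lookup failure shows why the Prompt For Authentication text must equal the realm used in the digest file.

```python
import hashlib
import hmac

def _md5(text):
    return hashlib.md5(text.encode()).hexdigest()

def make_digest_file(entries):
    """Constructed stand-in for a digest file: realm -> user -> HA1.
    HA1 = MD5("user:realm:password"), so no clear-text password is stored."""
    table = {}
    for user, realm, password in entries:
        table.setdefault(realm, {})[user] = _md5(f"{user}:{realm}:{password}")
    return table

DIGEST_FILE = make_digest_file([("alice", "test", "s3cret")])   # realm "test", as in the note
NONCE = "constructed-server-nonce-0001"                          # the server-provided information

def client_response(user, realm, password, method, uri, nonce):
    """What the browser sends: the password is hashed locally and never transmitted.
    The realm is the Prompt For Authentication text the server challenged with."""
    ha1 = _md5(f"{user}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")

def server_verify(digest_file, prompt_realm, user, method, uri, nonce, response):
    """Server side: look up HA1 under the realm the ACL prompted with, recompute the
    digest, and compare in constant time. A prompt that does not match the digest
    file's realm finds no entry, so every user fails even with the right password."""
    ha1 = digest_file.get(prompt_realm, {}).get(user)
    if ha1 is None:
        return False
    expected = _md5(f"{ha1}:{nonce}:{_md5(f'{method}:{uri}')}")
    return hmac.compare_digest(expected, response)
```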
