This document has the following sections:

• Settings
• Procedures
• Using Add ACL/Remove ACL
• To Add a User, Group, or Computer
• The Add Permission Box
• Buttons

A security realm contains users and/or groups plus their associated access control lists (ACL). The access control list for a user in a particular realm specifies the privileges that user is granted to access server resources. Resources include such things as files, directories, and servlets.

The Access Control Lists page allows you to add and delete access control lists, and to add or delete the users and groups they contain, for a given Realm. Access control lists let you control the users and groups and computers that access your web pages and other server resources.

The basic default permissions (if no user is granted any specific permissions) are:

• All are granted GET and POST.
• All are denied PUT and DELETE.

To allow PUT or DELETE for a user in a given Realm, you must specifically create an Access Control List with that permission.

Note: To enforce access control, you must first enable it in the Network Setup page.

Settings

Realm
A realm is a database of users, groups, and access control lists. It is used to specify which users have access to the resources of a specific service (for example, the Web Page Service).

The Java^TM Web Server^TM uses the list of users in the database to identify the customers for the service. Users that are not included in the realm cannot be added to any access control list for the service. Users not on an access control list are generally denied the use of the service.

In some cases, a service does not require that its customers be in an access control list. For example, many web page (HTTP) services make their documents available to all users without requiring that they be registered in an ACL first.

Specific access control policies are applied to both users and groups in the database. For example, one user (or group) may be granted only GET permission to the service, and thus only be able to retrieve and read documents from it. Another user (or group), however, may be granted both GET and POST permissions, meaning that the user (or the members of the group) can add documents for display, as well as read them. Both users (or groups) are in the same realm, but the access control policies applied to them are different.

Note: Individual access control permissions take precedence over group settings. For example, if a user in a group has both GET and POST access, but the group has only GET access, the user is still able to do both GET and POST.

By assigning specific access settings to each user and each group, you can control precisely how the resources of a service are used, and by whom.

The Java Web Server has the following security realms:

• UNIX - Applies only to users in a UNIX^TM environment. It is the same database of users as listed by the UNIX getpwent() routines. This realm lets the server use HTTP "Basic" authentication with users' UNIX passwords.
• NTRealm - Applies only to users in a Windows NT environment and therefore is only available in the Win32 version of this product.
• defaultRealm - The realm for controlling the example servlets. This realm can also be used for general management of users and groups.
• certificateRealm - Used to protect resources for users who are authenticated using Secure Sockets Layer (SSL). This realm is only packaged in the versions of this product which include SSL.
• servletMgrRealm - Used exclusively for signed servlet support, which is used primarily by software publishers. Holds the X.509 certificates used to authenticate those publishers.

Note: On the UNIX realm, it is not possible to add a user through the Java Web Server. The UNIX realm is controlled through the DNS database and users must be added through that mechanism.

Note: To access NT realms, the server has to be run as Administrator and special rights ("Act as part of operating system") have to be granted to the Administrators group. To do this:

1. Go to the Programs -> Administrative Tools -> UserManager for domains panel.
2. Click on Policies -> User Rights.
3. Select the "Show Advanced User Rights" checkbox.
4. Enable "Act as part of operating system" rights for the administrator.

Access Control Lists (ACLs)
Lists the names of the access control lists associated with the realm that is being displayed. Each access control list has defined users and groups, and defined permissions that pertain to each of those users and groups. The access control list for the Realm controls who has access to that realm on the Java Web Server.

To Display the ACLs in a Realm:

• Select the name of the realm in the Realm field. The access control lists (ACLs) belonging to that realm are displayed in the Access Control Lists (ACLs) field.

To Create an Access Control List:

1. Select the realm under which you want to create the access control list.
2. Click Add. This displays the Add ACL box.
3. Enter the name of the access control list.
4. Click Add ACL.

Note: In the servletMgrRealm, permissions are only recognized if they are set in the servletACL. The Java Web Server does not recognize permissions for servlets if they are set in a newly created ACL.

To Remove an Access Control List:

1. Select the realm under which you want to remove the access control list.
2. Click Remove ACL. This displays the Remove ACL box and asks if you want to remove the ACL.
3. Click Yes.

1. Select the realm that contains the access control list.
2. Add the user to the Realm using the Users page Add command.
3. Return to the Access Control Lists page.
4. Select the access control list to which you want to add an entry.
5. Click Add Permission. This displays the Add Permission box.
6. Select the user or group or computer you want to give permission to.
7. Select the HTTP permissions you want to grant (GET, PUT, POST, DELETE), or the Servlet permissions (there are eight).
8. Click OK or Apply. (Clicking OK removes the Add Permission box from the screen; clicking Apply leaves it visible for further entries or changes.)

Note: For any given user in a group, the user's access control permissions always take precedence over the group's permissions.

To Allow Access Only From a Specific Computer:

1. Select the realm that contains the access control list.
2. Select the access control list to which you want to add an entry.
3. Click Add Permission.
4. Click on the Computer radio button.
5. Enter the name of the host either as a name or as an IP address. You can use the wild card character (*) when entering a host name (for example, *.edu). Requests that originate from hosts other than the specified host will be denied.
6. Click OK or Apply. (Clicking OK removes the Add Permission box from the screen; clicking Apply leaves it visible for further entries or changes.)

To Delete an Entry in an Access Control List:

1. Select the realm that contains the access control list.
2. Select the access control list that contains the entry you want to delete.
3. Select the entry.
4. Click Remove Permission.
5. When you see the Remove Permission box, click Yes.

To Completely Delete a User Account from a Realm:

1. Select Access Control Lists.
2. Select the Realm.
3. Under Principal/Permissions, select the user name.
4. Click on Remove Permission. When you see the Remove Permission box, click Yes.
5. Select Security --> Groups.
6. Select the Realm.
7. Select the Group.
8. Select the user name to be removed from the Group.
9. Click Remove.
10. Select Security --> Users.
11. Select the user name to be removed.
12. Click Remove. When you see the Remove User box, click Yes.

• Assign Permissions for - Files and Folders and Servlets.
• Grant to - For Files and Folders, there are three classes of permissions: User, Group, and Computer. For Servlets there are only two: User, and Group. When you select a category, the users, groups, or machines that belong to it are displayed.
• Permissions are - Permissions can be either Allowed or Denied.
• Permissions
  For Files and Folders there are four permissions:
  • GET - can retrieve information from the server.
  • PUT - a new copy of existing data can be put on the server.
  • POST - new data can be put on the server.
  • DELETE - delete data from server.

  For Servlets, there are eight different permissions that can be denied or allowed. These are:

  • Load Servlet - Allows you to load a named servlet.
  • Write files - Allows you to write to any file on the server where the servlet is running.
  • Listen to socket - Allows you to execute calls on a socket.
  • Link libraries - Allows you to link any library called with the load library call.
  • Read files - Allows you to read any file on system where the servlet is running.
  • Open remote socket - Allows you to open any socket not on the current machine.
  • Execute programs - Allows you to execute programs on the server where the servlet is running. (This is like cgi.)
  • Access system properties - Allows you to access system properties. For more information see the documentation for java.lang.system.

The Add Permission box has the following five buttons:

• Ok - Applies the permissions and removes the Add Permission box from the screen.
• Apply - Applies the permissions but leaves the Add Permission box displayed on the screen.
• Clear - Clears the currently selected entries (without applying them) and leaves the Add Permission box displayed on the screen.
• Cancel - Clears the currently selected entries (without applying them) and removes the Add Permission box from the screen.
• Help - Displays the Help document for the Access Control Lists page.

Buttons

• Add Permission - Allows you to add users or groups to an access control list for a specific realm. the settings.
• Remove Permission - Allows you to remove users or groups from an access control list for a specific realm.

Top java-server-feedback@java.sun.com

Copyright © 1997 Sun Microsystems, Inc. All Rights Reserved.