Resources Protection

Contents / Administrator Docs / Developer Docs / Index / AdminTool Contents

This document has the following sections:

Settings
Procedures
Buttons

A security realm contains users and/or groups plus their associated access control lists (ACL). The access control list for a user in a particular realm specifies the privileges that user is granted to access server resources. Resources include such things as files, directories, and servlets.

The Resources Protection page allows you to control user access to server resources by assigning the resource to an access control list. You can view, add, delete, or edit the access control list to which a server resource is assigned.

For each resource you want to protect, you can specify:

an authentication scheme
a security realm
an access control list (ACL)

Note: Resources that clients access via the PUT or DELETE request methods must be protected.

Settings

The Resources Protection page has the following five fields:

Realm
A realm is a database of users, groups, and access control lists. It is used to specify which users have access to the resources of a specific service (for example, the Web Page Service).

The Java Web Server uses the list of users in the database to identify the customers for the service. Users that are not included in the realm cannot be added to any access control list for the service. Users not on an access control list are generally denied the use of the service.

In some cases, a service does not require that its customers be in an access control list. For example, many web page (HTTP) services make their documents available to all users without requiring that they be registered in an ACL first.

Specific access control policies are applied to both users and groups in the database. For example, one user (or group) may be granted only GET permission to the service, and thus only be able to retrieve and read documents from it. Another user (or group), however, may be granted both GET and POST permissions, meaning that the user (or the members of the group) can add documents for display, as well as read them. Both users (or groups) are in the same realm, but the access control policies applied to them are different.

Note: Individual access control permissions take precedence over group settings. For example, if a user in a group has both GET and POST access, but the group has only GET access, the user is still able to do both GET and POST.

By assigning specific access settings to each user and each group, you can control precisely how the resources of a service are used, and by whom.

The Java Web Server has these security realms. They are:

Unix - Applies only to users in a Unix environment. It is the same database of users as listed by the Unix getpwent() routines. This realm lets the server use HTTP "Basic" authentication with users' Unix passwords.
NTRealm - Applies only to users in a Windows NT environment and therefore is only available in the Win32 version of this product.
certificateRealm - Used to protect resources for users who are authenticated using Secure Sockets Layer (SSL). This realm is only packaged in the versions of this product which include SSL.
defaultRealm - The realm for controlling the example servlets. This realm can also be used for general management of users and groups.
servletMgrRealm - Used exclusively for signed servlet support, which is used primarily by software publishers. Holds the X.509 certificates used to authenticate those publishers.

Resource
Lists the resources being protected. This can be a directory, such as a the default document directory public_html and specific files within it, or a servlet directory and specific servlet.

Type
Defines the permissions that can be granted to the resource. There are two types in the Java Web Server: File or Servlet.

Scheme
Defines the authentication method used, along with an Access Control List, to protect the resource. There are two kinds of schemes:

Basic - sends plaintext passwords "over the wire", where they could potentially could be seen by an eavesdropper.
Digest - sends functions of passwords "over the wire", so that eavesdroppers can't read the passwords.

While digest authentication does not send a user's password over the network, the server must still know the user's password. The user and other servers (because users normally share passwords between servers) are at risk if the server is successfully attacked. Also, not many browsers currently support digest authentication.

If you don't assign an access control list to a server resource, Java Web Server applies the default access control.

ACL
Defines the name of the access control list used to protect the resource.

NOTE: Setting access control on the Admin servlet can cause you to be locked out of the Java Web Server. If this happens, you can recover by editing the properties file acl.properties. For more information, see the Java Web Server Release Notes. In general, it is a good idea not to assign access control to any core internal servlet. For more information on internal servlets, see Internal Servlets.

Procedures

To Protect a Resource

Click Add. This displays the Protect a Resource box.
Select a Security Scheme (either Basic or Digest).
Select an access control list (ACL) to assign to the resource.
Select an option in the Specify Resource to Protect field:
- Pathname (a file or directory)
- Servlet
If you're protecting a file or directory, enter the full path in the Pathname field. If you're protecting a servlet, select the servlet name from the pulldown menu.
Click Apply or OK. (Clicking OK removes the Protect a Resource box from the screen; clicking Apply leaves it visible for further entries or changes.)

NOTE: Setting up authentication can get misleading if you protect similar resources and use a trailing slash (/) to differentiate between them. For example, when protecting a resource pathname, the Java Web Server considers the following examples to be two distinct resources:

/home/lcheng/myfile.html
/home/lcheng/myfile.html/

If, after you have protected these resources, you then use File Aliasing to set up shortcuts to these resources, the Java Web Server will automatically overlook the one without the slash and default to the resource that has it. If the resources you protect differ in more ways than just the trailing slash, the Java Web Server has no problem differentiating between protected resources.

To Delete an Entry From The List:

Select the entry you want to delete.
Click Remove.
When the Remove Resource Protection box is displayed, click Yes.

To Edit an Entry:

Select the entry.
Click Add.
Change the information in the Protect a Resource box.
Click Apply or OK. (Clicking OK removes the Add Resource to Realm box from the screen; clicking Apply leaves it visible for further entries or changes.)

Buttons

To make changes to the Resources Protection page and have those settings take affect, use the two buttons at the bottom of the screen. These are:

Add - Adds a resource to the selected Realm.
Remove - Removes a resource from the selected Realm.

Top

java-server-feedback@java.sun.com