Chapter 7 Controlling Access

You can control who accesses your Web Publisher documents and directories and what operations different users or different groups of users can perform upon them. You can completely prohibit access to a file or folder or you can restrict access to certain authenticated users.

Access control is based on a hierarchy of rules that specify certain restrictions. A set of rules is called an access control list (ACL). The access control hierarchy is based on the URL Path or file path, with ACL rules cascading from the top down through each progressively lower layer of directories and subdirectories until it reaches the file. When a request for access is made, the server goes in turn through each rule, continuing until it encounters a rule that prevents it from continuing or comes to the last rule for that resource.

• User Authentication
• Web Publisher Access Permissions
• Ownership of Files and Folders
• Setting Access: An Example
• Access Control: The Details
• The Access Control Window
• Additional Options

Manually Assigning Ownership
You can use the properties page that is part of the Web Publisher Services form to manually assign ownership of a file or folder. You an only modify the Owner property is two cases:

• You own the file or folder.
• The file or folder has no owner.

• copy (ownership is assigned to the newly copied files and folders, not the originals)
• move
• rename
• upload
• edit (although ownership has little effect until you unlock the file by publishing it)

1. Select the index.html file in the Web Publisher applet window.
2. At this point, there are three ways to obtain the access control interface from Web Publisher:

• From the Services menu, choose Access Control.
• Click the Information toolbar button to display the Web Publisher Services page, and then click the Access Control button.
• In the URL field of your browser, type in the following URL:

http://yourServer/oneacl/index.html

The access control window divides into two frames that you use to set the access control rules. If the file or folder has no access control, the top frame is initially empty.

1. Click New Line to get a new default rule. Leave this unchanged. The default rule that you begin with denies everyone everything. Once you've done this, you can expand the access to include specified users and groups, as in the next step.
2. Click New Line again to get another default ACL rule as the bottom row of the table. You can use the up and down arrows in the left column to move a rule, if needed.

Figure 7.2    A sample ACL for the owner of a file



3. You can allow access to this file by clicking the Deny link in the Action column. The bottom frame now displays the Allow/Deny form. See the section See "Setting Actions" for more details.
4. Click Allow and then click Update to return to the top frame with the new data.
5. You can allow access to a specific user by clicking the Anyone link in the Users/Groups column. The bottom frame now displays the User/Group form. By default, there is no authentication, meaning anyone can access the resource. See "Setting Users and Groups" for more details.
6. You can restrict access to a computer or network by clicking the Anyplace link in the From Host column. See "Specifying Host Names and IP Addresses" for more details on how to use this advanced option.
7. You can restrict access to certain operations by clicking the All link in the Rights column. The bottom frame now displays the Access Rights form. By default, the user has access to all operations. See "Setting Rights" for more details.

To restrict the rule to all except write and delete operations, uncheck these two checkboxes, and then click Update to return to the top frame with the new data.

8. Add another new line, this time allowing the owner to have write and delete access as well. Complete steps 4-6.

Then to restrict access to the owner of a file, type owner in the User field under "Authenticated People Only," and then click Update to return to the top frame with the new data.

9. In most cases, this is all you need to do to define an ACL for your file, so click Submit to set up this ACL for your index.html file. See "Additional Options" for details about other options you can use.

If you click Revert, the server removes any changes you made to the rules from the time you first opened the two-frame window. Be cautious when using Revert because you can't restore your edits. In most cases, it is safer to delete the rule lines individually by clicking the Trash can icon on the end of each line.

• Allow means the users or computers can access the requested resource.
• Deny means the users or computers cannot access the resource.

• Anyone (No Authentication) is the default and means anyone can access the resource without having to enter a user name or password. However, the user might be denied access based on other settings, such as host name or IP address.
• Authenticated people only means all users requesting the resource have to enter a valid user name and password before gaining access to the resource.
• All in the authentication database matches any user who has an entry in the database.
• Only the following people lets you specify certain users and groups to match. You can list the users and groups of users individually by separating the entries with commas. Or, you can enter a wildcard pattern, such as *Smith.

• Group matches all users in the groups you specify.
• User matches the individual users you specify. If you want to restrict access to owners, enter owner here.
• Prompt for authentication lets you customize the message that appears in the authentication dialog box. The default text, "Enterprise Server" is shown in figure. Depending on the operating system, the user sees about the first 40 characters of the prompt.
• Netscape Navigator and Netscape Communicator cache the user name and password. This means that while you continue to use the same browser, you do not have to reenter your user name and password.
• Authentication Methods specifies the method the server uses when getting authentication information from the client. Do not change this setting without consulting with your server administrator.
• Authentication Database lets you select a database that the server uses to authenticate users. Do not change this setting without consulting with your server administrator.

• Read access lets a user view a file.
• Write access lets a user change a file's content or properties.
• Execute access applies to server-side applications, such as CGI programs and Java applets.
• Delete access means a user can delete, move, or rename a file or directory.
• List access means the user can get a list of the files in a folder. If this is not checked, the user cannot open the folder in the Web Publisher window.
• Info access maps to the HTTP Options method.

1. In the top frame, click the link called "Response when denied." The Access Deny Response form is displayed in the lower frame with the default option set.
2. Click the radio button labeled "Respond with the following url."
3. In the text field, type the URL for the file (text or HTML) in your server's document root that you want to send to users when they are denied access. Make sure the file doesn't contain references to other files (such as style sheets) or images because they won't be sent.
4. Click Update to return to the top form.
5. Click Submit to set this response as part of the access control rule.

You specify this restriction by using wildcard patterns that match the computers' host names or IP addresses. For example, to allow or deny all computers in a specific domain, you would enter a wildcard pattern that matches all hosts from that domain, such as *.netscape.com.

1. Click the Anyplace link in the From Host column in the top part of the ACL form. The From Host form is displayed in the bottom frame.
2. In one of the fields under the Only From option, type a wildcard pattern or a comma-separated list of hostnames or IP addresses.
3. Click Update to return to the top part of the ACL form with the new or modified data.
4. Click Submit to modify the access control rule.