Tuesday May 16, 2006

Access Control In Sun Java System Web Server 7.0 - II

Access Control In Sun Java System Web Server 7.0 -II

After my first blog about Access Control in general, let me try to talk about some more ACL related topics.

Access Rights in Access Control Lists in Sun Java System Web Server 7.0

Access rights that can be used to set access control in ACL file in Sun Java System Web Server 7.0 - are
  • all
  • read
  • execute
  • info
  • write
  • list
  • delete
  • http_<method>
  • dav:read-acl
  • dav:read-current-user-privilege-set
If we want to grant write,delete,list rights ONLY to authenticated users but grant read, execute, info rights to all users (authenticated as well as unauthenticated users), we need to have an ACL like.

#default.acl
...

acl "default";
authenticate (user, group) {
  prompt = "Sun Java System Web Server";
};
allow (read, execute, info) user = "anyone";
allow (list, write, delete) user = "all";

This is already set by default in <WS_INSTALLATION_DIR>/https-<servername>/config/default.acl file.

If we want to grant write,delete,list access to a set of high privileged users only (users alpha,beta and gamma) and grant read,execute,info rights to ONLY authenticated users, set the following ACL in <WS_INSTALLATION_DIR>/https-<servername>/config/default.acl file in the end.
(We can also add this in that Virtual Server's ACL file if we are using multiple virtual servers.)

#default.acl
...
acl "uri=/"
deny (all) user="anyone";
allow (read, execute, info) user = "all";
allow (list, write, delete) user = "alpha" or user = "beta" or user = "gamma";

Note that the first ACE (ACE starting with deny)  MUST BE added. It denies all rights to "anyone" i.e. all users (both authenticated and unauthenticated users).
Second ACE,  grants read,execute and info rights to authenticated users only.
Third ACE,  grants list, write, delete rights to alpha, beta or gamma only.

Instead of adding individual users, we can also create a group (lets say "premium") in authentication database and add these three users  alpha, beta and gamma in the group. The new ACE will be

#default.acl
...
acl "uri=/"
deny (all) user="anyone";
allow (read, execute, info) user = "all";
allow (list, write, delete) group = "premium";

Mapping between rights and HTTP Methods

Rights
Maps to HTTP Methods
read
GET, HEAD, TRACE, OPTIONS, COPY, BCOPY
write
PUT, MKDIR, LOCK, UNLOCK, PROPPATCH, MKCOL, ACL, VERSION-CONTROL, CHECKOUT, UNCHECKOUT, CHECKIN, MKWORKSPACE, UPDATE, LABEL, MERGE, BASELINE-CONTROL, MKACTIVITY, BPROPPATCH
execute
POST, CONNECT, SUBSCRIBE, UNSUBSCRIBE, NOTIFY, POLL
delete
DELETE, RMDIR, MOVE, BDELETE, BMOVE
info
HEAD, TRACE, OPTIONS
list
INDEX, PROPFIND, REPORT, SEARCH, BPROPFIND
Note that to get directory listing we need "list" rights.
Note that we have HEAD, TRACE and OPTIONS map to both read and info rights.
\* Will discuss dav:read-acl and dav:read-current-user-privilege-set  later.

We can also set these http_<method> into ACL file for finer access control.

#default.acl
...
acl "uri=/dirGETNotAllowed";

authenticate (user, group) {
  database = "mykeyfile";
  method = "basic";
};
deny (http_GET) ip = "123.45.\*";

ACL Evaluation

The server goes through the list of ACEs to determine the access permissions. Attribute pattern anyone means all users. If that ACE's attribute is user or group and it does NOT contain pattern anyone, the server first authenticates the user. The first ACE is evaluated and it denies/allows access to the current user. The server then checks the second ACE in the list, and if it matches, the next ACE is used. The server continues down the list until it reaches the end or it reaches an absolute ACE\*. The last matching ACE determines if access is allowed or denied.
\*absolute ACE is an ACE that contains absolute keyword.

Lets take the example of a simple ACL file and lets see how they are effective for some requests.

#default.acl
version 3.0;
acl "default";
# call it ACE#1
allow (read, execute, info) user = "anyone";
# call it ACE#2
allow (list, write, delete) user = "all";
...
acl "uri=/file.html";
# call it ACE#3
deny (info) user = "alpha";

Request
Server reads ACEs from ACL file
Server Evaluates ACEs in this order
Result
HEAD /
Reads all ACEs containing "all", "read", "http_head" and "info" rights applicable for this resource.

(It reads ACE#1 in the ACL file above)
ACE#1 is evaluated, operation is allowed. HEAD request is allowed.
GET / or GET /file.html
Reads all ACEs containing "all", "read" and "http_get" rights applicable for this resource.

(It reads ACE#1in the ACL file above)
ACE#1 is evaluated, operation is allowed. GET request is allowed.
HEAD /file.html as user alpha Reads all ACEs containing "all", "read", "http_head" and "info" rights applicable for this resource.

(It reads ACE#1 and ACE#3 in the ACL file above)
  1. ACE#1 is evaluated, operation is allowed.\*
  2. ACE#3 is evaluated, operation is denied (for alpha).
HEAD request is denied.
HEAD /file.html as user beta
  1. ACE#1 is evaluated, operation is allowed.\*
  2. ACE#3 is evaluated, operation is allowed (for beta).
HEAD request is allowed.
HEAD /file.html\*\*
  1. ACE#1 is evaluated, operation is allowed.\*
  2. ACE#3 is evaluated, operation is denied (for unauthenticated users).
HEAD request is denied.
\* It continues to the next step as "absolute" keyword is not found.
\*\* Although we do not have any deny ACEs for "anyone" (unauthenticated users), having a deny or allow ACE for a particular user implicitly denies access to unauthenticated users.

Absolute ACE

ACL Evaluation stops if an "absolute" ACE is found. For example if we have ACEs like

#default.acl
version 3.0;
acl "default";
# call it ACE #1
allow absolute (read, execute, info) user = "anyone";
# call it ACE #2
allow (list, write, delete) user = "all";

acl "uri=/file.jsp";
# Call it ACE #3 is ignored
deny (info) user="all";
...

For HEAD request for /file.jsp, request is allowed for all users even though ACE#3 sets a deny.  During the evaluation of ACE#1 as it encounters absolute keyword, it never evaluates ACE#3 and other ACEs below it.

Access Control In Sun Java System Web Server 7.0

Access Control In Sun Java System Web Server 7.0

You can now download Sun Java System Web Server 7.0 for FREE from http://www.sun.com/download/index.jsp?cat=Web%20%26%20Proxy%20Servers&tab=3&subcat=Web%20Servers .

What Is Access Control?

Access control allows us to determine and manage

  • Who (subject) can access the resources on our web site
  • Which resources (like files or directories)  they can access
  • Which operations can they perform (like creating a file, POST-ing contents to the server).

We can allow or deny access based on:

  • Who is making the request (for example, user or group using user, group attributes).
  • Where the request is coming from (for example, host or IP using ip, dns attributes).
  • When the request is happening (for example, time of day or day of week using timeofday, dayofweek attributes).
  • What type of connection is being used (for example, SSL using ssl attribute).
Authentication is the process of acquiring and verifying the attributes of the subject which help to identify the subject. For example, authentication may involve prompting the user to login with a username and password, and then looking in a database to verify that the user's password is correct.

Authorization is the process of checking the rights (or permissions) to the server resource that are allowed for the subject. for example, a subject might be allowed read access but not write access to a server resource.

An access control entry (ACE) specifies the rules for accessing a given server resource. There are two kinds of ACEs
  • Authentication ACE defines how subject(who is making the request) is identified. It can be used to set authorization method (Digest, Basic, SSL) or database names (like default, myldap, mykeyfile).
  • Authorization ACE defines the rights allowed or denied for a particular subject or a group of subjects.
ACL (Access Control List) is an ordered list of ACEs. An ACL can contain both types of ACEs.

We can control access to the entire server or to parts of the server, or the files or directories on our web site.  When the server gets a request for a page, the server uses the rules in the ACL file to determine if it should grant access or not. We create a hierarchy of rules (called ACEs) to allow or deny access. Each ACE specifies whether or not the server should check the next ACE in the hierarchy. The collection of ACEs we create is called an access control list (ACL).

Types Of ACLs

  • Named ACLs
  • URI (Uniform Resource Indicator) ACLs specify a directory or file relative to the server’s document root.
  • Path ACLs specify an absolute path to the resource they affect.
Path and URI ACLs can include wildcards at the end of the entry. For example: /a/b/\*. Wildcards placed anywhere except at the end of the entry will NOT work.

Examples of Named ACLs

Named ACLs are ACLs which have the first line like acl "<name>"; . It MUST have a corresponding check-acl SAF entry in obj.conf. For example, named acl default or named ACL dav-src  for WebDAV requests we add in Object named dav.

#default.acl
version 3.0;
acl "default";
authenticate (user, group) {
  prompt = "Sun Java System Web Server";
};
allow (read, execute, info) user = "anyone";
allow (list, write, delete) user = "anyone";
...
acl "dav-src";
deny (all) user = "anyone";

Named ACL default  has a corresponding check-acl SAF in obj.conf.  Named ACL dav-src has a corresponding check-acl SAF in obj.conf.

#obj.conf
<Object name=default>
...
PathCheck fn="uri-clean"
PathCheck fn="check-acl" acl="default"
...
</Object>
...
<Object name="dav">
PathCheck fn="check-acl" acl="dav-src"
Service fn="service-dav" method="(GET|HEAD|POST|PUT|DELETE|COPY|MOVE|PROPFIND|PROPPATCH|LOCK|UNLOCK|MKCOL)"
</Object>

Examples of URI based ACLs

URI based ACLs start with uri= prefix. We can set ACLs for a particular resource or a directory and resources inside it. For example, we can set URI based ACL for a particular file file.html

#default.acl
....
acl "uri=/dir1/file.html";
authenticate (user,group) {
  method = "basic";
  database = "myldap";
};
deny (all) user = "anyone";
allow (all) user = "beta";

For setting a URI based ACL on a directory and all the files inside that directory, we can set ACEs like

#default.acl
...
acl "uri=/dir1/\*";
allow (all) dns=".sun.com";
Or
#default.acl
...
acl "uri=/dir1/";
deny (read) user="anyone";
allow (read) group="premium" and dayofweek="Sat,Sun";

Example of Path based ACLs

Path based ACLs start with  "path=" prefix.

#default.acl
...
acl "path=/opt/Sun/Servers/docs/index.html";
deny (read) user="anyone";
allow (read) timeofday<0800 or timeofday=1700;


The URI or path that preceeds the wildcard does NOT work properly if the URI or path information is not a directory but is, instead, a file. For example, the following ACL settings work. When /test/README is accessed, access is allowed only for the user abc.

#default.acl
...
acl "uri=/test/\*";
authenticate (user) {
  prompt = "Test ACL.";
};
deny (all) user = "anyone";
allow (all) user = "abc";

But, the following ACL settings do NOT work. When /test/README is accessed the request is allowed to everyone.

#default.acl
...
acl "uri=/test/READ\*";
authenticate (user) {
  prompt = "Test ACL.";
};
deny (all) user = "anyone";
allow (all) user = "abc";


Only tailing "/\*" is supported in ACL file. ACLs with patterns XX\*, \*XXX\* are ignored. For such scenarios, declare it as a named ACL in obj.conf. For example,

#obj.conf
...
PathCheck fn="check-acl" fn=check-acl path="/pathtosomedir/tes\*.html" acl="acl123"
...
Or
#obj.conf
...
<Object ppath="/pathtosomedir/tes\*.html" >
PathCheck fn="check-acl" acl="acl123"
</Object>

\*\* Note that check-acl usage has a limitation as ACLs are cached in memory. As long as the same ACLs are applied for a resource it is ok. You can not use check-acl for the case where different ACLs are supposed to be added for different condition. For a particular resource we have in obj.conf , <If $client-ip="1.1.1.1"> PathCheck fn="check-acl" acl="acl123" </If> it may or may not add this ACL depending on client's ip address. To make it work we have to disable acl-cache in server.xml (in Web Server 7.0 onwards).

One tip, whenever you want to set an ACL to allow access of a resource to a small audience, first add a deny ACE that would restrict the whole audience from accessing the resource and then add specific ACEs to allow access to the resource to the smaller audience. Something like
#default.acl
...
acl ...
deny (all) user ="anyone";
allow (all) user="alpha,beta,gamma";
Or if you want to add allow ACE first use "absolute" keyword.
#default.acl
...
acl ...
allow absolute (all) user="alpha,beta,gamma";
deny (all) user ="anyone";
Refer my next blog for more information about this.
About

Meena Vyas

Search

Archives
« July 2014
SunMonTueWedThuFriSat
  
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
  
       
Today