Access Control Lists
The Access Control Lists page allows you to add and delete access control lists, and
to add or delete the users and groups they contain. Access control lists let
you control the users and groups that access your web pages and other server
resources.
In the JavaServer, server administration is controlled through the
adminRealm and the adminACL in that realm. Anyone granted GET privilege
in adminACL is allowed to sign on to, and use, the administrative pages.
NOTE: To enforce access control, you must first enable it in the Basic
Setup page.
For more information on access control, see
Access Control Lists under Developer Documentation.
The Access Control page has two functions you can carry out. You can add and
remove access control lists (ACLs) using the Add/Remove
function, and you can edit access control lists using the
Edit function.
Realm
A realm is a database of users, groups, and access control lists.
It is used to specify which users have access to the resources of
a specific service (for example, the Web Page Service).
The JavaServer uses the list of users in the database to identify
the customers for the service. Users that are not included in the
realm cannot be added to any access control list for the service.
Users not on an access control list are generally denied the use of
the service.
In some cases, a service does not require that its customers be in an
access control list. For example, many web page (HTTP) services make
their documents available to all users without requiring that they be
registered in an ACL first.
Specific access control policies are applied to both users and groups
in the database. For example, one user (or group) may be granted only
GET permission to the service, and thus only be able to retrieve and
read documents from it. Another user (or group), however, may be granted
both GET and POST permissions, meaning that the user (or the members of
the group) can add documents for display, as well as read them.
Both users (or groups) are in the same realm, but the access control
policies applied to them are different.
Note: Individual access control permissions take precedence over
group settings. For example, if a user in a group has both GET and POST
access, but the group has only GET access, the user is still able
to do both GET and POST.
By assigning specific access settings to each user and each group, you
can control precisely how the resources of a service are used, and by whom.
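The precedence rule in the note above can be modelled and audited offline. The following is an added example, not JavaServer code: the names Acl, decide and audit_overrides and the sample data are hypothetical, and it assumes that when a user's groups disagree a deny wins, a case the page does not cover.

```python
from dataclasses import dataclass, field

ALLOW, DENY = "allow", "deny"

@dataclass
class Acl:
    # principal name -> {permission: ALLOW or DENY}
    users: dict = field(default_factory=dict)
    groups: dict = field(default_factory=dict)

def decide(acl, membership, user, perm):
    """Return (allowed, source) for one user and one permission."""
    # 1. An individual entry decides, whatever the user's groups say.
    rule = acl.users.get(user, {}).get(perm)
    if rule is not None:
        return rule == ALLOW, "user entry"
    # 2. Otherwise consult the user's groups. Assumption: if several groups
    #    disagree, a deny wins (the page does not cover this case).
    rules = [acl.groups[g][perm] for g in membership.get(user, ())
             if perm in acl.groups.get(g, {})]
    if rules:
        return DENY not in rules, "group entry"
    # 3. Not on the list for this permission: denied.
    return False, "no entry"

def audit_overrides(acl, membership, perms=("GET", "PUT", "POST")):
    """List (user, perm) pairs where an individual entry grants access
    that the user's groups alone would not."""
    groups_only = Acl(groups=acl.groups)  # same ACL with user entries removed
    findings = []
    for user in sorted(acl.users):
        for perm in perms:
            allowed, source = decide(acl, membership, user, perm)
            if (allowed and source == "user entry"
                    and not decide(groups_only, membership, user, perm)[0]):
                findings.append((user, perm))
    return findings

# Constructed sample data mirroring the note above: alice has GET and POST
# individually, while her group "readers" has only GET.
MEMBERSHIP = {"alice": ["readers"], "bob": ["readers"], "carol": ["readers"]}
SAMPLE = Acl(
    users={"alice": {"GET": ALLOW, "POST": ALLOW}, "carol": {"GET": DENY}},
    groups={"readers": {"GET": ALLOW}},
)

if __name__ == "__main__":
    print("individual grants beyond group:", audit_overrides(SAMPLE, MEMBERSHIP))
```

Entries reported by audit_overrides are the ones that survive a tightening of group permissions, so they are worth reviewing whenever a group's access is reduced.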
The JavaServer has four security realms. These are:
- Unix - Applies only to users in a Unix environment. It
is the same database of users as listed by the Unix getpwent()
routines. This realm lets the server use HTTP
"Basic" authentication with users' Unix passwords.
- adminRealm - The primary realm used by the JavaServer. It controls
access to the administrative features.
- defaultRealm - The realm for controlling the example
servlets. This realm can also be used for general management of
users and groups.
- servletMgrRealm - Used exclusively for signed servlet support, which
is used primarily by software publishers. Holds the X.509 certificates
used to authenticate those publishers.
ACL Name
Lists the names of the access control lists associated with the realm that is
being displayed. Each access control list has defined users and groups, and
defined permissions that pertain to each of those users and groups. The access
control list for the Realm controls who has access to that realm on the
JavaServer.
To Display the ACLs in a Realm:
- Select the name of the realm in the Realm field. The access control
lists (ACLs) belonging to that realm are displayed in the Access Control
Lists (ACLs) field.
Using Add/Remove
To Create an Access Control List:
- Select the realm under which you want to create the access control list.
- Click Add. This displays the Add ACL box.
- Enter the name of the access control list.
- Click Add ACL.
NOTE: In the servletMgrRealm, permissions are only recognized if they
are set in the servletACL. The JavaServer does not recognize permissions
for servlets if they are set in a newly created ACL.
To Remove an Access Control List:
- Select the realm under which you want to remove the access control list.
- Click Remove ACL. This displays the Remove ACL box and asks if you want
to remove the ACL.
- Click Yes.
Using Edit
To Add a User or Group to an Access Control List:
- Select the realm that contains the access control list.
- Add the user to the Realm using the Users
page Add command.
- Return to the Access Control Lists page.
- Select the access control list to which you want to add an entry.
- Click Add Permission. This displays the Add Permission box.
- Select the user or group you want to give permission to.
- Select the HTTP permissions you want to grant (GET, PUT, or POST), or
the Servlet permissions (there are eight).
- Click OK or Apply. (Clicking OK removes the Add Permission box from the screen;
clicking Apply leaves it visible for further entries or changes.)
Note: For any given user in a group, the user's access control permissions
always take precedence over the group's permissions.
To Allow Access Only From a Specific Computer:
- Select the realm that contains the access control list.
- Select the access control list to which you want to add an entry.
- Click Add Permission.
- Click on the Computer radio button.
- Enter the host, either as a name or as an IP address.
You can use the wildcard character (*) when entering a host name (for
example, *.edu). Requests that originate from hosts other than the specified
host will be denied.
- Click OK or Apply. (Clicking OK removes the Add Permission box from the screen;
clicking Apply leaves it visible for further entries or changes.)
To Delete an Entry in an Access Control List:
- Select the realm that contains the access control list.
- Select the access control list that contains the entry you want to delete.
- Select the entry.
- Click Remove Permission.
- When you see the Remove Permission box, click Yes.
To Completely Delete a User Account from a Realm:
- Select Access Control Lists.
- Select the Realm.
- Under Principal/Permissions, select the user name.
- Click on Remove Permission. When you see the Remove Permission box,
click Yes.
- Select Security --> Groups.
- Select the Realm.
- Select the Group.
- Select the user name to be removed from the Group.
- Click Remove.
- Select Security --> Users.
- Select the user name to be removed.
- Click Remove. When you see the Remove User box, click Yes.
The Add Permission Box
The Add Permission box is used to assign permissions to specific users or
specific groups. It has the following fields:
- Assign Permissions for - Files and Folders and Servlets.
- Grant to - For Files and Folders, there are three classes of
permissions: User, Group, and Computer. For Servlets there are only two:
User and Group. When you select a category, the users, groups, or
machines that belong to it are displayed.
- Permissions are - Permissions can be either Allowed or Denied.
- Permissions - For Files and Folders there are three permissions:
- GET - can retrieve information from the server.
- PUT - a new copy of existing data can be put on the server.
- POST - new data can be put on the server.
For Servlets, there are eight different permissions that can be denied or
allowed. These are:
- Load Servlet - Allows you to load a named servlet.
- Write files - Allows you to write to any file on the server where the
servlet is running.
- Listen to socket - Allows you to execute calls on a socket.
- Link libraries - Allows you to link any library called with the load
library call.
- Read files - Allows you to read any file on the system where the servlet is
running.
- Open remote socket - Allows you to open any socket not on the current machine.
- Execute programs - Allows you to execute programs on the server where the
servlet is running. (This is like CGI.)
- Access system properties - Allows you to access system properties. For
more information see the documentation for java.lang.System.
The Add Permission box has the following five buttons:
- OK - Applies the permissions and removes the Add Permission box from
the screen.
- Apply - Applies the permissions but leaves the Add Permission box
displayed on the screen.
- Clear - Clears the currently selected entries (without applying them)
and leaves the Add Permission box displayed on the screen.
- Cancel - Clears the currently selected entries (without applying them)
and removes the Add Permission box from the screen.
- Help - Displays the Help document for the Access Control Lists page.
To make changes to the Access Control Lists page and have those settings
take effect, use the two buttons at the bottom of the screen. These
are:
- Add Permission - Allows you to add users or groups to an
access control list for a specific realm.
- Remove Permission - Allows you to remove users or groups from an
access control list for a specific realm.