This document has the following sections:

• Settings
• Procedures
• Buttons

The Users page lets you view, add, edit, or delete the list of users who have access to your JavaServer web pages and other resources (such as servlets). Once you've created a list of users, you control their access using the Add/Remove and Edit features on the Access Control page.

Each account consists of a username and password, and is associated with a specific security realm within the server. To assign the same user different sets of access privileges, you assign the user to more than one realm.

Settings

Realm
A realm is a database of users, groups, and access control lists. It is used to specify which users have access to the resources of a specific service (for example, the Web Page Service).

The JavaServer uses the list of users in the database to identify the customers for the service. Users that are not included in the realm cannot be added to any access control list for the service. Users not on an access control list are generally denied the use of the service.

In some cases, a service does not require that its customers be in an access control list. For example, many web page (HTTP) services make their documents available to all users without requiring that they be registered in an ACL first.

Specific access control policies are applied to both users and groups in the database. For example, one user (or group) may be granted only GET permission to the service, and thus only be able to retrieve and read documents from it. Another user (or group), however, may be granted both GET and POST permissions, meaning that the user (or the members of the group) can add documents for display, as well as read them. Both users (or groups) are in the same realm, but the access control policies applied to them are different.

Note: Individual access control permissions take precedence over group settings. For example, if a user in a group has both GET and POST access, but the group has only GET access, the user is still able to do both GET and POST.

By assigning specific access settings to each user and each group, you can control precisely how the resources of a service are used, and by whom.

The JavaServer has four security realms. These are:

• Unix - Applies only to users in a Unix environment. It is the same database of users as listed by the Unix getpwent() routines. This realm lets the server use HTTP "Basic" authentication with users' Unix passwords.
• adminRealm - The primary realm used by the JavaServer. It controls access to the administrative features.
• defaultRealm - The realm for controlling the example servlets. This realm can also be used for general management of users and groups.
• servletMgrRealm - Used exclusively for signed servlet support, which is used primarily by software publishers. Holds the X.509 certificates used to authenticate those publishers.

NOTE: It is not possible to add a user to the Unix realm using the JavaServer. The Unix realm is controlled through the DNS database and users must be added through that mechanism.

Procedures

To Display the Users in a Realm:

• Select the name of the realm in the Realm field. The users belonging to that realm are displayed in the Name field.

To Add a New User to a Realm:

1. Select the realm to which you want to add the user.
2. Click Add. This displays the Add User box.
3. Enter the user name of the user, and the user's password, and verify the password.
4. Click OK.

   To Delete a User Account from a Realm:

   1. Select the realm from which you want to delete the user.
   2. Select the user name to be removed.
   3. Click Remove.
   4. When you see the Remove User box, click Yes.
   Note: Do not delete the "admin" user account.

   To Change a User's Password:

   1. Select the realm that contains the user account you want to change.
   2. Click Change Password. This displays the Change Password box.
   3. Enter the user's new password and verify the password.
   4. Click OK.

   To Add a User with Administrative Privileges:

   1. Add the user to the adminRealm security realm.
   2. Select Access Control in the Security list.
   3. Click Add Permission. This displays the Add Permission dialog box.
   4. Add the user to this access control list by filling out the form, and assigning the user the GET privilege.
   5. When you are done filling out the form, click OK.
   6. Using the new account, log in to JavaServer to verify that this user can log in and get access to the administration web page.

   To Add a New User in The servletMgrRealm

   1. Select the servletMgrRealm.
   2. Click Add. This displays the Enter Certificate URL.
   3. Enter the user name of the user, and the Certificate URL (this is the location of where your signed/unsigned certificate resides, that is, file:/home/lcheng/certirficate/myservlet.jar.sig or http://host/certificate/myservlet.jar.sig).
   4. Click OK.

   Buttons

   To make changes to the Users page and have those settings take affect, use the three buttons at the bottom of the screen. These are:
   • Add - Adds a user to the selected Realm.
   • Remove - Removes a user from the selected Realm.
   • Change Password - Changes the password for the user selected in the Name field.

   ---

   Top
   java-server-feedback@java.sun.com