Controlling access on URLs

Overview

This document describes how to set up a UrlAcl policy file to control access to files served by WebLogic Server. The UrlAcl policy file extends the ACLs (Access Control Lists) that you set in the weblogic.properties file by granting, or denying, users and groups permissions on specific files and directories served by WebLogic Server. It gives you much finer-grained control than can be achieved using the weblogic.properties file alone.

The UrlAcl policy file is a text file formatted in the style of JAAS (Java Authentication and Authorization Service) policy files. It can have any name; weblogicURL.policy is recommended. Create the file in the weblogic/ directory, the same directory that contains the weblogic.properties file. The UrlAcl policy file can contain grant and deny statements.

You enable UrlAcl testing by setting the weblogic.security.URLAclFile property to the name of the UrlAcl policy file. WebLogic Server parses the policy file at startup time, creating an ACL that it applies to all URL requests.

With a UrlAcl policy in effect, WebLogic Server tests client URL requests against the policy. Specifically, it tests permissions on the portion of the URL following the server specification. For example, if a client attempts to load the URL http://localhost:7001/reports/financial/1999Q4.html, WebLogic Server tests permissions on /reports/financial/1999Q4.html.

You can grant or deny permissions on specific filenames or on directories. Two wildcard characters modify how permissions are applied to directories: asterisk (*) and dash (-). If you grant permission on a directory with an asterisk, for example "/reports/*", the permission applies to any file in the /reports directory. If you grant permission on a directory with a dash, for example "/reports/-", the permission applies to any file in the /reports directory or in any subdirectory below /reports.
Wildcard characters are only valid following the slash at the end of a directory path or used alone, as a shortcut for "/-" or "/*". Permissions are always searched from most specific to most general. For example, given the URL http://localhost:7001/reports/financial/1999Q4.html, WebLogic Server looks for permissions in the following sequence:
The first permission located is applied to the request. The permission may be positive (granted) or negative (denied). If no permission is found, the request is denied. Individual permissions override group permissions, which means you can grant a group access to a file or directory but deny access to specific members of that group.

Once you enable a UrlAcl policy file, you must grant permissions to every user who is to have access; the default action is to deny access when no permission is found. The "system" user is no exception: if you want the "system" user to have access to files, you must grant the permissions in your UrlAcl policy file.

Policy file syntax

The UrlAcl policy file can contain any number of grant and deny entries. Each entry contains a list of Principals (WebLogic Users or Groups) and a list of Permissions (access granted or denied on a specified target). A UrlAcl policy file entry has the following syntax:

    grant_or_deny Principal Principal_Class "Principal_Name" {
        Permission Permission_Class "Permission_name", "Target";
    };
Policy file examples

The examples in this section assume these properties defined in the weblogic.properties file:

    weblogic.password.joe=joe12345
    weblogic.password.steve=steve12345
    weblogic.password.eric=eric12345
    weblogic.password.adam=adam12345
    weblogic.password.sam=sam12345
    weblogic.password.dave=dave12345
    weblogic.security.group.managers=joe,steve
    weblogic.security.group.contributors=eric,adam,sam,dave
    # This property points to the UrlAcl policy file
    weblogic.security.urlAclFile=weblogicURL.policy
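Added example, not WebLogic code or part of the original page: a small Python model of the lookup rules described above (most specific target first, individual entries overriding group entries, deny by default), exercised with the users and groups from the weblogic.properties listing. The policy text, the "read" permission name and the Principal and Permission class names are assumed for illustration.

```python
import re
from collections import namedtuple
# Constructed policy text in the entry syntax shown above. The Principal and
# Permission class names are assumed for illustration, not taken from the page.
POLICY = '''
grant Principal weblogic.security.acl.GroupImpl "managers" {
    Permission weblogic.security.acl.URLAcl "read", "/reports/-";
};
deny Principal weblogic.security.acl.User "steve" {
    Permission weblogic.security.acl.URLAcl "read", "/reports/-";
};
grant Principal weblogic.security.acl.GroupImpl "contributors" {
    Permission weblogic.security.acl.URLAcl "read", "/reports/*";
};
grant Principal weblogic.security.acl.User "eric" {
    Permission weblogic.security.acl.URLAcl "read", "/reports/financial/1999Q4.html";
};
'''
# One Principal and one Permission per entry, as in the syntax line above.
ENTRY_RE = re.compile(
    r'(grant|deny)\s+Principal\s+\S+\s+"([^"]+)"\s*\{\s*'
    r'Permission\s+\S+\s+"([^"]+)"\s*,\s*"([^"]+)"\s*;\s*\}\s*;')
Entry = namedtuple("Entry", "granted principal permission target")

def parse_policy(text):
    entries = []
    for verb, principal, perm, target in ENTRY_RE.findall(text):
        if target in ("*", "-"):          # a bare wildcard is shorthand for "/*" or "/-"
            target = "/" + target
        entries.append(Entry(verb == "grant", principal, perm, target))
    return entries

def lookup_sequence(path):
    # Targets checked for a request path, most specific first.
    parent = path.rpartition("/")[0]
    seq = [path, parent + "/*"]           # the exact file, then files in its own directory
    while True:                           # then "-" on each ancestor directory, ending with "/-"
        seq.append(parent + "/-")
        if not parent:
            return seq
        parent = parent.rpartition("/")[0]

def is_allowed(entries, path, user, groups, permission="read"):
    # The first permission found decides; the user's own entry overrides a group entry.
    for target in lookup_sequence(path):
        hits = [e for e in entries if e.target == target and e.permission == permission]
        mine = [e for e in hits if e.principal == user] or [e for e in hits if e.principal in groups]
        if mine:
            return mine[0].granted        # several group entries on one target: file order (assumption)
    return False                          # no permission found: denied, with no exception for "system"
```

With this policy, steve is denied under /reports even though the managers group is granted there, and contributors granted "/reports/*" cannot read files in /reports/financial.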
Testing the UrlAcl policy file

WebLogic Server will fail at startup time if your UrlAcl policy file contains syntax errors. Whenever you change the file, you can run the weblogic.utils.security.PolicyParser class on it to test the syntax and to make sure that WebLogic Server interprets the file as you intended. Use this command to test your policy file:

    java weblogic.utils.security.PolicyParser infile outfile
PolicyParser reports syntax errors. If there are no syntax errors, the output file should contain the same entries as the input file, sorted by permission.
Copyright © 2000 BEA Systems, Inc. All rights reserved.