BEA Logo BEA WebLogic Server Release 5.0

  Corporate Info  |  News  |  Solutions  |  Products  |  Partners  |  Services  |  Events  |  Download  |  How To Buy

Controlling access on URLs

Policy file syntax
Policy file examples
Testing the policy file


This document describes how to set up a UrlAcl policy file to control access on files served by WebLogic Server. The UrlAcl policy file extends ACLs (Access Control Lists) that you set in the file by granting--or denying--users and groups permissions on specific files and directories served by WebLogic Server. It gives you much finer-grained control than can be achieved just using the file.

The UrlAcl policy file is a text file formatted in the style of JAAS (Java Authentication and Authorization Service) policy files. It can have any name. weblogicURL.policy is recommended. Create the file in the weblogic/ directory, the same directory that contains the file.

The UrlAcl policy file can contain grant and deny statements. You enable UrlAcl testing by setting the property to the name of the UrlAcl policy file. WebLogic Server parses the policy file at startup time, creating an ACL that it applies to all URL requests.

With a UrlAcl policy in effect, WebLogic Server tests client URL requests against the policy. Specifically, it tests permissions on the portion of the URL following the server specification. For example, if a client attempts to load the URL http://localhost:7001/reports/financial/1999Q4.html, WebLogic Server tests permissions on /reports/financial/1999Q4.html.

You can grant or deny permissions on specific filenames or on directories. There are two wildcard characters that modify how permissions are applied to directories: asterisk (*) and dash (-). If you grant permission on a directory with an asterisk, for example "/reports/*", the permission applies to any file in the /reports directory. If you grant permission on a directory with a dash, for example "/reports/-", the permission applies to any file in the /reports directory or in subdirectories below /reports. Wildcard characters are only valid following the slash at the end of a directory path or used alone, as a shortcut for "/-" or "/*".

Permissions are always searched from most specific to most general. For example, given the URL http://localhost:7001/reports/financial/1999Q4.html, WebLogic Server looks for permissions in the following sequence:


The first permission located is applied to the request. The permission may be positive (granted) or negative (denied). If no permission is found, the request is denied.

Individual permissions override group permissions, which means you can grant a group access to a file or directory but deny access to specific members of that group.

Once you enable a UrlAcl policy file, you must grant permissions to every user who is to have access; the default action is to deny access when no permission is found. The "system" user is no exception. If you want the "system" user to have access to files, you must grant the permissions in your UrlAcl policy file.

Policy file syntax

The UrlAcl policy file can contain any number of grant and deny entries. Each entry contains a list of Principals (WebLogic Users or Groups) and a list of Permissions (access granted or denied on a specified target).

A UrlAcl policy file entry has the following syntax:

  grant_or_deny Principal Principal_Class "Principal_Name" {
     Permission Permission_Class "Permission_name", "Target";

Each entry is either a grant or a deny command. A grant command creates a positive permisison. A deny command creates a negative permission.

The name of the Java class WebLogic Server uses to represent a User or Group: or, respectively.

The name of the WebLogic Server user or group, as defined in the file or other realm, if enabled.

The name of the Java class that represents URL ACLs in WebLogic Server. Always

The name of the permission that is granted. Always weblogic.url.

A file specification, relative to the WebLogic Server public_html directory.

Policy file examples

The examples in this section assume these properties defined in the file:


  # This property points to the UrlAcl policy file

  1. Allow the "system" user access to anything. Let everyone access files in the /reports directory, except deny members of the "contributors" group access to files in or below the /reports/financial directory.
    grant Principal "system" {
      Permission "weblogic.url", "-";
    grant Principal "everyone" {
      Permission "weblogic.url", "/reports/-";
    deny Principal "contributors" {
      Permission "weblogic.url", "/reports/financial/-";

  2. Grant everyone access to all files. Deny members of the "everyone" group access to files in the /admin directory, but allow members of the "managers" group and user "eric" access to /admin directory files.
    grant Principal "everyone" {
      Permission "weblogic.url", "-";
    deny Principal "everyone" {
      Permission "weblogic.url", "/admin/-";
    grant Principal "managers",
          Principal "eric" {
      Permission "weblogic.url", "/admin/-";

Testing the UrlAcl policy file

WebLogic Server will fail at startup time if your UrlAcl policy file contains syntax errors. Whenever you change the file, you can run the class on it to test the syntax and also to make sure that WebLogic Server interprets the file as you intended.

Use this command to test your policy file:

  java infile outfile

The name of your UrlAcl policy file.

The name of an output file where the PolicyParser writes the parsed UrlAcl policy file.

PolicyParser reports syntax errors. If there are no syntax errors, the output file should contain the same entries as the input file, sorted by permission.


Copyright © 2000 BEA Systems, Inc. All rights reserved.
Required browser: Netscape 4.0 or higher, or Microsoft Internet Explorer 4.0 or higher.
Last updated 12/4/1999