BEA WebLogic Server Release 5.0


Controlling access on URLs

Overview
Policy file syntax
Policy file examples
Testing the policy file

Overview

This document describes how to set up a UrlAcl policy file to control access on files served by WebLogic Server. The UrlAcl policy file extends ACLs (Access Control Lists) that you set in the weblogic.properties file by granting--or denying--users and groups permissions on specific files and directories served by WebLogic Server. It gives you much finer-grained control than can be achieved just using the weblogic.properties file.

The UrlAcl policy file is a text file formatted in the style of JAAS (Java Authentication and Authorization Service) policy files. It can have any name; weblogicURL.policy is recommended. Create the file in the weblogic/ directory, the same directory that contains the weblogic.properties file.

The UrlAcl policy file can contain grant and deny statements. You enable UrlAcl testing by setting the weblogic.security.URLAclFile property to the name of the UrlAcl policy file. WebLogic Server parses the policy file at startup time, creating an ACL that it applies to all URL requests.

With a UrlAcl policy in effect, WebLogic Server tests client URL requests against the policy. Specifically, it tests permissions on the portion of the URL following the server specification. For example, if a client attempts to load the URL http://localhost:7001/reports/financial/1999Q4.html, WebLogic Server tests permissions on /reports/financial/1999Q4.html.

You can grant or deny permissions on specific filenames or on directories. There are two wildcard characters that modify how permissions are applied to directories: asterisk (*) and dash (-). If you grant permission on a directory with an asterisk, for example "/reports/*", the permission applies to any file in the /reports directory. If you grant permission on a directory with a dash, for example "/reports/-", the permission applies to any file in the /reports directory or in subdirectories below /reports. Wildcard characters are only valid following the slash at the end of a directory path or used alone, as a shortcut for "/-" or "/*".

Permissions are always searched from most specific to most general. For example, given the URL http://localhost:7001/reports/financial/1999Q4.html, WebLogic Server looks for permissions in the following sequence:

/reports/financial/1999Q4.html
/reports/financial/*
/reports/financial/-
/reports/-
-

The first permission located is applied to the request. The permission may be positive (granted) or negative (denied). If no permission is found, the request is denied.

Individual permissions override group permissions, which means you can grant a group access to a file or directory but deny access to specific members of that group.

Once you enable a UrlAcl policy file, you must grant permissions to every user who is to have access; the default action is to deny access when no permission is found. The "system" user is no exception. If you want the "system" user to have access to files, you must grant the permissions in your UrlAcl policy file.

Policy file syntax

The UrlAcl policy file can contain any number of grant and deny entries. Each entry contains a list of Principals (WebLogic Users or Groups) and a list of Permissions (access granted or denied on a specified target).

A UrlAcl policy file entry has the following syntax:

  grant_or_deny Principal Principal_Class "Principal_Name" {
     Permission Permission_Class "Permission_name", "Target";
  };

grant_or_deny
Each entry is either a grant or a deny command. A grant command creates a positive permission. A deny command creates a negative permission.

Principal_Class
The name of the Java class WebLogic Server uses to represent a User or Group: weblogic.security.acl.User or weblogic.security.acl.GroupImpl, respectively.

Principal_Name
The name of the WebLogic Server user or group, as defined in the weblogic.properties file or other realm, if enabled.

Permission_Class
The name of the Java class that represents URL ACLs in WebLogic Server. Always weblogic.security.acl.URLAcl.

Permission
The name of the permission that is granted or denied. Always weblogic.url.

Target
A file specification, relative to the WebLogic Server public_html directory.

Policy file examples

The examples in this section assume these properties defined in the weblogic.properties file:

  weblogic.password.joe=joe12345
  weblogic.password.steve=steve12345
  weblogic.password.eric=eric12345
  weblogic.password.adam=adam12345
  weblogic.password.sam=sam12345
  weblogic.password.dave=dave12345

  weblogic.security.group.managers=joe,steve
  weblogic.security.group.contributors=eric,adam,sam,dave

  # This property points to the UrlAcl policy file
  weblogic.security.urlAclFile=weblogicURL.policy

  1. Allow the "system" user access to anything. Let everyone access files in the /reports directory, except deny members of the "contributors" group access to files in or below the /reports/financial directory.
    
    grant Principal weblogic.security.acl.User "system" {
      Permission weblogic.security.acl.URLAcl "weblogic.url", "-";
    };
    
    grant Principal weblogic.security.acl.GroupImpl "everyone" {
      Permission weblogic.security.acl.URLAcl "weblogic.url", "/reports/-";
    };
    
    deny Principal weblogic.security.acl.GroupImpl "contributors" {
      Permission weblogic.security.acl.URLAcl "weblogic.url", "/reports/financial/-";
    };

  2. Grant everyone access to all files. Deny members of the "everyone" group access to files in the /admin directory, but allow members of the "managers" group and user "eric" access to /admin directory files.
    
    grant Principal weblogic.security.acl.GroupImpl "everyone" {
      Permission weblogic.security.acl.URLAcl "weblogic.url", "-";
    };
    
    deny Principal weblogic.security.acl.GroupImpl "everyone" {
      Permission weblogic.security.acl.URLAcl "weblogic.url", "/admin/-";
    };
    
    grant Principal weblogic.security.acl.GroupImpl "managers",
          Principal weblogic.security.acl.User "eric" {
      Permission weblogic.security.acl.URLAcl "weblogic.url", "/admin/-";
    };
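The following is an added example, not code from WebLogic Server, that models the resolution rules described in the Overview (search from most specific to most general, individual entries override group entries, deny when nothing matches) and applies them to the three entries of example 2. The tie-break between a grant and a deny to two different groups at the same level is not stated on this page; the code assumes a grant to any of the user's groups wins, since that is the outcome example 2 describes for "managers". It also assumes every user belongs to the "everyone" group.

```python
import re

# Constructed sample policy: the three entries of the page's example 2.
POLICY = '''
grant Principal weblogic.security.acl.GroupImpl "everyone" {
  Permission weblogic.security.acl.URLAcl "weblogic.url", "-";
};
deny Principal weblogic.security.acl.GroupImpl "everyone" {
  Permission weblogic.security.acl.URLAcl "weblogic.url", "/admin/-";
};
grant Principal weblogic.security.acl.GroupImpl "managers",
      Principal weblogic.security.acl.User "eric" {
  Permission weblogic.security.acl.URLAcl "weblogic.url", "/admin/-";
};
'''
ENTRY_RE = re.compile(r'(grant|deny)\s+(.*?)\{(.*?)\};', re.S)
PRINCIPAL_RE = re.compile(r'Principal\s+weblogic\.security\.acl\.(User|GroupImpl)\s+"([^"]+)"')
TARGET_RE = re.compile(r'"weblogic\.url"\s*,\s*"([^"]+)"')

def parse_policy(text):
    """Return (action, kind, name, target) tuples; '/-' and '/*' become '-' and '*'."""
    rules = []
    for action, principals, perms in ENTRY_RE.findall(text):
        for kind, name in PRINCIPAL_RE.findall(principals):
            for target in TARGET_RE.findall(perms):
                rules.append((action, kind, name, re.sub(r'^/(?=[-*]$)', '', target)))
    return rules

def search_order(path):
    """Targets to try, most specific first: exact file, '*' of its directory,
    then '-' of that directory and of each ancestor up to the bare '-'."""
    dirs = path.strip('/').split('/')[:-1]
    order = [path]
    for depth in range(len(dirs), -1, -1):
        base = '/' + '/'.join(dirs[:depth]) + '/' if depth else ''
        if depth == len(dirs):
            order.append(base + '*')
        order.append(base + '-')
    return order

def check_access(rules, user, groups, path):
    """First target with a match decides; no match at any level means deny."""
    groups = set(groups) | {'everyone'}   # assumption: every user is in "everyone"
    for target in search_order(path):
        hits = [(a, k) for a, k, n, t in rules if t == target and
                ((k == 'User' and n == user) or (k == 'GroupImpl' and n in groups))]
        for kind in ('User', 'GroupImpl'):   # individual entries override group ones
            acts = [a for a, k in hits if k == kind]
            if acts:   # assumption: a grant beats a deny at the same level (example 2)
                return 'grant' in acts
    return False
```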

Testing the UrlAcl policy file

WebLogic Server will fail at startup time if your UrlAcl policy file contains syntax errors. Whenever you change the file, you can run the weblogic.utils.security.PolicyParser class on it to test the syntax and also to make sure that WebLogic Server interprets the file as you intended.

Use this command to test your policy file:

  java weblogic.utils.security.PolicyParser infile outfile

infile
The name of your UrlAcl policy file.

outfile
The name of an output file where the PolicyParser writes the parsed UrlAcl policy file.

PolicyParser reports syntax errors. If there are no syntax errors, the output file should contain the same entries as the input file, sorted by permission.


Copyright © 2000 BEA Systems, Inc. All rights reserved.
Last updated 12/4/1999