Administration Tool: Resource Protection

Concepts

Documentation Contents

/ Documentation Index

/ Glossary

/ Administration Tool Help

You can control access to Java Web Server(TM) resources. A resource is basically any service, data, or executable that the web server can provide to a client. This document provides a quick introduction and overview of using access control to protect your resources.

Protecting Your Resources
Understanding Realms

Protecting Your Resources

For security reasons, you will probably want to protect some or all of the resources made available to clients by your Java Web Server. For example, you restrict the ability to access and download files containing personnel information to members of the Human Resources staff. Or you might want to restrict the ability to place files on the server to a few selected members of your website team.

In general, a Java Web Server resource can be a

Document (URL)
Directory
Program
Servlet
Service (such as HTTPS or FTP)

or any other data or executable that the web server can make available to a client.

To give you the most flexibility in determining who can access resources on the server, Java Web Server defines the following:

realms
users
groups
access control lists (ACLs)

Understanding Realms

Central to the resource protection scheme implemented for Java Web Server is the concept of a realm. A realm is a database of users and groups. It also contains a set of access policies called access control lists or ACLs. ACLs specify the privileges that the user (or group) is granted to access server resources.

Resources can be accessed only by users and groups that belong to a realm. A resource can be accessed by more than one realm.

When you create a user, group, or ACL, you always do so within the context of a realm. A user, group, or ACL is specific to the realm in which it belongs. That is, a user called Steve in realm A is considered separate and distinct from a user called Steve in realm B.

The realm also specifies a general authentication policy for users or groups that want to access resources. For example, one realm could contain users and groups that employ UNIX passwords and the server's HTTP Basic authentication to grant access to resources. In contrast, another realm might contain users that need to be authenticated using Secure Sockets Layer (SSL) before being granted access to resources.

Realms and Their Authentication Policies
The realms recognized by Java Web Server are predefined. These realms and their associated authentication policies are:

UNIX - Applies only to users in a UNIX^(R) environment. It is the same database of users as listed by the UNIX getpwent() routines. This realm lets the server use HTTP Basic authentication with users' UNIX passwords.

NTRealm - Applies only to users in a Windows NT environment (only available in the Win32 version of this product).
defaultRealm - This realm can be used for general management of users and groups. It also controls the example servlets.

certificateRealm - Protects resources for users who are authenticated using Secure Sockets Layer (SSL). This realm is only packaged in the versions of this product that include SSL.

servletMgrRealm - Used exclusively for signed servlet support, which is used primarily by software publishers. Holds the X.509 certificates used to authenticate those publishers.

Note: To access NT realms, the server has to be run as Administrator and special rights ("Act as part of operating system") have to be granted to the Administrators group.

Users
You define users within the context of a realm. A user can be an individual such as Jack or Susan, or a user can represent a job function such as Engineer or Accountant.

For more information on how to create users, see the Users document.

Groups
Optionally, you can assign the users to groups. A group is simply a collection of users. You can define a group according to the activity they perform such as Engineering or Accounting. You can also define a group according to their relationship to your organization, such as Chicago_Branch_Employees or Outside_Users. As with users, groups are created within the context of a realm.

For more information on how to create groups and assign users to groups, see the Groups document.

Access Control Lists (ACLs)
An ACL specifies the conditions under which a user or group can access resources. You determine which users and groups belong to the ACL, then assign access control policies to them. You can create several ACLs, each with a unique combination of access control policies for groups and users, then assign the ACLs to different resources.

Java Web Server lets you specify access control policies separately for servlets and for files and folders. For servlets you can assign these access policies:

Load Servlet - Load a named servlet
Write files - Write to any file on the server where the servlet is running
Listen to socket - Execute calls on a socket
Link libraries - Link any library called with the load library call
Read files - Read any file on system where the servlet is running
Open remote socket - Open any socket not on the current machine
Execute programs - Execute programs on the server where the servlet is running (this is like cgi)
Access system properties - Access system properties. (For more information see the documentation for java.lang.system.)

For files and folders, you can assign these access control policies:

GET - Retrieve and read documents from the server
PUT - Place a new copy of existing data to the server
POST - Add documents to the server
DELETE - Remove documents from the server

For example, a user or group can be granted only GET permission to the service, and thus only be able to retrieve and read documents from it. Another user or group can be granted both GET and POST permissions, meaning that not only can the user (or the members of the group) read documents, they can add documents for display as well. Both users (or groups) are in the same realm, but the access control policies applied to them are different.

By assigning a specific access control policy to each user and each group, you can control precisely how the resources of a service are used, and by whom. For example, you can assign an access control policy to a user that is different from the policy assigned to the group to which the user belongs. In this case, the user's access control policy takes precedence over the group's settings. For example, if a user in a group has both GET and POST access but the group has only GET access, the user is still able to do both GET and POST.

For more information on how you use Java Web Server to assign access control policies to users and groups, and how you assign them to an ACL, see the Access Control Lists document.

In some cases, a service does not require that its users to be in an access control list. For example, many web page (HTTP) services make their documents available to all users without requiring that they be registered in an ACL.

Top

java-server-feedback@java.sun.com