Controlling access

Access to the applications installed on the DSJ server can be controlled through a combination of user name (authenticated with password) and IP address. You can create user groups and IP address ranges.

The Authorized Accessors tag in the application's .app file controls the access.

If the tag is missing or if it contains no entries, then that application is an unrestricted application. Any DSJ client may access the application. The application will show up as an available application whenever a DSJ client requests a list of the applications available from the server.

If the tag contains one or more entries then the application is a restricted application. Access is granted to a particular DSJ client for a particular application only if the current DSJ client connection information matches any one of the acceptance criteria in the authorization list.

For example:

Authorized Accessors:
    123.45.67.90
    123.45.50.0-123.45.55.255
    ralph
    sally
    @WestCoastSales

The authorization tag allows the administrator to specify a particular IP address, a range of IP addresses, individual users, or an access group file (denoted by a leading "@" character). Any combination of these may be specified, in any order.

Because any single match grants access, listing an IP address admits any user (including anonymous clients) connecting from that address, and listing a user name admits that user from any machine. To admit a specific user only from a specific machine or address range, you must put both the user and the IP range in an access group file and reference that file from the tag.

User validation

The DSJ server maintains a list of known users and their associated passwords. The list is stored in a file called users.txt in the directory specified by the DSJ server option UserManagerDatabaseDirectory (which defaults to the \users subdirectory). Each line of the file holds one username,password pair. Because the passwords are stored in clear text, restrict read access to this file to the account the server runs under. For example:

ralph,pw
sally,razzamatazz
george,lucky
cathy,highroller

When the DSJ client is started without a user name (the DSJ client's DSJUsername option is not set), no user name information is used to authorize access to any application; the client is an anonymous user. If the DSJ client specifies a user name via DSJUsername, the password is taken from the DSJ client's DSJPassword property and, if that is blank (which is recommended, so that no password is kept in the client configuration), the user is prompted for it.

If the password does not match, or the user name is not registered on the server, the client is not refused; it simply continues as an anonymous user. A failed login therefore still reaches every unrestricted application and every restricted application whose list admits the client's IP address, so keep unrestricted applications to those you are prepared to expose to any client that can reach the server.

Note
The DSJ client stores the user name and password used to establish the initial connection. If the initial connection is lost and the DSJ client needs to connect with another server it will use the user name and password combination that it used to establish the original connection. This means that if a restricted application is available from multiple servers, then the user should have the same name and password on all the servers in order for a reconnect to work.

Access Group files

Access group files allow collections of users or IPs to be easily shared and administered across multiple applications. Additionally, access group files allow a finer level of control by limiting access based on a combination of IP address and user name. Access group files may also contain other access group files.

Access group files are denoted with the "@" character. The remainder of the line is the name of the access group file, which is expected to be found in the server's UserManagerDatabaseDirectory directory.

A group file is made up of three optional sections:

    Users:      user names, one per line
    IP Ranges:  single IP addresses or inclusive address ranges, one per line
    Groups:     names of other access group files, one per line

If you specify users without any IP ranges, the access list for the application is extended to include the listed users. If you specify IP ranges without any users, it is extended to include any DSJ client connecting from an address in one of the specified ranges. If you specify both, it is extended to include the specified users only when they contact the server from an address in one of the specified ranges. The Groups section nests other access group files, so hierarchies of access groups can be built. A sample access group file looks like:

Users:
    george
    cathy
IP Ranges:
    ; anything past a semicolon is a comment
    99.99.99.99; comments can be anywhere
    123.186.40.100-144.186.40.200   ; ip range
    123.186.40.88 ; specific ip
Groups:
    CaliforniaSales
    OregonSales
    WashingtonSales
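The rules above are easy to misread when auditing who can reach an application: a bare entry in the Authorized Accessors tag admits on any single match, a group file that lists both users and IP ranges requires the user AND the address, a failed login falls back to anonymous rather than being refused, and groups nest. The evaluator below is an added example written for this page, not DSJ code, and models those rules over constructed in-memory copies of users.txt, an Authorized Accessors list and two group files (the CaliforniaSales group file contents, the client addresses and the loop guard against a group that includes itself are assumptions of this example, not behaviour the page describes).

```python
import ipaddress
import re

# Constructed sample data standing in for users.txt, an application's
# Authorized Accessors tag and two access group files; all made up here.
USERS_TXT = """ralph,pw
sally,razzamatazz
george,lucky
cathy,highroller
"""
AUTHORIZED_ACCESSORS = """123.45.67.90
123.45.50.0-123.45.55.255
ralph
sally
@WestCoastSales
"""
GROUP_FILES = {
    "WestCoastSales": """Users:
    george
    cathy
IP Ranges:
    99.99.99.99 ; anything past a semicolon is a comment
    123.186.40.100-144.186.40.200   ; ip range
    123.186.40.88 ; specific ip
Groups:
    CaliforniaSales
""",
    "CaliforniaSales": """IP Ranges:
    10.1.1.0-10.1.1.255 ; IP-only group: any client from this subnet
""",
}

def parse_users(text):
    """users.txt: one 'username,password' pair per line."""
    return dict(line.strip().split(",", 1)
                for line in text.splitlines() if line.strip())

def authenticate(users, username, password):
    """Unknown user or wrong password is downgraded to anonymous (None),
    as the server does; the connection itself is not refused."""
    if username is None or users.get(username) != password:
        return None
    return username

def ip_in_entry(ip, entry):
    """entry is 'a.b.c.d' or an inclusive range 'a.b.c.d-w.x.y.z'."""
    lo, _, hi = entry.partition("-")
    lo = ipaddress.ip_address(lo.strip())
    hi = ipaddress.ip_address(hi.strip()) if hi else lo
    return lo <= ip <= hi

def parse_group(text):
    """Split a group file into its Users:, IP Ranges: and Groups: lists;
    anything past a semicolon is a comment."""
    sections = {"Users:": [], "IP Ranges:": [], "Groups:": []}
    current = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line in sections:
            current = sections[line]
        elif current is None:
            raise ValueError(f"entry outside any section: {raw!r}")
        else:
            current.append(line)
    return sections["Users:"], sections["IP Ranges:"], sections["Groups:"]

def group_allows(name, username, ip, group_files, seen=frozenset()):
    """Users only: user must be listed. IP ranges only: IP must be in a
    range. Both: user AND IP. Nested groups are tried last; any match grants."""
    if name in seen:  # assumed guard: a group that (indirectly) includes itself
        return False
    users, ranges, groups = parse_group(group_files[name])
    user_ok = username in users if users else None
    ip_ok = any(ip_in_entry(ip, r) for r in ranges) if ranges else None
    if user_ok is not None and ip_ok is not None:
        if user_ok and ip_ok:
            return True
    elif user_ok or ip_ok:
        return True
    return any(group_allows(g, username, ip, group_files, seen | {name})
               for g in groups)

def is_authorized(accessors, username, client_ip, group_files):
    """No entries: unrestricted. Otherwise any one matching entry
    (IP, IP range, user name or @group file) grants access."""
    entries = [e.strip() for e in accessors.splitlines() if e.strip()]
    if not entries:
        return True
    ip = ipaddress.ip_address(client_ip)
    for e in entries:
        if e.startswith("@"):
            if group_allows(e[1:], username, ip, group_files):
                return True
        elif re.fullmatch(r"[\d.]+(-[\d.]+)?", e):
            if ip_in_entry(ip, e):
                return True
        elif username is not None and e == username:
            return True
    return False
```

With this data an anonymous client connecting from 123.45.52.7 is admitted by the IP range in the tag alone, george is admitted only from one of the WestCoastSales addresses, and any client from the 10.1.1.0 subnet is admitted through the nested IP-only group. That difference between naming a user in the tag and naming the user in a group file that also lists IP ranges is the one to check when reviewing an application's access list.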

To create an access group file from the administration frame:

  1. Choose the Access Groups tab.
  2. Click New Access Group.
  3. In the Access Group dialog box, specify a name for the new access group.
  4. Use the buttons to create the contents of the access group.
  5. Click OK to dismiss the Access Group dialog box.

You may also create the access group file manually in the UserManagerDatabaseDirectory directory. When you restart the server, the access group will be loaded and available for use.

