<h1>Add a Selector-specific access control</h1>
<b>Selector-specific</b> <em>(SEL-specific) </em> access controls are used to
selectively restrict access to <STRONG>resources on your server</STRONG>.
This provides a more refined control mechanism than
requiring a logon -- you can tailor, on a user-specific level,
the resources each client will have access to.
<p>
<FORM ACTION="/srefconf" METHOD="GET">
<input type="hidden" name="SET" value="add_access">
<ul>
<LI>Enter a selector:<INPUT TYPE="text" NAME="URL"
VALUE="" SIZE=50 MAXLENGTH=80>
<LI>Enter a <em>space delimited</em> list of
<b>resource</B> privileges: <INPUT TYPE="text" NAME="privs"
VALUE="" SIZE=40 MAXLENGTH=80>
<li><em>optional ..</em> Enter an <em>identifying realm</em>
for this selector:
<INPUT TYPE="text" NAME="REALM" VALUE="" SIZE=20 MAXLENGTH=20>
</ul>
<BR><INPUT TYPE="submit" VALUE="Add this Entry">
<hr>
<h3>Advanced Options </h3>
The following options permit you to more finely control how SRE-Filter
handles this <em>request selector</em>. Or, you can skip this section with
no ill effect.
<p>
The <b>Access Failure File </b>:
<INPUT TYPE="text" NAME="failfile" SIZE=40 MAXLENGTH=80>
<pre>
<STRONG>Access Permissions:</STRONG>
<INPUT TYPE="CHECKBOX" NAME="no_ssi" VALUE="1" >NO_SSI <INPUT TYPE="CHECKBOX" NAME="no_ssp" VALUE="1" >NO_SSP <INPUT TYPE="CHECKBOX" NAME="no_code" VALUE="1" >NO_CODE
<INPUT TYPE="CHECKBOX" NAME="NO_HTACCESS" VALUE=1>NO_HTACCESS <INPUT TYPE="CHECKBOX" NAME="NO_VIRTUAL" VALUE=1>NO_VIRTUAL <INPUT TYPE="CHECKBOX" NAME="NO_ALIAS" VALUE=1>NO_ALIAS <INPUT TYPE="CHECKBOX" NAME="NO_POSTFILTER" VALUE=1>NO_POSTFILTER
<INPUT TYPE="CHECKBOX" NAME="CACHE" VALUE="1" >CACHE <INPUT TYPE="CHECKBOX" NAME="PUT" VALUE="1" >PUT <INPUT TYPE="CHECKBOX" NAME="DELETE" VALUE="1" >DELETE
</pre>
</FORM>
$CANCEL
<hr>
<h2> Notes </h2>
SRE-FILTER uses <em>SEL-specific</em> access control to selectively
restrict access to <b>resources on your server</b>.
More precisely (<A HREF="/srefconf?show=allow_access">assuming
that you've enabled resource specific access controls</A>):
<ol>
<li> Each request <em>selector</em> is compared against the
list of <em>SEL-specific</em> access control entries; that is,
the <em>request selector</em> received from the client is compared against
this list.
<LI> If a match is found, the <b>resource privileges</b> associated with this
entry are extracted.
<LI> The
<A HREF="/srefconf?show=add_user">client's privileges</A>
are compared against this list of <b>resource privileges</b>.
<LI><ul><LI> If <b>any</b> of the <em>client's privileges</em>
occur in the list of <b>resource privileges</b>, she will be granted access
to the resource (represented by the selector).
<LI> If there is no match (and only
one match is required), an Unauthorized response will be returned.
</ul>
</ol>
<h3> Definitions</h3>
<dl>
<dt><b>Resources on your server</b>
<dd><b>Resources on your server</b> are any file, or service, provided
by your server. This includes:
<ul><LI> HTML documents
<LI> GIF and other images
<LI> miscellaneous files you wish to disseminate (such as .ZIP files)
<LI> execution of CGI-Bin scripts (with subsequent transmittal of the
output of the script)
<LI> execution of SRE-Filter add-ons.
</ul>
<dt><b>Request selector </b>
<dd> When a client sends a request to a server, it contains three components:
the http method, the <em>selector, </em> and the http protocol. <br>
For example: GET /FOO1/BAR.HTM HTTP/1.0 <br>
SRE-Filter's documentation refers to the
<b>request <em>selector </em> </b> as
this middle component, with leading / stripped, and character decoding performed.
<br>In the above example, the <b>request selector</b> would be <tt>FOO1/BAR.HTM</tt>.
</dl>
See the <a href="/samples/srefiltr.htm#terminology">Terminology Appendix</a>
of the SRE-Filter manual for more definitions.
<h3> More notes </h3>
<ul>
<LI>In the <b>Enter a selector</b> field, you can use an asterisk (<b>*</b>) as a wildcard character.
For example, if you enter FOO/BAR/*, then all request selectors
that start with FOO/BAR (e.g., FOO/BAR/A1.HTM and FOO/BAR/ZZ/TOP.HTM)
will match this entry.
<blockquote> Exact matches are always used if they exist.
If there is no exact match, and
if multiple wildcard matches occur,
the <EM>best </EM>match is used; where <EM>best </EM>
is defined as the match with
the most characters before the * (the wildcard) character (and in the
event of ties, the most after). </blockquote>
<LI> The <b>resource privileges</b> list should be a (space delimited) list.
<BR>For example:<b> SALMON TROUT HALIBUT </b>
<blockquote> this example means that if a client has a <b>SALMON</b>,
a <b>TROUT</b>, or a <b>HALIBUT</b> privilege, she will be granted
access to the resource. </blockquote>
<LI> If you place an asterisk (<b>*</b>) in the <b>resource privileges</b> list,
then <b>all</b> clients will have access to this resource (note that
when an * occurs in a <b>resource privileges</b> list, all other items
in the list are ignored).
<LI>A <b>NO</b> in the <b>resource privileges</b> list means that access
will be granted to SUPERUSERS and In-House users <b>only</b>.
<LI> The <em>identifying realm</em> is transmitted to the client along with
the Unauthorized response. It will be used as the <em>realm name</em>
in the username/password box of the client's browser.
<LI> <EM> SEL-specific access control</EM> entries are stored in: $access_file
<p>
<li> The <EM>SEL-specific access control</EM> entries can be used to
<A HREF="/samples/srefiltr.htm#access_control">control a number of additional features</A>.
<LI> An alternative to the use of <EM> SEL-specific access control</EM> is
to use <A HREF="/srefconf?show=do_htaccess">HTACCESS files</A>.
<LI> A more detailed discussion of SRE-Filter's access control
capabilities can be found in the
<A HREF="samples/srefiltr.faq">SRE-Filter FAQ</A>.
</ul>
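<p>The matching and privilege rules described in the notes above, as an added Python example (not SRE-Filter's own code). The entries, the <tt>trusted</tt> flag standing in for SUPERUSERS and In-House users, the <tt>NO_ENTRY</tt> result for a selector with no entry, case-sensitive comparison, and a single * per pattern are all assumptions of this sketch.</p>

```python
from urllib.parse import unquote

# Constructed sample entries: selector pattern -> resource privileges.
ENTRIES = {
    "FOO/BAR/*": "SALMON TROUT HALIBUT",
    "FOO/*": "*",
    "FOO/BAR/SECRET.HTM": "NO",
    "FOO/*.ZIP": "TROUT",
}

def request_selector(request_line):
    """Middle component of the request line, leading / stripped, decoded."""
    method, target, protocol = request_line.split()
    if target.startswith("/"):
        target = target[1:]
    return unquote(target)

def best_entry(selector, entries):
    """Exact match wins; else most characters before the *, then most after."""
    if selector in entries:
        return selector
    best, best_key = None, None
    for pattern in entries:
        if pattern.count("*") != 1:
            continue
        prefix, suffix = pattern.split("*")
        if (len(selector) >= len(prefix) + len(suffix)
                and selector.startswith(prefix) and selector.endswith(suffix)):
            key = (len(prefix), len(suffix))
            if best_key is None or key > best_key:
                best, best_key = pattern, key
    return best

def decide(request_line, client_privs, trusted=False, entries=ENTRIES):
    """Return ALLOW, UNAUTHORIZED, or NO_ENTRY (no matching entry)."""
    pattern = best_entry(request_selector(request_line), entries)
    if pattern is None:
        return "NO_ENTRY"  # behaviour without an entry is not described here
    resource_privs = entries[pattern].split()
    if "*" in resource_privs:       # * grants everyone; other items ignored
        return "ALLOW"
    if "NO" in resource_privs:      # only SUPERUSERS / In-House users
        return "ALLOW" if trusted else "UNAUTHORIZED"
    # Any one client privilege in the resource list is sufficient.
    return "ALLOW" if set(client_privs) & set(resource_privs) else "UNAUTHORIZED"
```

<p>Because the selector is decoded before matching, a request for <tt>/FOO/BAR/SECRET%2EHTM</tt> still hits the exact <tt>FOO/BAR/SECRET.HTM</tt> entry rather than falling through to the broader <tt>FOO/BAR/*</tt> wildcard.</p>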
<a name="permissions"><h3>Access Control Permissions</h3></a>
These <em>permissions</em> apply to <em>just this selector </em> (or, if
you used an *, to just this set of selectors).
<pre>
NO_SSI : Suppress server side includes.
NO_SSP : Suppress server side processing.
NO_CODE : Suppress SELECT and INTERPRET CODE ssi-keyphrases.
NO_CODE is a subset of NO_SSP (that is, if NO_SSP is present,
then NO_CODE is irrelevant)
CACHE : ALWAYS cache this selector (assuming GoServe's caching is enabled).
Typically, if logon controls or access controls are in place, then
caching is disabled. Use of CACHE allows one to override this
general rule for.
PUT : Allow PUT method requests to "copy information to" the directory
represented by this selector (also used by GET_URL and PUT_FILE
facilities)
DELETE : Allow DELETE method requests to "delete" the file represented by
this selector.
NO_HTACCESS: Suppress the HTACCESS method.
NO_ALIAS : Suppress SRE-Filter "aliasing."
NO_VIRTUAL : Suppress virtual directory lookup.
NO_POSTFILTER: Suppress post-filter processing (such as common-log auditing,
and augmentation of the SRE-Filter RECORD_ALL file).
See the <a href="/samples/srefiltr.htm#urlpermissions">SRE-Filter manual</a> for further details.
</pre>
<h3> The Access Failure File </h3>
The <b>Access Failure File</b> is used if the client is not granted
access to this selector. Should this occur,
the <b>Access Failure File </b> can be used as a
<em>response file </em>.
<p>
See the description of the ACCESS_FAIL_FILE in <a href="/samples/initfilt.doc">INITFILT.DOC</a> for further details.
<p>