Access Control Example


The example below assumes the directory-based configuration file contains the following entries. Note that the indentation shown below is purely for readability. The server will work the same way regardless of any indentation.
<Directory />

    AuthType Basic
    AuthName Example
    AuthUserFile  /wwwserv/cfg/user.cfg
    AuthGroupFile /wwwserv/cfg/group.cfg

    <Limit get>
        order allow,deny
        allow from all
        deny from .edu
    </Limit>

</Directory>


<Directory /abc>

    <Limit get>
        order allow,deny
        allow from .ncsa.edu
        deny from .inetmi.com
    </Limit>

</Directory>


<Directory /123>

    <Limit get>
        order mutual-failure
        allow from .inetmi.com .net
        deny from xyz.inetmi.com
    </Limit>

</Directory>


<Directory /abc/def>

    <Limit get>
        order deny,allow
        allow from hoohoo.ncsa.edu
        deny from .ncsa.edu
    </Limit>

</Directory>


<Directory /UserAuth>

    <Limit get>
        require group Development user FictionalUser1
    </Limit>

</Directory>

Directory Root Example

This entry allows any host except those ending in .edu to get documents in the root or any directory below it. The directory entries for /abc, /abc/def, /123 and /UserAuth contain overriding limit sections, but all other subdirectories on the host will use this entry.

Note that the allow entry is redundant because all hosts are allowed by default.

Directory /abc Example

This limit section still disallows hosts that end in .edu unless they end in .ncsa.edu, in which case they are allowed. It also disallows hosts that end in .inetmi.com.

Except for the directory /abc/def (which contains an overriding limit section), this limit will apply to all subdirectories.

Directory /123 Example

Because the order in this limit section is mutual-failure, any previous allows and denies are ignored. In this directory (and all subdirectories), every host that ends in .inetmi.com or .net will be allowed except for the host xyz.inetmi.com.

Directory /abc/def Example

Note that even though this entry is not listed directly below the /abc entry, the server will evaluate it after the /abc directory section for any documents in /abc/def or below. The order of directory sections within the file is unimportant. They will always be evaluated from the root of IFS down to the document being evaluated.

After this section is processed, any host that ends in .ncsa.edu will not be allowed unless it is hoohoo.ncsa.edu. Any host that ends in .inetmi.com will also not be allowed (because of the limit section in the parent directory). All other hosts will be allowed.

Directory /UserAuth Example

First, host filtering will be applied to allow any host except those ending in .edu. Then user authorization will be applied to allow only user name/password combinations for the group Development or the user FictionalUser1.
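
The host filtering walked through above can be checked with a small model. This is an added example, not code from the server or from the original page: the rule table is transcribed from the sample configuration, while the evaluation logic (the functions matches, applicable and host_allowed are hypothetical names) is an assumption inferred from the descriptions above. The host names in the sample run are constructed. User authorization (require) is not modelled.

```python
# Added illustration: a simplified model of the host filtering described above.
# The rule table is transcribed from the example configuration; the evaluation
# logic is an assumption inferred from the page's prose, not the server's code.

SECTIONS = {  # directory: (order, allow list, deny list)
    "/":        ("allow,deny",     ["all"],                 [".edu"]),
    "/abc":     ("allow,deny",     [".ncsa.edu"],           [".inetmi.com"]),
    "/123":     ("mutual-failure", [".inetmi.com", ".net"], ["xyz.inetmi.com"]),
    "/abc/def": ("deny,allow",     ["hoohoo.ncsa.edu"],     [".ncsa.edu"]),
}

def matches(host, patterns):
    """'all' matches any host, '.suffix' matches a domain suffix, else exact name."""
    host = host.lower()
    for p in (p.lower() for p in patterns):
        if p == "all" or host == p or (p.startswith(".") and host.endswith(p)):
            return True
    return False

def applicable(path):
    """Sections covering path, ordered from the root down, whatever the file order."""
    hits = [d for d in SECTIONS
            if d == "/" or path == d or path.startswith(d + "/")]
    return sorted(hits, key=len)

def host_allowed(host, path):
    allowed = True                      # all hosts are allowed by default
    for d in applicable(path):
        order, allow, deny = SECTIONS[d]
        if order == "mutual-failure":   # earlier allows and denies are ignored
            allowed = matches(host, allow) and not matches(host, deny)
            continue
        # The directive named last in 'order' is applied last and wins.
        steps = [(allow, True), (deny, False)]
        if order == "deny,allow":
            steps.reverse()
        for patterns, verdict in steps:
            if matches(host, patterns):
                allowed = verdict
    return allowed

if __name__ == "__main__":
    # Constructed sample requests (host, document path).
    for host, path in [("pc.example.edu", "/index.html"), ("a.ncsa.edu", "/abc/x"),
                       ("a.ncsa.edu", "/abc/def/x"), ("hoohoo.ncsa.edu", "/abc/def/x"),
                       ("xyz.inetmi.com", "/123/x"), ("host.example.net", "/123/x")]:
        print(f"{host:18} {path:12} {'allow' if host_allowed(host, path) else 'deny'}")
```

Because applicable() matches whole path components, a directory such as /abcd does not pick up the /abc section, and a host denied at the root stays denied in /UserAuth before any password is requested.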


Also see Protecting your AS/400 information