How Limit Sections Are Evaluated

Limit sections can appear both within the directory based configuration file and the administrative access configuration file. The way that the limit sections are evaluated by the server is identical in both cases.

If the server is evaluating access to a document that exists in a directory for which no limit section is specified and no parent directory has a limit section specified, access will be granted. Otherwise, host filtering will be checked first. If access is allowed after host filtering (this includes the case where host filtering is not being used), user authentication will be checked.

Evaluating Host Filtering

When the server is evaluating whether to give access to a document, it will work its way down the directory tree from the IFS root, evaluating host filtering in each limit section from the highest directory (closest to the IFS root) to the lowest (closest to the document being evaluated). Limit sections apply to one or more methods (client request types).

For host filtering, the limit section directives are order, allow and deny. The order directive specifies the order in which the allow and deny directives are evaluated. The allow directive is used to add hosts which have access to a directory. The deny directive removes hosts which have access to a directory.

For the order values allow,deny and deny,allow, each limit section may turn access on, turn it off or do nothing. Access will be turned on if the client's host matches an allow entry. It will be turned off if the host matches a deny entry. If neither the deny or allow entry matches the client's host, access will not be changed for that limit section. If both match the client's host, access will be set by the last entry evaluated (this depends on the order entry).

If order is set to mutual-failure, access will only be allowed if the client's host matches an allow entry and does not match a deny entry. Note that the effect of this is to ignore any previously evaluated (higher) limit sections.

Evaluating User Authentication

To evaluate user authentication, the server will find the limit section nearest to the document being evaluated (farthest from the IFS root) that contains a require directive. If no such limit section is found, access will be granted.

When evaluating the require entry(ies), the current authentication type, authentication user file and (possibly) authentication group file are used. If user authentication fails, the realm specified by the current authentication realm name is sent back to the browser to be displayed to the user when the browser prompts for a user name and password.

Also see Protecting your AS/400 information