Access Control Example


The example below assumes the session-based configuration file contains the following entries. Note that the indentation shown below is purely for readability. The server will work the same way regardless of any indentation.
<Session />

    AuthType Basic
    AuthName Example
    AuthUserFile  /wbl/cfg/user.cfg
    AuthGroupFile /wbl/cfg/group.cfg

        allow from all
        deny from .edu

</Session>


<Session /abc>

        allow from .ncsa.edu
        deny from .inetmi.com

</Session>


<Session /123>

        order mutual-failure
        allow from .inetmi.com .net
        deny from xyz.inetmi.com

</Session>


<Session /abc/def>

        allow from hoohoo.ncsa.edu
        deny from .ncsa.edu

</Session>


<Session /UserAuth>

        require group Development user FictionalUser1

</Session>

Session Root Example

This entry allows any host except those ending in .edu to access the Webulator/400 session associated with the root (/) or any session below it. The session entries for /abc, /abc/def, /123 and /UserAuth contain overriding access controls, but all other subsessions on the host will use this entry.

Note that the allow entry is redundant because all hosts are allowed by default.

Session /abc Example

These access control directives still disallow hosts that end in .edu unless they end in .ncsa.edu, in which case they are allowed. They also disallow hosts that end in .inetmi.com.

Except for the session /abc/def (which contains overriding access control directives), this limit will apply to all subsessions.

Session /123 Example

Because the order in this limit section is mutual-failure, any previous allows and denies are ignored. In this session (and all subsessions), every host that ends in .inetmi.com or .net will be allowed except for the host xyz.inetmi.com.

Session /abc/def Example

Note that even though this entry is not listed directly below the /abc entry, the server will evaluate it after the /abc session section for this session or any below. The order of session sections within the file is unimportant. They will always be evaluated from the root down to the session being evaluated.

After this section is processed, any host that ends in .ncsa.edu will not be allowed unless it is hoohoo.ncsa.edu. Any host that ends in .inetmi.com will also not be allowed (because of the access control directives in the parent session section). All other hosts will be allowed.

Session /UserAuth Example

First, host filtering will be applied to allow any host except those ending in .edu. Then user authorization will be applied to allow only user name/password combinations for the group Development or the user FictionalUser1.
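The host-filtering outcomes described in the sections above can be checked with a small model. This is an added Python example, not code from the server or its documentation. It assumes that, outside mutual-failure, the longest matching pattern wins and the deeper session section breaks ties; the page gives the outcomes but not the rule. The hosts in the sample loop are constructed, and /UserAuth falls through to the root entry because only host filtering is modelled.

```python
# Added illustration: a model of the example's host filtering, not the server's code.
# session -> (order, allow patterns, deny patterns), copied from the example above.
CONFIG = {
    "/":        (None, ["all"], [".edu"]),
    "/abc":     (None, [".ncsa.edu"], [".inetmi.com"]),
    "/123":     ("mutual-failure", [".inetmi.com", ".net"], ["xyz.inetmi.com"]),
    "/abc/def": (None, ["hoohoo.ncsa.edu"], [".ncsa.edu"]),
}

def matches(host, pattern):
    """'all' matches any host, '.suffix' a domain suffix, anything else one exact host."""
    if pattern == "all":
        return True
    if pattern.startswith("."):
        return host.endswith(pattern)
    return host == pattern

def sections_for(session):
    """Configured sections from the root down to `session`, whatever their file order."""
    parts = [p for p in session.split("/") if p]
    paths = ["/"] + ["/" + "/".join(parts[:i + 1]) for i in range(len(parts))]
    return [p for p in paths if p in CONFIG]

def host_allowed(session, host):
    host = host.lower()
    hits, mutual = [], False  # hits: (pattern length, section depth, 0=allow / 1=deny)
    for depth, path in enumerate(sections_for(session)):
        order, allows, denies = CONFIG[path]
        if order == "mutual-failure":  # earlier allows and denies are ignored
            hits, mutual = [], True
        for kind, patterns in ((0, allows), (1, denies)):
            for pat in patterns:
                if matches(host, pat):
                    hits.append((0 if pat == "all" else len(pat), depth, kind))
    if mutual:  # must match an allow entry and no deny entry
        kinds = {kind for _, _, kind in hits}
        return 0 in kinds and 1 not in kinds
    if not hits:  # all hosts are allowed by default
        return True
    # Assumption: longest pattern wins, then the deeper section, then deny.
    return max(hits)[2] == 0

if __name__ == "__main__":
    # Constructed sample hosts.
    for session, host in [("/abc", "www.ncsa.edu"), ("/abc/def", "www.ncsa.edu"),
                          ("/123", "xyz.inetmi.com"), ("/UserAuth", "cs.example.edu")]:
        print(session, host, "allowed" if host_allowed(session, host) else "denied")
```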


Also see Protecting your AS/400 information