Access Control Tutorial

General Information

Access control works with the Session based configuration file

Note that the access control-related files, like all configuration files, are read by the server at start-up and when the server is re-configured. If you are experimenting with access control and the changes do not seem to be taking effect, re-configure the server (using the SETWBLCFG command).

How Secure Is It?

Webulator/400 supports host filtering and Basic HTTP authentication for controlling access to configured sessions. Each kind of access control makes it difficult, but not impossible for unauthorized users to access protected sessions. Host filtering lets you allow or disallow access based on the client's domain or IP address. Basic authentication lets you require a user ID and password combination.

In Basic authentication, the user ID and password is not sent over the network as plain text, but it is not encrypted either. It is uuencoded, in essentially the same way as Telnet login IDs and passwords. Basic authentication is similar to Telnet security and is approximately as secure as Telnet.

For maximum security, you will want to combine host filtering and user authentication. This would force a potential intruder to both "spoof" an IP address and to "sniff" the network to find a valid user ID and password.

User Authentication Example

In this example, you will protect the "/Demo/Fun" session, only allowing access by user "DrKatz" using the password "ProfessionalTherapist". This assumes that the server is using the default value for the server root.

Create or modify the session based configuration file.

Ensure the file exists

The server is shipped with the stream file "/Wbl/Cfg/Access.Cfg". If that file is missing, create it.

You can create a new file by copying one we ship for this purpose: /Wbl/Shipped/Cfg/Empty.Cfg. You can copy this file using either the WRKLNK command or the CPY command.

Ensure your master configuration file refers to your access control file.

Enter the following command and press the F4 key:

CHGWBLSVR

The example above assumes that you are using the master configuration file that was shipped with the server. If you are not, specify the name to of the master configuration file you are using.

Change the value of the Session based configuration file path parameter to the access control file you just created: /Wbl/Cfg/Access.Cfg and press the enter key.

Create the /Demo/Fun Session Entry

Use the WRKWBLSSN command to create a /Demo/Fun session. This is the session we are going to set protection for.

Set the session values

Enter the following command and press the F4 key:

CHGWBLSSN CFGFILE('/Wbl/Cfg/WebServ.cfg') DIRECTORY('/Demo/Fun')

Change the value of Authentication realm to 'Fun'. This can actually be anything you want. It is passed to the browser and the browser (usually) displays it to the user so the user knows what they are trying to access and therefore what user name and password they should enter.

Change the value of Authentication type to *BASIC. Webulator/400 currently only supports Basic authentication.

Change the value of User file path to '/Wbl/Cfg/FunUser.cfg'. This tells the server what user file to use when evaluating access to the current session. You will add to the user file in a later step.

Change the value of Signon method to *SCREEN. This tells Webulator/400 to issue a signon display for the beginning of this session.

Create an entry to require the user DrKatz.

Use option 6 within the WRKWBLSSN command to add the REQUIRE entry.

When done, the file should contain a section which looks like the one below:

<Session /Demo/Fun>
    AuthUserFile /Wbl/Cfg/FunUser.cfg
    AuthName Fun
    AuthType Basic

        require user DrKatz

</Session>

Add the "DrKatz" user to your authentication user file.

Enter the following command and press the F4 key:

ADDWBLAUT

As in the prior step, if you are using a different master configuration file than the default, you will need to enter it in the command above.

The User file path parameter should come up as '/Wbl/Cfg/FunUser.cfg'. If it does not, change it.

Enter the user name DrKatz and the password ProfessionalTherapist.

Set the Update executing RPs parameter to *IMMED. This will update your server if it is currently running. If the server is not running yet, start it.

Test your changes

To test your changes, enter [host]/Demo/Fun/ in your browser to attempt to show a sign on display for the /Demo/Fun session.

The browser should ask you to enter authentication information. You will not be allowed to see the Webulator session with a sign on display unless you enter DrKatz for a user name and ProfessionalTherapist for a password.

Host Filtering Example

In this example, you will protect the same /Demo/Fun session, but this time, you will set it up so that only people from the .EDU domain can access it.

Create or modify the session based configuration file.

Follow the instructions from the previous example about how to create or modify the file, but add the following section instead.

<Session /Demo/Fun>

        deny from all
        allow from .edu

</Session>

The deny entry denies all hosts access. Both the deny and allow entries can accept the same parameters. In addition to the examples, you can use IP addresses or more complete domain names.

Ensure your master configuration file refers to your access control file.

See the previous example for instructions about this.

Also see Protecting your AS/400 information