Access Control
Your options for controlling access to your web with WebSite are similar to the access schemes used by other servers. You can restrict access by user with a user/password system, by the requesting IP address or hostname (class restrictions), or both. Three pages of Server Admin are used for access control.
The Users and Groups pages are where you create users and give them passwords and create groups of users. WebSite also uses the concept of "realms," which are large collections of groups and users. When you want to control access to a URL path on your web, you pick a realm first, and then groups and users in that realm who are permitted access.
The Users page of Server Admin (shown in is for managing users and their passwords; it has three sections:
- Authentication Realm
- You can select an existing realm to use (such as Web Server), create a new realm (by pressing the New button), or delete an existing realm. Your web can have one or multiple realms. You may want to have a separate realm for each virtual server you have. When you create a realm, it has no users.
- User
- You can select an existing user in the realm, change a user's password (by pressing the Password button), or delete a user. The default Web Server realm has an Admin user.
- Group Membership
- You can view and change the group membership status for the selected user. Every realm automatically has an Administrators group and a Users group. All groups you have created within a realm on the Groups page are available here for selection. Every user in a realm is a member of Users, and cannot be removed unless they are deleted altogether.
![[Graphic: Figure 26-7]](figs/wm_2407.gif)
The Groups page of Server Admin (shown in is used for managing groups and groups membership. It has three sections:
- Authentication Realm
- This area works exactly the same as it does on the Users page. Here you select which realm will be affected by the changes you make on the rest of the page. Note that on both the Users and Groups pages, you can create or delete realms.
- Group
- You can select an existing group in a realm, add a new group, or delete a group. Every realm automatically has an Administrators and a Users group. All users in a realm are members of Users and cannot be removed.
- Group Membership
- You can view and change the selected group's membership list. All available users in the selected realm will appear in the non-members box (if they aren't already members). To add a user to the group, select her name and press the Add button. It is easier to add users to groups on the Users page when you create them and set their passwords. If the Group(s) you want to add them to are already created, you can add them there and save a possible extra step.
![[Graphic: Figure 26-8]](figs/wm_2408.gif)
Once you have your users, groups, and realms set up, you can assign access based on them on the Access Control page. Access can also be assigned based on IP address or hostname of the requesting browser. You also use this page to disable automatic directory listings and determine how the server will control access restrictions per URL.
The Access Control page is shown in It has several sections:
- URL Path or Special Function
- You can select, add, or delete a URL path or special function. The URL path cannot specify a file, so all files and subdirectories under that directory have the restrictions applied to them. You can protect any document or CGI directory. To add a new URL path, press the New button. In the popup dialog, type in the new URL path and select a realm to which it will be restricted. Since restrictions are applied by path, many "control points" may exist along a path. The deepest access control point determines the access restrictions at a particular level. In other words, when the server receives a request from a browser, it starts at the level of the request and works up levels until it finds a control point. The server applies the restrictions at that point and stops; it does not look at restrictions above that point. The special functions are URLs that start with a tilde (~) character and are handled in a special way by the server. Some special function URLs only retrieve data, such a ~stats or ~imagemap. Other special function URLs cause the server to perform an administrative task, such as ~cycle-acc or ~cycle-err to cycle the access and error logs. All of the special function URLs in WebSite are on the Access Control list, although only those that cause the server to do something are protected. You cannot delete special functions from the access control list.
- Disable Directory Listings
- This checkbox disables automatic directory listings for the selected URL. Users will be able to view or download documents in that URL directory hierarchy only with the specific filename. You can also add user authentication and class restrictions to a URL with disabled directory listings (i.e., authorized users can receive a directory listing).
- Logical OR Users and Class
- This checkbox tells the server how to evaluate access control. When the box is not checked, the server uses the default method, first looking for class restrictions and then for user authentication (if the class restrictions are met). If the box is checked, the server evaluates both class restrictions and user authentication. If either condition is met, the server returns the requested URL.
- Authorized Users & Groups
- You can view or change the users and/or groups authorized for the selected URL path or special function. The realm for this URL is displayed above the list. If no users or groups are shown in this box, then the URL has no user authentication restrictions.
- Class Restrictions
- In this section of the Access Control page, you specify which connections to the Web are allowed and which are denied. First decide the logic the server should follow in testing connections. Should it first deny and then allow, or first allow and then deny? Which you should choose depends on the scope of restriction. To delete an entry, select the entry from the appropriate box and press Delete. To add a new entry, place the cursor in the appropriate box and press New. A popup dialog will open where you type in the address. Class restrictions accept three kinds of entries:
all, a full or partial IP address, or a full or partial domain name. You can use metacharacters (*and?) to match all or part of either IP addresses or domain names. If you use domain names, you must turn on DNS reverse lookup on the Logging page. The server then looks up the name for the IP address of each requesting node. It is recommended that you don't use domain names or DNS reverse lookup because the extra DNS traffic and waiting time may adversely affect server performance.
Figure 26-9: Access Control page
![[Graphic: Figure 26-9]](figs/wm_2409.gif)