iSeries 400 HTTP protection

Case name CASE03
Objective Using Validation Lists and Access Control List (ACL) files
Introduction You may use ACL files in conjunction with validation lists to further limit access to specific files in a protected directory in one of the following integrated file systems:
Root (/) file system, QLanSvr, QOpenSys, QDLS.
Each protected directory can have only one ACL file.
The ACL file must be named www_acl and must be present on the protected directory.
Within the ACL file, each line contains a rule that limits access based on
  • file name
  • HTTP method
  • authorized users, groups, or addresses
See this page of the manual for a detailed description of ACL file lines.
How does it work? Normally, the mask subdirectives in the protection setup define the first level of access control, and the ACL file then further limits access to individual files. However, if you want all control to come from the ACL file, you must use the ACLOverride subdirective with a value of On in the protection setup. This causes the mask subdirectives in the protection setup to be ignored whenever a protected directory contains an ACL file.
How do you define an ACL file? You may use ADMIN both to define an ACL file and to maintain file protection lines (see later on this page).
Another important benefit of using ACL files is that you may assign privileges to single internet users or to groups of internet users within a validation list.
That is what we are going to do in this example; it will be clear by the end of it.
Case description
We want to protect pages /websecure/case* in such a way that only internet users who satisfy all of the following may access them:
  1. must belong to validation list VLDL01 in library WEBSECURE
  2. must belong to group file group01.grp in root directory /websecure
  3. must belong to a group named bat
Solution See how that was done.

1. ADMIN

Here is how we used ADMIN to fulfil our objective.
Step 1 - Define the ACL file
  1. Get ADMIN AS/400 Tasks page
  2. Click on IBM HTTP server for AS/400
  3. Click on Configuration and Administration
  4. Click on Configurations and select CONFIG
  5. Click on Access control list at about the bottom of the left frame

Access control lists

Specify a directory to protect
Directory
Click on Next to go to Step 2
Step 2 - Define the ACL file (continued)

Access control lists

Protected directory: /websecure

Index    Files     Authorized methods   User or group list
Example  *         GET                  All
Example  *.html    GET, POST            geese
Example  golden.*  GET, POST            geese, @bean.stalk.*
Index: Insert before Replace
  Insert after Remove
Protected files:
Authorized methods:
GET CONNECT
HEAD OPTIONS
POST TRACE
PUT DELETE
User or group list:

Check for valid certificate with one or more certificate distinguished name settings
... etc. ...
Click on Apply to create ACL file www_acl in root directory /websecure.
This ACL file then has the following contents:
case* : GET : bat
which has the following meaning:
  • if the files in path /websecure are protected through a protection setup whose ACLOverride subdirective is On
  • then all files whose names start with case support only the HTTP GET method and are accessible only to an internet user, or a group, named bat.
Step 3 - Define the internet users for group bat
  1. Click on Internet Users to get a sublist
  2. Click on Add Internet user

Add Internet user

Name:
Password:
Confirm password:
Comments:
Validation list:
Group file:
Group:
Click on Apply to add this internet user
Then add, with the same validation list, group file and group, another internet user named robin with password robin.
As a result of this, group file /websecure/group01.grp has now the following contents:
music: giovanni
bat: batman, robin   
As you see, this group file defines two groups:
  • group music containing just user giovanni (that was done in Case02)
  • group bat containing users batman and robin
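To make the ACL file and group file semantics concrete, here is an added Python example (not part of the original page or of the IBM HTTP server) that parses a www_acl file and a group file in the formats shown above and evaluates a request the way this page describes: the protection-setup masks decide first, unless ACLOverride On and an ACL file is present, and then the ACL rule must name the user, a group containing the user, or All. The sample file contents are constructed to mirror this case, and the function names are my own.

```python
import fnmatch

# Constructed samples mirroring this page's /websecure/www_acl and group01.grp
ACL_TEXT = "case* : GET : bat\n"
GROUP_TEXT = "music: giovanni\nbat: batman, robin\n"

def parse_acl(text):
    """Parse www_acl lines: 'file pattern : HTTP methods : users, groups, @addresses'."""
    rules = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = [p.strip() for p in line.split(":", 2)]
        if len(parts) != 3:
            raise ValueError("malformed ACL line: %r" % line)  # never skip a rule silently
        files, methods, who = parts
        rules.append((files,
                      {m.strip().upper() for m in methods.split(",")},
                      {w.strip() for w in who.split(",")}))
    return rules

def parse_groups(text):
    """Parse a group file: one 'group: user1, user2' line per group."""
    groups = {}
    for line in text.splitlines():
        if ":" in line:
            name, members = line.split(":", 1)
            groups[name.strip()] = {m.strip() for m in members.split(",") if m.strip()}
    return groups

def entry_names_user(entry, user, groups):
    """An entry grants access if it is All, the user's own name, or a group the user belongs to."""
    return entry == "All" or entry == user or user in groups.get(entry, ())

def acl_allows(rules, groups, filename, method, user):
    """True if some rule matches the file name and method and names this user (directly or via a group)."""
    for pattern, methods, who in rules:
        if fnmatch.fnmatchcase(filename, pattern) and method.upper() in methods:
            if any(entry_names_user(e, user, groups) for e in who):
                return True
    return False  # no matching rule: the ACL does not grant access

def access_allowed(rules, groups, masks, acl_override, filename, method, user):
    """Masks (e.g. GetMask All -> {'GET': {'All'}}) decide first; skipped only with ACLOverride On and an ACL file."""
    if not (acl_override and rules):
        mask = masks.get(method.upper(), masks.get("All", set()))
        if not any(entry_names_user(e, user, groups) for e in mask):
            return False
    return acl_allows(rules, groups, filename, method, user) if rules else True
```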

Step 4 - Create a protection setup
  1. Click on Protection to get a sublist
  2. Click on Create protection setup

Create protection setup

Configuration: Config
Specify a protection setup
Protection setup:
Authentication options:
     Always prompt for user/password
     Use SSL client authentication

Click on Next to go to Step 5
Step 5 - Create a protection setup (continued)


Create protection setup

Configuration: Config
Protection setup: CASE03

Authentication

User/Password Authentication

Protection realm:
Choose one user/password authentication option:
Prompt for user/password using AS/400 profile
Prompt for user/password using validation list
Validation list:
Prompt for user/password using an LDAP server
LDAP server setup name:       


Authorization

User ID:
Group file:
Masks:
       DELETE:
       GET:
       POST:
       PUT:
       All:
Allow ACL files to override protection settings

Click on Apply to complete your protection setup


Step 6 - Document protection

  Note. In this step we are going to use a shortcut name /websecf/* for the path to root directory /websecure.
See our http directives.
Click on Document protection to define the documents to be protected through the protection setup just created.

Document protection

Configuration: Config

Index    URL template          Protection setup   Server IP address or host name
Example  /restricted/*         WEB_MASTERS        9.83.29.4
Example  /Usage/*              PROT_ADMIN
Example  /Documents/*                             host.ibm.com
1        /websechs/case01try*  CASE01
2        /websechs/case02try*  CASE02
Index: Insert before Replace
  Insert after Remove
URL template:
Define protection settings: In-line
  Named protection setup:
Server IP address or host name:

Authentication options for in-line document protection:
        Always prompt for user/password
        Use SSL client authentication

2a. HTTP directives

ADMIN would add the following protection directives to our http directives
(you could also have entered them manually in the http server configuration file, using the WRKHTTPCFG command):
  • protection setup directives (yellow area)
  • Document Protection directives (green area)
The related specifications are in publication SC41-5434, HTTP Server for AS/400 Webmaster's Guide.

Protection CASE03 {
       GroupFile /websecure/group01.grp
       PasswdFile WEBSECURE/VLDL01
       ACLOverride On
       GetMask All
       AuthType Basic
       ServerID CASE03_PROTECTION
       UserID WEBUSER01
}
Protect /websecf/case* CASE03

2b. APACHE directives

If you are running HTTP server (powered by Apache) you need to specify the following Apache directives in your httpd.conf configuration file:

<Location /websecf/case*>
   AuthType Basic
   AuthName CASE03_PROTECTION
   GroupFile /websecure/group01.grp
   PasswdFile WEBSECURE/VLDL01
   UserID WEBUSER01
   Require valid-user
</Location>
For detailed information about Apache directives, see here.

3. The result

As a result, the first time (since you opened your web browser) you try to access a document protected via this protection setup,
you receive a dialog box like the following.

You may try now.
When you receive the real dialog box, enter the name and password of an internet user defined in validation list WEBSECURE/VLDL01 and listed in group bat of group file /websecure/group01.grp. For instance:
  • user batman and password batman
  • or user robin and password robin

[Browser dialog: Username and Password Required. "Enter username for CASE03_PROTECTION at nnn.nnn.nnn.nnn", with User Name and Password fields.]

Try it: access a URL protected as discussed on this page.

What about privileges then?
As we have mentioned at the beginning of this page:
  another important benefit of using ACL files is that you may assign privileges to single internet users or to groups of internet users within a validation list.
As you may have noticed, we have defined two new internet users (batman and robin) who
  1. belong to validation list /WEBSECURE/VLDL01
  2. belong to group file /websecure/group01.grp
  3. belong to group bat within that group file
Now, while it is true that these internet users, by satisfying points 1, 2, and 3, are allowed (through protection setup CASE03) to access URL /websecf/case*,
it is also true that they, by satisfying points 1 and 2, are allowed (through protection setup CASE02) to access URL /websech/case02try*.
You may go back to CASE02 and try to log on as batman or robin.

In other words, in validation list /WEBSECURE/VLDL01 there are now three internet users: giovanni, batman, and robin.
  • giovanni is allowed to access URL /websech/case02try*
  • batman and robin may access URL /websech/case02try* as well, but they can also access URL /websecf/case*
Therefore, batman and robin have more privileges than giovanni.
Advantages of owning a ... batmobile!