6.1SP6 and ACL
Hello,
I've been using 6.1 for a long time now, and today I tried to use some ACLs like:
version 3.0;
acl "default";
authenticate (user, group, ip) {
prompt = "Microsoft IIS 17.4";
};
allow (read, execute, info) user = "anyone";
allow (list, write, delete) user = "all";
acl "es-internal";
allow (read, execute, info) user = "anyone";
deny (list, write, delete) user = "anyone";
acl "uri=/my/path/";
allow absolute (read, execute, info) ip = "my.ip.*";
deny (all) ip = "*";
It works in most cases but I get a problem when I call "/my/path":
There is no default-page in "/my/path" but I don't get "No default page"
when I call it from "my.ip.*" or "Forbidden" when I call it from some other
IP - I'm presented with the authentication prompt.
When I call "/my/path/correct.htm" or "/my/path/nopage.htm" I get what
I'm expecting (both from "my.ip.*" and from other IPs).
Is there a problem with my ACL or my obj.conf or is this a bug?
Regards
-pro-
pro7a at 2007-11-26 18:57:42

# 1
I guess the authentication prompt appears because you have "allow"ed the "list"
right for "all". If you remove "list" from the allow rights for "all" in the default acl,
all requests for "/my/path" (if it does not contain a default page) will start getting
a Forbidden response.
To open up "list" right for requests to "/my/path/" from "my.ip.*", you can add "list" to
the rights allowed for "my.ip.*" in the acl specific to "/my/path".
I'm not sure how to set up a "No Default Page" response for 61sp6, maybe someone
else can answer that for you.
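The check suggested in reply # 1, as an added example that is not part of the original thread: a small Python parser for the ACL file quoted in the question that reports, per ACL, the rights granted only to `user = "all"`. It assumes the usual reading of this ACL syntax, where `"anyone"` matches without a login and `"all"` matches only authenticated users; the function names `parse_acl` and `rights_needing_login` are hypothetical.

```python
import re

# Constructed sample: the ACL file quoted in the question above.
SAMPLE_ACL = '''version 3.0;
acl "default";
authenticate (user, group, ip) {
prompt = "Microsoft IIS 17.4";
};
allow (read, execute, info) user = "anyone";
allow (list, write, delete) user = "all";
acl "es-internal";
allow (read, execute, info) user = "anyone";
deny (list, write, delete) user = "anyone";
acl "uri=/my/path/";
allow absolute (read, execute, info) ip = "my.ip.*";
deny (all) ip = "*";
'''

ACL_RE = re.compile(r'^\s*acl\s+"([^"]*)"\s*;')
ACE_RE = re.compile(
    r'^\s*(allow|deny)\s+(absolute\s+)?\(([^)]*)\)\s*(\w+)\s*=\s*"([^"]*)"\s*;')

def parse_acl(text):
    """Return {acl_name: [(action, absolute, rights, attr, value), ...]}."""
    acls, current = {}, None
    for line in text.splitlines():
        m = ACL_RE.match(line)
        if m:
            current = acls.setdefault(m.group(1), [])
            continue
        m = ACE_RE.match(line)
        if m and current is not None:  # skips version/authenticate/prompt lines
            rights = {r.strip() for r in m.group(3).split(",") if r.strip()}
            current.append((m.group(1), bool(m.group(2)), rights, m.group(4), m.group(5)))
    return acls

def rights_needing_login(acls):
    """Map acl name -> rights allowed to a user other than "anyone" only."""
    report = {}
    for name, aces in acls.items():
        open_rights, login_rights = set(), set()
        for action, _absolute, rights, attr, value in aces:
            if action == "allow" and attr == "user":
                (open_rights if value == "anyone" else login_rights).update(rights)
        if login_rights - open_rights:
            report[name] = sorted(login_rights - open_rights)
    return report

if __name__ == "__main__":
    for name, rights in rights_needing_login(parse_acl(SAMPLE_ACL)).items():
        print(f'acl "{name}": {", ".join(rights)} need an authenticated user')
```

Any right it reports for the "default" ACL is one whose use can lead to the authentication prompt on paths that no more specific ACL settles first.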
# 2
> [...] If you remove "list" from the allow
> rights for "all" in the default acl, [...]
Thank you very much, yes this works ...
>
> To open up "list" right for requests to "/my/path/"
> from "my.ip.*", you can add "list" to
> the rights allowed for "my.ip.*" in the acl specific
> to "/my/path".
This does not work, but that's no problem, I don't need it (at the moment).
>
> I'm not sure how to setup a "No Default Page"
> response for 61sp6, maybe someone
> else can answer that for you.
I've done it in obj.conf with
Error fn="query-handler" reason="Server Error" path="/path/errors/nodefault.csh"
where nodefault.csh is a CSH script that generates the reply page depending
on $SERVER_URL and some other variables; works well for what I'm doing.
Thank you
-pro-
pro7a at 2007-7-9 20:37:24
