Webserver 7 - Keyfile DB authentication - NOT working

Hello All,

I have installed Webserver 7.0 on a Windows 2000 Server machine.

Everything works fine except the keyfile / user authentication.

I want to restrict web access of specific folders (URI) to specific users.

Here's what I did:

1- removed the already created keyfile DB.

2- created another db (called it authdb). It is a basic keyfile DB, not digest.

3- created a user, called it user1 and specified a password.

4- created an ACI below the default and es-internal to Allow all access rights to 'user1' on the URI /folder1 ... from anyplace and continue is enabled.

When I try to access a file inside that folder (xx.xx.xx.xx/folder1/file.zip), I am asked to authenticate (as expected), and when I do (using user1 and the password I already set), the authentication fails...

Any ideas?

Here's all I can see in the logs:

=====

security

[NSACL4340] HTTP5096: ACL_GetAttribute: All attribute getters declined for attr "user"
[NSACL4340] HTTP5096: ACL_GetAttribute: All attribute getters declined for attr "isvalid-password"
[NSACL6000] HTTP5239: default is not a registered database
[NSACL6000] HTTP5239: default is not a registered database

-

28/Jun/2007:15:36:09 security for host 192.168.x.x trying to GET /folder1/, acl-state reports: HTTP5187: access of c:/program files/sun/webserver7/https-vault/docs/folder1/ denied because evaluation of ACL default directive 2 failed

=====

Second paragraph looks normal since I could not authenticate.

Thanks in advance for any help.

[1605 byte] By [Alessandro.Astutoa] at [2007-11-27 9:07:34]
# 1

Assuming "authdb" is the name of the auth-db you just created and you have created a file named "myauthdb" in the config directory, server.xml should look like:

<default-auth-db-name>authdb</default-auth-db-name>
<auth-db>
  <name>authdb</name>
  <url>file</url>
  <property>
    <name>syntax</name>
    <value>keyfile</value>
  </property>
  <property>
    <name>keyfile</name>
    <value>myauthdb</value>
  </property>
</auth-db>

default.acl should look like:

version 3.0;

acl "default";
authenticate (user, group) {
  prompt = "Sun Java System Web Server";
};
allow (read, execute, info) user = "anyone";
allow (list, write, delete) user = "all";

acl "es-internal";
allow (read, execute, info) user = "anyone";
deny (list, write, delete) user = "anyone";

acl "uri=/folder1";
deny (all) user="anyone";
allow (all) user="user1";

Instead of making authdb the default authdb, you can also (optionally) add an ACL in the following way:

acl "uri=/folder1";
authenticate (user, group) {
  prompt = "Sun Java System Web Server";
  database = "authdb";
};
deny (all) user="anyone";
allow (all) user="user1";

mva at 2007-7-12 21:44:28 > top of Java-index,Web & Directory Servers,Web Servers...
# 2

The logs clearly indicate that the "default" ACL is trying to locate the default database, which doesn't exist (the default authentication database is "keyfile", which you have deleted), hence the ACL evaluation fails.

The simplest solution to the problem is to change the default authentication database to one of the available authentication databases.

You can easily do that via the Administration GUI:

- Go to the "Authentication Databases" page

- Select one of the authentication databases in the table

- Click on the "Set As Default" button on the table

- Deploy the configuration

amit-suna at 2007-7-12 21:44:29
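
Added example (not part of the original thread and not Sun's code): a small consistency check for the failure that replies #1 and #2 describe, where an ACL's authenticate block resolves to an auth-db that server.xml no longer registers. The sample server.xml and ACL text are constructed, the `<server>` wrapper is assumed, and the rule that a missing or "default" database falls back to `<default-auth-db-name>` (or "keyfile" when that element is absent) is an assumption taken from reply #2.

```python
import re
import xml.etree.ElementTree as ET

# Constructed server.xml fragment: only "authdb" is registered, the stock keyfile DB is gone.
SERVER_XML = """<server>
  <auth-db><name>authdb</name><url>file</url></auth-db>
</server>"""

# Constructed ACL file, modelled on the default.acl shown in reply #1.
ACL_TEXT = '''version 3.0;
acl "default";
authenticate (user, group) {
  prompt = "Sun Java System Web Server";
};
acl "uri=/folder1";
authenticate (user, group) {
  prompt = "Sun Java System Web Server";
  database = "authdb";
};
deny (all) user = "anyone";
allow (all) user = "user1";
'''

def registered_dbs(server_xml):
    """Return (registered auth-db names, default auth-db name; keyfile assumed if unset)."""
    root = ET.fromstring(server_xml)
    names = {n.text.strip() for n in root.findall(".//auth-db/name")}
    default = root.findtext(".//default-auth-db-name", default="keyfile").strip()
    return names, default

def acl_databases(acl_text):
    """Return [(acl name, database or None)] for every authenticate block."""
    found = []
    for name, body in re.findall(r'\bacl\s+"([^"]*)"\s*;(.*?)(?=\bacl\s+"|\Z)', acl_text, re.S):
        for block in re.findall(r'authenticate\s*\([^)]*\)\s*\{(.*?)\}', body, re.S):
            m = re.search(r'database\s*=\s*"([^"]*)"', block)
            found.append((name, m.group(1) if m else None))
    return found

def find_unregistered(server_xml, acl_text):
    """List (acl name, effective database) pairs that match no registered auth-db."""
    names, default = registered_dbs(server_xml)
    # Assumption: no database, or database = "default", means the server's default auth-db.
    resolved = [(acl, default if db in (None, "default") else db)
                for acl, db in acl_databases(acl_text)]
    return [(acl, db) for acl, db in resolved if db not in names]

if __name__ == "__main__":
    print(find_unregistered(SERVER_XML, ACL_TEXT))
```

Run against the constructed input, it flags the "default" ACL and leaves "uri=/folder1" alone; adding `<default-auth-db-name>authdb</default-auth-db-name>` to the sample clears the finding.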
# 3

Hello,

Thanks for the help.

The default DB was restored and things are fine.

Except that:

Only the first password set for a user works (the password that is set when the user is created). If I reset the password, the old one works and the new one does not.

Any ideas?

Alessandro.Astutoa at 2007-7-12 21:44:29
# 4
Users are cached. Can you try after some time? Can you restart the server and check? What does the error log say?
mva at 2007-7-12 21:44:29
# 5
Thanks guys! It seems restarting after deployment fixed the issue. Thanks again.
Alessandro.Astutoa at 2007-7-12 21:44:29