JANUS WEB ALLOW: Difference between revisions
m (update ALLOW rule default) |
(→Syntax) |
||
Line 20: | Line 20: | ||
<p> | <p> | ||
This rule requires a system administrator to explicitly define <var>ALLOW</var> rules to enable users to access non-SSL ports. | This rule requires a system administrator to explicitly define <var>ALLOW</var> rules to enable users to access non-SSL ports. | ||
Formerly, the rule was <code>JANUS WEB <i>portname</i> ALLOW *</code>, which allowed access to any user and did not require a login. </p> | Formerly, the rule was <code>JANUS WEB <i>portname</i> ALLOW *</code>, which allowed access to any user and did not require a login. To restore that functionality, use the '1' bit of the <var>[[WEBDFLT parameter|WEBDFLT]]</var> parameter to establish <code>ALLOW *</code> as the default for non-SSL ports.</p> | ||
<p> | <p> | ||
For SSL ports, the default <var>ALLOW/DISALLOW</var> rules are: | For SSL ports, the default <var>ALLOW/DISALLOW</var> rules are: |
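Review bot: in the sentence added on the right-hand side at Line 20, "that functionality" has a loose antecedent, and the instruction to set the '1' bit of WEBDFLT is separated from its consequence. Suggest wording it as "To restore the former default, under which any user has access and no login is required, use the '1' bit of the WEBDFLT parameter ...", so a reader who lands on this sentence alone sees what the bit re-enables on non-SSL ports. Since the paragraph says the new default requires an administrator to define explicit ALLOW rules, the sentence could also point back to those rules as the alternative to setting the bit.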
Latest revision as of 02:13, 2 July 2019
Permit access to a web port
The JANUS WEB ALLOW command indicates that a request from a particular user or set of users can have access to any URL that matches a specified pattern (the url value).
Syntax
JANUS WEB portname ALLOW [method] url -
   [USER user | USGROUP usgroup] -
   [IPADDR ipaddr | IPGROUP ipgroup] -
   [[NEWPASSF | NEWPASSF2] fieldname]
portname, method, and url are explained under the JANUS WEB command. The remaining parameters for JANUS WEB ALLOW are described below.
If the JANUS WEB ALLOW command is specified with no optional parameters, it indicates that all users can have access to URLs that match the pattern in url, and that requests for such public URLs are to be run under the explicit or default WEBUSER value from the port definition.
For non-SSL ports, the default ALLOW/DISALLOW rule, as of Model 204 7.7 zap 77Z088 (or 7.6 zap 76Z418), is:
JANUS WEB portname DISALLOW *
This rule requires a system administrator to explicitly define ALLOW rules to enable users to access non-SSL ports.
Formerly, the rule was JANUS WEB portname ALLOW *, which allowed access to any user and did not require a login. To restore that functionality, use the '1' bit of the WEBDFLT parameter to establish ALLOW * as the default for non-SSL ports.
For SSL ports, the default ALLOW/DISALLOW rules are:
JANUS WEB portname DISALLOW *
JANUS WEB portname ALLOW * USER user
where user is the user ID of the user that defined the port.
Note: In no case is there a default rule for the PUT method value, which means that a PUT is not allowed unless explicitly permitted with a JANUS WEB ALLOW rule.
Parameter | Description |
---|---|
USER user | A user is allowed access to url if he or she provides a user ID and corresponding password for a user ID that matches the pattern in user. For example, if user is HOMER, a user that logs in as HOMER will be allowed access to url. If user is the string SIMP*, a user that logs in as any user ID that begins with "SIMP" will be allowed access to url.<br>A user value of asterisk (*) indicates that any valid Model 204 login will allow access to url. This is particularly useful if url is processed by an APSY subsystem, in which case The USER parameter cannot be specified if the USGROUP parameter is specified. It is valid to specify neither USER nor USGROUP. If neither is specified, and a user is allowed access to url on the basis of the rest of the ALLOW rule, the request runs under the WEBUSER user ID taken from the port definition. |
USGROUP usgroup | A user will be allowed access to url if he or she provides a user ID and corresponding password for a user in the user group identified by usgroup. User groups are defined with the JANUS DEFINEUSGROUP command.<br>The USGROUP parameter cannot be specified if the USER parameter is specified. It is valid to specify neither USER nor USGROUP. If neither is specified, and a user is allowed access to url on the basis of the rest of the ALLOW rule, the request runs under the WEBUSER user ID taken from the port definition. |
IPADDR ipaddr | A user on a machine with an IP address that matches ipaddr is allowed access to url. ipaddr can be an IPV4 dotted-decimal address, an IPV6 address (as of version 7.7 of Model 204), or it can be a subnet.<br>The IPADDR parameter cannot be specified if the IPGROUP parameter is specified. It is valid to specify neither IPADDR nor IPGROUP. If neither is specified, the rule makes no restrictions on the basis of IP address. If IPADDR and USER or USGROUP are specified, a user must satisfy both the IPADDR criterion and the USER or USGROUP criterion to be allowed access to url. |
IPGROUP ipgroup | A user on a machine with an IP address that is in ipgroup is allowed access to url. IP address groups are defined with the JANUS DEFINEIPGROUP command.<br>The IPGROUP parameter cannot be specified if the IPADDR parameter is specified. It is valid to specify neither IPGROUP nor IPADDR. If neither is specified, the rule makes no restrictions on the basis of IP address. If IPGROUP and USER or USGROUP are specified, a user must satisfy both the IPGROUP criterion and the USER or USGROUP criterion to be allowed access to url. |
NEWPASSF fieldname, NEWPASSF2 fieldname | An HTTP POST for the specified URL will have its posted form fields scanned for a form field called fieldname:<br>NEWPASSF and NEWPASSF2 are useful for providing a password change form to end-users, rather than depending on end-users entering oldpassword:newpassword in a logon pop-up window. The difference between NEWPASSF and NEWPASSF2 is that NEWPASSF2 requires two occurrences of fieldname in the POST data with identical values. If both values are not provided or they are not identical, it is considered a logon error. NEWPASSF2 is useful if the users are to be required to enter a new password twice to ensure that a typo doesn't cause the end-user to change his or her password to something unintended (and unknown). If normal JANUS WEB ON rule processing continues for a URL with a NEWPASSF or NEWPASSF2 on the associated JANUS WEB ALLOW rule, the contents of fieldname are not available to the Janus Web Server application. |
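
A configuration review aid for the rules described above, added here as an example and not taken from the Model 204 documentation or product: it reads a list of JANUS WEB ALLOW lines and flags rules with no USER/USGROUP (which run under WEBUSER), the unqualified ALLOW * that matches the former non-SSL default, explicit PUT rules, and the USER/USGROUP and IPADDR/IPGROUP combinations the table rules out. The port name, URLs, user IDs and group names in the sample are constructed, and the method list and the handling of a trailing hyphen as a line continuation are assumptions.

```python
import re

KEYWORDS = {"USER", "USGROUP", "IPADDR", "IPGROUP", "NEWPASSF", "NEWPASSF2"}
METHODS = {"GET", "POST", "PUT"}  # assumption: the page itself names only POST and PUT

# Constructed sample: port name, URLs, user IDs and group names are made up.
SAMPLE = """\
JANUS WEB WEBPORT ALLOW *
JANUS WEB WEBPORT ALLOW /hr/* USER SIMP* -
   IPADDR 198.51.100.7
JANUS WEB WEBPORT ALLOW PUT /upload/* USGROUP EDITORS
JANUS WEB WEBPORT ALLOW /admin/* USER HOMER USGROUP ADMINS
JANUS WEB WEBPORT ALLOW /status IPGROUP MONITORS
JANUS WEB WEBPORT DISALLOW /private/*
"""

def parse_allow(line):
    """Parse one JANUS WEB ... ALLOW line; return None for any other line."""
    tok = line.split()
    if len(tok) < 5 or [t.upper() for t in tok[:2]] != ["JANUS", "WEB"] \
            or tok[3].upper() != "ALLOW":
        return None
    rest, method = tok[4:], None
    # The method is optional; when present it is followed by the url.
    if len(rest) > 1 and rest[0].upper() in METHODS and rest[1].upper() not in KEYWORDS:
        method = rest.pop(0).upper()
    pairs = iter(rest[1:])
    opts = {key.upper(): next(pairs, None) for key in pairs}
    return {"port": tok[2], "method": method, "url": rest[0], "opts": opts}

def audit(text):
    """Return (url, finding) pairs for ALLOW rules that deserve a second look."""
    findings = []
    joined = re.sub(r"[ \t]-[ \t]*\n\s*", " ", text)  # trailing hyphen = continuation (assumed)
    for rule in filter(None, map(parse_allow, joined.splitlines())):
        o, url = rule["opts"], rule["url"]
        if "USER" in o and "USGROUP" in o:
            findings.append((url, "INVALID_USER_AND_USGROUP"))
        if "IPADDR" in o and "IPGROUP" in o:
            findings.append((url, "INVALID_IPADDR_AND_IPGROUP"))
        if "USER" not in o and "USGROUP" not in o:
            # No USER/USGROUP: the request runs under the port's WEBUSER ID.
            if "IPADDR" in o or "IPGROUP" in o:
                findings.append((url, "NO_LOGIN_IP_ONLY"))
            else:  # ALLOW * with no qualifiers is the former non-SSL default
                findings.append((url, "PUBLIC_ALL_URLS" if url == "*" else "PUBLIC"))
        if rule["method"] == "PUT":
            findings.append((url, "PUT_ENABLED"))  # PUT never has a default rule
    return findings
```
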