JANUS WEB ALLOW

From m204wiki

Permit access to a web port

The JANUS WEB ALLOW command indicates that a request from a particular user or set of users can have access to any URL that matches a specified pattern (the url value).

Syntax

JANUS WEB portname ALLOW [method] url -
    [USER user | USGROUP usgroup] -
    [IPADDR ipaddr | IPGROUP ipgroup] -
    [[NEWPASSF | NEWPASSF2] fieldname]

portname, method, and url are explained under the JANUS WEB command. The remaining parameters for JANUS WEB ALLOW are described below.

If the JANUS WEB ALLOW command is specified with no optional parameters, it indicates that all users can have access to URLs that match the pattern in url, and that requests for such public URLs are to be run under the explicit or default WEBUSER value from the port definition.

For non-SSL ports, the default ALLOW/DISALLOW rule as of Model 204 7.7 zap 77Z088 (or 7.6 zap 76Z418), is:

JANUS WEB portname DISALLOW *

This rule requires a system administrator to explicitly define ALLOW rules to enable users to access non-SSL ports. Formerly, the rule was JANUS WEB portname ALLOW *, which allowed access to any user and did not require a login. To restore that functionality, use the '1' bit of the WEBDFLT parameter to establish ALLOW * as the default for non-SSL ports.

For SSL ports, the default ALLOW/DISALLOW rules are:

JANUS WEB portname DISALLOW *
JANUS WEB portname ALLOW * USER user

where user is the user ID of the user that defined the port.

Note: In no case is there a default rule for the PUT method value, which means that a PUT is not allowed unless explicitly permitted with a JANUS WEB ALLOW rule.

JANUS WEB ALLOW parameters
USER user

A user is allowed access to url if he or she provides a user ID and corresponding password for a user ID that matches the pattern in user. For example, if user is HOMER, a user that logs in as HOMER will be allowed access to url. If user is SIMP*, a user that logs in as any user ID that begins with "SIMP" will be allowed access to url.

A user value of asterisk (*) indicates that any valid Model 204 login will allow access to url. This is particularly useful if url is processed by an APSY subsystem, in which case USER * forces a Model 204 login, but it leaves access decisions to APSY.

The USER parameter cannot be specified if the USGROUP parameter is specified. It is valid to specify neither USER nor USGROUP. If neither is specified, and a user is allowed access to url on the basis of the rest of the ALLOW rule, the request runs under the WEBUSER user ID taken from the port definition.

USGROUP usgroup

A user will be allowed access to url if he or she provides a user ID and corresponding password for a user in the user group identified by usgroup. User groups are defined with the JANUS DEFINEUSGROUP command.

The USGROUP parameter cannot be specified if the USER parameter is specified. It is valid to specify neither USER nor USGROUP. If neither is specified, and a user is allowed access to url on the basis of the rest of the ALLOW rule, the request runs under the WEBUSER user ID taken from the port definition.

IPADDR ipaddr

A user on a machine with an IP address that matches ipaddr is allowed access to url. ipaddr can be an IPV4 dotted-decimal address, an IPV6 address (as of version 7.7 of Model 204), or it can be a subnet.
  • IPV4 subnets are indicated by an IP address followed by one of these:
    • A forward slash (/) followed by a netmask (with no intervening blanks)
    • A hyphen (-) followed by the number of bits in the subnet mask (with no intervening blanks)

    For example, 198.242.244.97 is a simple IP address that must be matched exactly. 198.242.244.0/255.255.255.0, which is equivalent to 198.242.244.0-24, indicates that any machine on subnet 198.242.244.0 is to be allowed access to url.

  • IPV6 addresses are 128-bit integers, represented with eight, colon-separated, 16-bit (four hex-digit) groups, which may be abbreviated and represented with fewer groups. For example, fe80:0000:0000:0000:0200:0000:0300:0016 or fe80::200:0:300:16.

    An IPV6 subnet is indicated by the first address in the range, followed by a forward slash, and a decimal value equal to the number of bits in the network prefix. A subnet that includes the example address above is: fe80::200:0/48.

The IPADDR parameter cannot be specified if the IPGROUP parameter is specified. It is valid to specify neither IPADDR nor IPGROUP. If neither is specified, the rule makes no restrictions on the basis of IP address. If IPADDR and USER or USGROUP is specified, a user must satisfy both the IPADDR criterion and the USER or USGROUP criterion to be allowed access to url.

IPGROUP ipgroup

A user on a machine with an IP address that is in ipgroup is allowed access to url. IP address groups are defined with the JANUS DEFINEIPGROUP command.

The IPGROUP parameter cannot be specified if the IPADDR parameter is specified. It is valid to specify neither IPGROUP nor IPADDR. If neither is specified, the rule makes no restrictions on the basis of IP address. If IPGROUP and USER or USGROUP is specified, a user must satisfy both the IPGROUP criterion and the USER or USGROUP criterion to be allowed access to url.
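The following is an added example, not Model 204 or Janus code: a small Python model of the IPADDR forms documented above (exact address, IPV4 addr/netmask, IPV4 addr-bits, IPV6 addr/prefix) and of the rule that USER and IPADDR must both be satisfied when both appear. The dictionary shapes for a rule and a request, and the use of simple `*` wildcard matching for url and user patterns, are assumptions made for the example; the real pattern rules are those described under the JANUS WEB command.

```python
import ipaddress
from fnmatch import fnmatchcase


def parse_ipaddr(spec):
    """Turn a JANUS WEB IPADDR value into an ipaddress network object.

    Accepted forms, as documented for IPADDR: a plain IPv4 or IPv6 address
    (matched exactly), an IPv4 subnet written 'addr/netmask' or 'addr-bits',
    and an IPv6 subnet written 'addr/prefix-bits'.
    """
    if "-" in spec:                                   # IPv4 'addr-bits' form
        addr, bits = spec.rsplit("-", 1)
        spec = f"{addr}/{int(bits)}"
    # strict=False: the documented examples keep host bits set (fe80::200:0/48)
    return ipaddress.ip_network(spec, strict=False)


def ip_allowed(spec, client_ip):
    """True if client_ip satisfies the IPADDR criterion spec.

    A mismatched address family (IPv4 client, IPv6 spec) simply does not match.
    """
    return ipaddress.ip_address(client_ip) in parse_ipaddr(spec)


def rule_allows(rule, request):
    """Evaluate one ALLOW rule against one request (assumed data shapes).

    rule:    {'url': pattern, 'user': pattern (optional), 'ipaddr': spec (optional)}
    request: {'url': str, 'user': login user ID or None, 'ip': str}
    USER and IPADDR must BOTH hold when both appear on the rule; a rule with
    no USER needs no login at all. Patterns use simple '*' wildcards here,
    which is an assumption of this example.
    """
    if not fnmatchcase(request["url"], rule["url"]):
        return False
    if "user" in rule:
        login = request.get("user")
        if login is None or not fnmatchcase(login, rule["user"]):
            return False
    if "ipaddr" in rule and not ip_allowed(rule["ipaddr"], request["ip"]):
        return False
    return True
```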

NEWPASSF fieldname | NEWPASSF2 fieldname

An HTTP POST for the specified URL will have its posted form fields scanned for a form field called fieldname:
  • If the field is not present, it is considered a logon error, and Janus Web Server returns a standard error page to the browser, or it runs the LOGONERR rule (described in JANUS WEB exception rules).
  • If the field is present, it is used as a new password for the user. If the new password is accepted, Janus Web Server attempts to run the JANUS WEB rule NEWPASSWORD. If no such rule is present, it returns an "Unauthorized" response, unless the port is defined with a NEWPASSWORDC parameter, in which case processing simply continues for the posted URL.

NEWPASSF and NEWPASSF2 are useful for providing a password change form to end-users, rather than depending on end-users entering oldpassword:newpassword in a logon pop-up window. The difference between NEWPASSF and NEWPASSF2 is that NEWPASSF2 requires two occurrences of fieldname in the POST data with identical values. If both values are not provided or they are not identical, it is considered a logon error.

NEWPASSF2 is useful if the users are to be required to enter a new password twice to ensure that a typo doesn't cause the end-user to change his or her password to something unintended (and unknown). If normal JANUS WEB ON rule processing continues for a URL with a NEWPASSF or NEWPASSF2 on the associated JANUS WEB ALLOW rule, the contents of fieldname are not available to the Janus Web Server application.
