virtuoso-opensource-doc-6.1.4-2.fc14.noarch.rpm

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
 <head profile="http://internetalchemy.org/2003/02/profile">
  <link rel="foaf" type="application/rdf+xml" title="FOAF" href="http://www.openlinksw.com/dataspace/uda/about.rdf" />
  <link rel="schema.dc" href="http://purl.org/dc/elements/1.1/" />
  <meta name="dc.title" content="12. Web Application Development" />
  <meta name="dc.subject" content="12. Web Application Development" />
  <meta name="dc.creator" content="OpenLink Software Documentation Team ;&#10;" />
  <meta name="dc.copyright" content="OpenLink Software, 1999 - 2009" />
  <link rel="top" href="index.html" title="OpenLink Virtuoso Universal Server: Documentation" />
  <link rel="search" href="/doc/adv_search.vspx" title="Search OpenLink Virtuoso Universal Server: Documentation" />
  <link rel="parent" href="webappdevelopment.html" title="Chapter Contents" />
  <link rel="prev" href="webserver.html" title="The HTTP Server" />
  <link rel="next" href="vsp1.html" title="Virtuoso Server Pages (VSP)" />
  <link rel="shortcut icon" href="../images/misc/favicon.ico" type="image/x-icon" />
  <link rel="stylesheet" type="text/css" href="doc.css" />
  <link rel="stylesheet" type="text/css" href="/doc/translation.css" />
  <title>12. Web Application Development</title>
  <meta http-equiv="Content-Type" content="text/xhtml; charset=UTF-8" />
  <meta name="author" content="OpenLink Software Documentation Team ;&#10;" />
  <meta name="copyright" content="OpenLink Software, 1999 - 2009" />
  <meta name="keywords" content="" />
  <meta name="GENERATOR" content="OpenLink XSLT Team" />
 </head>
 <body>
  <div id="header">
    <a name="wsacl" />
    <img src="../images/misc/logo.jpg" alt="" />
    <h1>12. Web Application Development</h1>
  </div>
  <div id="text">
    <a name="wsacl" />
    <h2>12.2. Web Services ACL (Access Control List)</h2>

<p>Virtuoso provides a generic access control list for HTTP and other
Internet protocol clients.  This mechanism uses wildcard expressions to
selectively block and allow ranges of IP addresses.  An ordered set of patterns
is matched against the origin of the request.  The first matching pattern&#39;s
allow/deny flag determines whether the client is approved or not. </p>

<p>The patterns designating a range of IP addresses follow the syntax of
   the SQL &#39;LIKE&#39; predicate, e.g. &#39;%.foo.bar&#39; or &#39;*.foo.bar&#39;.</p>

<div class="tip">
      <div class="tiptitle">See Also:</div>
<p>The <a href="SELECTSTMT.html#LikePredicate">LIKE Predicate &amp; Search Patterns</a> section.</p>
</div>

<p>The following mechanisms for services access restriction are
defined by default:</p>

<ul>
      <li>
        <strong>Web Server ACL</strong> - controls access to the Web server (a basic firewall)</li>
      <li>
        <strong>Web Proxy server ACL</strong> - controls access to the Web proxy server</li>
      <li>
        <strong>News Server ACL</strong> - controls access to the Internet news groups (reading or posting)</li>
    </ul>

 <a name="wsaclgenpurpacl" />
    <h3>12.2.1. General purpose ACLs</h3>

  <p>The system table <span class="computeroutput">DB.DBA.HTTP_ACL</span>
  is used to persist ACL definitions, which can be managed with simple INSERT/UPDATE/DELETE statements. The table has the following layout:</p>

  <p>Columns for DB.DBA.HTTP_ACL:</p>

  <ul>
      <li>
        <strong>HA_LIST</strong> - ACL name </li>
      <li>
        <strong>HA_ORDER</strong> - Position  in the list</li>
      <li>
        <strong>HA_OBJECT</strong> - Object ID (applicable to news groups also)</li>
      <li>
        <strong>HA_CLIENT_IP</strong> - Client IP address pattern (LIKE-style)</li>
      <li>
        <strong>HA_FLAG</strong> - Allow/Deny flag, 0 - allow, 1 - deny</li>
      <li>
        <strong>HA_RW</strong> - Read/Write flag, 0 - read,  1 - post</li>
      <li>
        <strong>HA_DEST_IP</strong> - Destination IP/Host (applicable to the proxy also)</li>
      <li>
        <strong>HA_RATE</strong> - Rate Limit</li>
    </ul>

  <p>The primary key covers columns HA_LIST, HA_ORDER, HA_CLIENT_IP
  and HA_FLAG.</p>

  <div class="tip">
      <div class="tiptitle">See Also</div>
  <p>The full schema is listed in the Appendix under <a href="systemtables.html#tables.db.dba.http_acl">System Tables</a>.</p>
  </div>

<div class="formalpara">
      <strong>HA_LIST (required)</strong>
<p>Name of the ACL. This is a label designating a group of rules applicable to a specific
service. Three groups are predefined: HTTP, NEWS and
PROXY. Note that the group name is treated as a
case-insensitive string. In other words, HA_LIST can be thought of as the domain
of the ACL. Developers can add their own ACLs to this table and use them with the
API functions discussed in the next section.</p>
    </div>

<div class="formalpara">
      <strong>HA_ORDER (required)</strong>
<p>Ordinal number of the rule within its list. This number
should be unique within a specific group so that the order of rule matching is
well defined. If two rules have the same order, the one with the
allow flag equal to zero (see HA_FLAG below) takes precedence.
Rules in a list are applied in ascending order, i.e.
the rule with the smallest value of HA_ORDER is applied
first.</p>
    </div>

<div class="formalpara">
      <strong>HA_CLIENT_IP (required)</strong>
<p> A pattern designating a single IP address or a group of addresses.
This is a string value as used with the &#39;LIKE&#39; operator; for example, 192.168.*
matches all hosts of the local private network. </p>
    </div>

<div class="formalpara">
      <strong>HA_FLAG (required)</strong>
<p> A flag: zero or a positive number, designating the rule to be applied
to a matching address/host. The default, zero (false), designates an allow rule;
a positive value (true) designates a deny rule. An application may use the flag in reverse, but in that case
it must take the order precedence into account
(see HA_ORDER).</p>
    </div>

<div class="formalpara">
      <strong>HA_OBJECT (optional)</strong>
<p> An integer ID; in the predefined ACL for Internet News groups it
designates the ID of the group. It can also be used in
other applications where different rules should apply to different objects. Think of it as a
sub-list inside an ACL.</p>
    </div>

<div class="formalpara">
      <strong>HA_RW (optional)</strong>
<p> An integer designating the action to be restricted (read/write); used in
the predefined Internet News groups ACL. </p>
    </div>

<div class="formalpara">
      <strong>HA_DEST_IP (optional)</strong>
<p> A string pattern to match another IP address;
used in the Web Proxy server ACL. It can also be used in custom
application logic.</p>
    </div>

<div class="formalpara">
      <strong>HA_RATE (optional)</strong>
<p> A float for the rate limit. The filter calculates the average hit rate and
compares it with the limit of the HTTP ACL rule; if the rate is larger, the connection is dropped.
The statistics are reset once per day.</p>
<p>The rate limit can be configured from Conductor-&gt;System Admin-&gt;Access Control, where:</p>
<ul>
  <li>Regular expressions are not supported.</li>
  <li>Patterns can be used, for example:
<div>
            <pre class="programlisting">
-- like &#39;%something&#39; or
-- something*
</pre>
          </div>
</li>
</ul>
<p>The rate limit is in hits per second from one IP address.</p>
<p>For search engine optimization statistics, for example, a rate limit of 10 (or even 100, so as to
start collecting statistics) can be set, after which http_acl_stats () shows what values are returned.</p>
</div>

  <br />

  <a name="wsacldefrem" />
    <h3>12.2.2. ACL Definition/Removal</h3>

  <p>ACLs can be managed from the administration web interface using the
  following steps.</p>

<ul>
  <li>From the Admin UI main menu open the &quot;System Admin&quot; node.</li>
  <li>Go to Security -&gt; Access Control.</li>
  <li>By default three ACLs are listed:
  <ul>
          <li>HTTP - rules for the Web server </li>
          <li>NEWS - rules for the Internet News</li>
          <li>PROXY - rules for the Web Proxy Server</li>
          <li>PSH and PSH-SSL - available only when the 
	    <a href="http://s3.amazonaws.com/opldownload/uda/vad-packages/6.1/virtuoso/pubsubhub_dav.vad">pubsubhub_dav.vad</a> 
	    is installed.</li>
        </ul>
  <table class="figure" border="0" cellpadding="0" cellspacing="0">
      <tr>
       <td>
              <img alt="Access Control" src="../images/ui/admacl.png" />
       </td>
      </tr>
      <tr>
            <td>Figure: 12.2.2.1. Access Control</td>
      </tr>
        </table>
  </li>
  <li>New ACLs can be added by entering a list name and clicking the &quot;Add&quot; button.</li>
  <li>Existing ACLs can be edited by clicking the &quot;Edit&quot; link beside
   each listed ACL. </li>
   <li>To add new rules, enter the requested information and press the
   &quot;Add&quot; button.</li>
   <li>To change the order of the rules use the &quot;top&quot;, &quot;bottom&quot;, &quot;up&quot; and &quot;down&quot; links.</li>
  <li>ACLs can be removed using the Delete button.</li>
</ul>


  <p>Alternatively, the HTTP_ACL table can be manipulated directly with SQL.
  To add a new rule:</p>

<div>
      <pre class="programlisting">
INSERT INTO HTTP_ACL (HA_LIST, HA_ORDER, HA_CLIENT_IP, HA_RATE, HA_FLAG) values
(&#39;list_name&#39;, &lt;order number&gt;, &#39;*pattern*&#39;, &lt;hits_per_second_number&gt;, [1/0]);
</pre>
    </div>

  <p>To remove an existing rule:</p>

<div>
      <pre class="programlisting">
DELETE from HTTP_ACL where HA_LIST = &#39;list_name&#39; and HA_ORDER = &lt;order number&gt;
and HA_FLAG = [1/0] and HA_CLIENT_IP = &#39;*pattern*&#39;;
</pre>
    </div>

  <br />

  <a name="wsaclusing" />
    <h3>12.2.3. Using ACL&#39;s Within Application Logic</h3>

  <p>The
  <a href="fn_http_acl_get.html">http_acl_get()</a>
  function can be used to test an address against an ACL. The
  <a href="fn_http_client_ip.html">http_client_ip()</a>
  function can be used to determine the IP address or DNS name of a client
  machine.</p>

  <a name="ex_wsaclwithapps" />
    <div class="example">
      <div class="exampletitle">Using ACL&#39;s with Application Logic</div>

  <p>To restrict &#39;foo.bar&#39; (network 333.333.333.0) from accessing a SOAP
  service one could use the following:</p>

<div>
        <pre class="programlisting">
-- deny access from &#39;333.333.333.*&#39;
insert into http_acl (ha_list, ha_order, ha_flag, ha_client_ip) values (&#39;MY_SOAP&#39;, 1, 1, &#39;333.333.333.*&#39;);
-- allow
insert into http_acl (ha_list, ha_order, ha_flag, ha_client_ip) values (&#39;MY_SOAP&#39;, 2, 0, &#39;*&#39;);

-- a procedure exposed as SOAP service

create procedure SumService (in a int, in b int) returns int
{
  if (0 &lt;&gt; http_acl_get (&#39;MY_SOAP&#39;, http_client_ip ()))
    signal (&#39;42000&#39;, &#39;Access denied&#39;);
  return (a + b);
}
</pre>
      </div>
</div>
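<p>The first-match evaluation described under HA_ORDER, HA_FLAG and HA_CLIENT_IP above, together with the http_acl_get() check in the example, modelled in Python as an added illustration (not Virtuoso&#39;s own code; the rule sets are constructed from this page&#39;s examples, and treating &#39;*&#39; as equivalent to the LIKE wildcard &#39;%&#39; is an assumption drawn from the page&#39;s own patterns). The SHADOWED list shows why rule order matters: a catch-all allow placed first makes the later deny unreachable.</p>

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class AclRule:
    """One DB.DBA.HTTP_ACL row, reduced to the columns the matcher needs."""
    ha_list: str        # ACL name, compared case-insensitively
    ha_order: int       # position in the list; smallest value applies first
    ha_client_ip: str   # LIKE-style pattern for the client address
    ha_flag: int        # 0 = allow, positive = deny


def like_to_regex(pattern):
    """Translate a LIKE pattern to an anchored regex. '%' and '*' match any run
    of characters ('*' as a '%' synonym is an assumption), '_' one character."""
    parts = []
    for ch in pattern:
        if ch in "%*":
            parts.append(".*")
        elif ch == "_":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$")


def http_acl_get_sim(rules, list_name, client_ip):
    """Return HA_FLAG of the first rule in list_name matching client_ip, or
    None when no rule matches (the no-match result of the real http_acl_get()
    is not modelled here). Rules are applied in ascending HA_ORDER; on equal
    HA_ORDER the allow rule (flag 0) wins, as the HA_ORDER notes state."""
    in_list = [r for r in rules if r.ha_list.upper() == list_name.upper()]
    for rule in sorted(in_list, key=lambda r: (r.ha_order, r.ha_flag)):
        if like_to_regex(rule.ha_client_ip).match(client_ip):
            return rule.ha_flag
    return None


# Constructed rule sets mirroring the page's examples.
RULES = [
    # MY_SOAP from the application-logic example: deny 333.333.333.*, allow the rest
    AclRule("MY_SOAP", 1, "333.333.333.*", 1),
    AclRule("MY_SOAP", 2, "*", 0),
    # HTTP list that admits localhost only
    AclRule("HTTP", 1, "127.0.0.1", 0),
    AclRule("HTTP", 2, "*", 1),
    # SHADOWED: the catch-all allow at order 1 makes the deny at order 2 dead
    AclRule("SHADOWED", 1, "*", 0),
    AclRule("SHADOWED", 2, "333.333.333.*", 1),
]
```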
<br />

<a name="wsaclpredefined" />
    <h3>12.2.4. Predefined ACLs</h3>

<p>The following ACLs are predefined and have special treatment in Web Server
processing:</p>

<div class="formalpara">
      <strong>HTTP</strong>
<p>General Web server ACL; the rules applied to
it control access to the Web server.  If this ACL is managed via the web UI, take
care not to lock out the current connection and render the administration UI inaccessible. The ACL rules for &#39;HTTP&#39; must contain HA_ORDER,
HA_CLIENT_IP (pattern) and HA_FLAG (access flag) only.  The remaining column
values are ignored.  To add or remove rules in that list see &#39;ACL Definition/Removal&#39;,
with HA_LIST equal to &#39;HTTP&#39;.  The client&#39;s IP address is
tested against the rules.</p>
    </div>

<div class="formalpara">
      <strong>NEWS</strong>
<p>Controls access to the separate Internet News groups, restricting
POST or READ access to them.  </p>
    </div>
<p>All valid rules for &#39;HTTP&#39; are also valid for &#39;NEWS&#39;, with the following differences: </p>
 <ul>
      <li>HA_OBJECT must be specified as the ID of the News group to control.</li>
      <li>HA_RW must be specified as 0/1 to designate which action on the group to control: read or post.</li>
    </ul>
<p>If control is managed with SQL statements, HA_LIST must be equal to &#39;NEWS&#39;.</p>

<div class="formalpara">
      <strong>PROXY</strong>
<p>This controls access to the Web Proxy Server.  Note that the Proxy service is
disabled by default and can be enabled with the &#39;HTTPProxyEnabled&#39; INI setting.
This ACL is similar to the HTTP ACL. Additionally, the pattern in HA_DEST_IP must match the destination server.
In this way certain destinations can be restricted.</p>
    </div>

<div class="note">
      <div class="notetitle">Note:</div>
<p>HTTP ACLs affect PROXY rules.  Therefore, if the HTTP list rejects a request
from a particular client, proxy access from that client is also rejected. </p>
    </div>

<a name="ex_wsacl" />
    <div class="example">
      <div class="exampletitle">Adding/removing ACL&#39;s</div>

<p>To allow access from localhost only:</p>

<div>
        <pre class="programlisting">
insert into http_acl (ha_list, ha_order, ha_flag, ha_client_ip) values (&#39;HTTP&#39;, 1, 0, &#39;127.0.0.1&#39;);
insert into http_acl (ha_list, ha_order, ha_flag, ha_client_ip) values (&#39;HTTP&#39;, 2, 1, &#39;*&#39;);
</pre>
      </div>

<p>To allow only local addresses (private.net/192.168.0.0) to access the proxy server:</p>

<div>
        <pre class="programlisting">
insert into http_acl (ha_list, ha_order, ha_flag, ha_client_ip, ha_dest_ip)
              values (&#39;PROXY&#39;, 1, 0, &#39;192.168.1.*&#39;, &#39;*&#39;);
insert into http_acl (ha_list, ha_order, ha_flag, ha_client_ip, ha_dest_ip)
              values (&#39;PROXY&#39;, 2, 1, &#39;*&#39;, &#39;*&#39;);
</pre>
      </div>

<p>To deny web access from some domain (bad.domain/333.333.333.0). The deny rule must come first: with first-match evaluation, a catch-all allow rule at order 1 would shadow it.</p>

<div>
        <pre class="programlisting">
-- deny the domain first, then allow everyone else
insert into http_acl (ha_list, ha_order, ha_flag, ha_client_ip) values (&#39;HTTP&#39;, 1, 1, &#39;333.333.333.*&#39;);
insert into http_acl (ha_list, ha_order, ha_flag, ha_client_ip) values (&#39;HTTP&#39;, 2, 0, &#39;*&#39;);
</pre>
      </div>
</div>

<br />
  </div>
  <div id="footer">
    <div>Copyright© 1999 - 2009 OpenLink Software All rights reserved.</div>
  </div>
 </body>
</html>