Authentication and authorization enforcement, Host-based access control, Host-based access control -4 – Oracle B12255-01 User Manual

8-4 Oracle HTTP Server Administrator's Guide

Authentication and Authorization Enforcement

Oracle HTTP Server provides user authentication and authorization at two stages:

Host-based Access Control (stage one): This is based on the details of the incoming HTTP request and its headers, such as IP addresses or host names.

User Authentication and Authorization (stage two): This is based on different criteria depending on the HTTP server configuration. The server can be configured to authenticate users with user name and password pairs that are checked against a list of known users and passwords.

Host-based Access Control

Early in the request processing cycle, access control is applied, which can inhibit further processing based on the host name, IP address, or other characteristics such as browser type. You use the deny, allow, and order directives to set this type of access control. These restrictions are configured with Oracle HTTP Server configuration directives and can be based on particular files, directories, or URL formats using the <Files>, <Directory>, and <Location> container directives, as shown in Example 8–1:

Example 8–1 Host-based Access Control

<Directory /internalonly/>
    order deny,allow
    deny from all
    allow from 192.168.1 us.oracle.com
</Directory>

In Example 8–1, the order directive determines the order in which Oracle HTTP Server reads the conditions of the deny and allow directives. The deny directive ensures that all requests are denied access. Then, using the allow directive, requests originating from any IP address in the 192.168.1.* range, or with the domain name us.oracle.com are allowed access to files in the directory /internalonly/. It is common practice to specify both allow and deny in host-based authentication to make the access policy explicit.
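The following added example (not code from the manual or from Oracle HTTP Server) models how the order, deny, and allow directives combine, using the Example 8–1 policy as input. It assumes Apache 1.3-style matching: a partial dotted address such as 192.168.1 matches on leading octets only, and a domain name matches the client's reverse-resolved host name or any subdomain of it; the host name is passed in already resolved.

```python
from typing import Iterable, Optional

def matches(client_ip: str, client_host: Optional[str], pattern: str) -> bool:
    """Assumed Apache 1.3-style matching for one deny/allow argument.
    'all' matches everything; a leading digit marks a (partial) IP address;
    anything else is a domain name compared against the resolved host name."""
    if pattern == "all":
        return True
    if pattern[0].isdigit():
        # '192.168.1' must match 192.168.1.20 but not 192.168.10.5
        return client_ip == pattern or client_ip.startswith(pattern + ".")
    if client_host is None:           # no reverse DNS result: name rules cannot match
        return False
    host, pat = client_host.lower(), pattern.lower()
    return host == pat or host.endswith("." + pat)

def host_access_decision(order: str, deny: Iterable[str], allow: Iterable[str],
                         client_ip: str, client_host: Optional[str] = None) -> bool:
    """Return True when the request is permitted under the given directives."""
    denied = any(matches(client_ip, client_host, p) for p in deny)
    allowed = any(matches(client_ip, client_host, p) for p in allow)
    if order == "deny,allow":
        # deny rules are read first, allow rules override them; unmatched requests pass
        return allowed or not denied
    if order == "allow,deny":
        # allow rules are read first, deny rules override them; unmatched requests fail
        return allowed and not denied
    raise ValueError(f"unknown order value: {order!r}")

# Example 8-1 as data: constructed from the manual's directive values.
EXAMPLE_8_1 = {"order": "deny,allow",
               "deny": ["all"],
               "allow": ["192.168.1", "us.oracle.com"]}

def example_8_1_allows(client_ip: str, client_host: Optional[str] = None) -> bool:
    """Evaluate the /internalonly/ policy from Example 8-1 for one client."""
    return host_access_decision(EXAMPLE_8_1["order"], EXAMPLE_8_1["deny"],
                                EXAMPLE_8_1["allow"], client_ip, client_host)

if __name__ == "__main__":
    for ip, host in [("192.168.1.20", None), ("192.168.10.5", None),
                     ("10.0.0.7", "build.us.oracle.com"), ("10.0.0.7", "example.com")]:
        print(ip, host, "->", "allow" if example_8_1_allows(ip, host) else "deny")
```

Swapping the order to allow,deny while keeping deny from all would reject every client, since the deny rule is then read last and overrides the allow list; the function makes that difference visible.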
