Enportal/5.6/admin/user administration/content creation/generic proxy access control
The Access Control setting in the enPortal Channel Builder gives the administrator control over what resources can be accessed through a given channel. This appendix details the options and usage for this setting.
Purpose of Access Control
To properly establish access controls for channels, it is important to first understand the purpose of the channel and the requirements for any restrictions you will need to apply. You can then apply the appropriate restriction by use of the Access Control option in the Channel Editor.
The URL that is defined for a channel allows the portal administrator to specify precisely what resource should be loaded in the channel when the channel is presented to a portal user. However, the nature of Web content is that within a channel there may be links and other actions through which the user can access other Web resources.
There are times when the administrator would like to give the user full flexibility to navigate to a variety of URLs within a channel. However, there are also times when the administrator would like to guarantee that the channel will only permit certain resources to be accessed in the channel.
An example would be a channel that is designed to display certain sensitive information only from a particular server. Within a proxied application in that channel, there may be a link to other sensitive content on another server which you do not want to be displayed to the user. One way to ensure that the user in the channel is restricted to viewing only content on the permitted server is with the Access Control option in the Channel Editor.
Default Settings
Out of the box, enPortal limits each channel’s access of Web resources to the protocol, host, and port that the channel is configured to use. Initially, each channel’s Access Control property uses the recommended setting for most channels, which is the default setting.
The definition of the default access control setting is configurable. This option looks to a setting in the PORTAL_HOME/config/crs.properties file called crs.accesscontrol.default. This setting selects one of the access control options to apply to any channels set as default. When the portal is first installed, the initial setting in the file is: crs.accesscontrol.default=application.
You can customize this configuration by copying and updating the above line from PORTAL_HOME/config/crs.properties to PORTAL_HOME/config/custom.properties.
If most or all of your channels will use the same Access Control option, one approach is to set them all to default and then define that option in the custom.properties file. The advantage of this approach is that if the Access Control setting for all of these channels later needs to be changed, you would only need to update the single setting in the properties file.
The Configuration of Access Control section below describes the access control settings in detail.
Configuration of Access Control
Perform the following steps to assign Access Control to a channel:
- Create a channel
- On the Channel Editor screen, click on the Access Control drop-down and select the appropriate option.
The table below describes the available Access Control options.
Access Control Option | Description |
---|---|
default | Restriction of URLs accessed in this proxied channel is defined by a global setting in a system properties file. For more information on this option, see Default Settings above. |
application | URLs accessed in the proxied channel are restricted to those requests that match the host, port, and protocol of the channel’s Full URL Path. For example, if the channel's target is http://www.yahoo.com, the channel will allow access only to www.yahoo.com using http through port 80. Resources such as https://maps.yahoo.com and http://www.yahoo.com:1234 cannot be accessed through the channel. |
public | URLs accessed in the proxied channel are restricted to those requests that meet one of the following two conditions: For example, if the channel's Full URL Path is http://www.yahoo.com, the channel will allow navigation to http://www.yahoo.com or http://www.google.com, but not http://127.0.0.1. |
baseurl | URLs accessed in the proxied channel are restricted to those requests that match the host, port, and protocol of the channel’s Base URL. For channels with targets, the Base URL implicitly includes the host, port, and protocol of the target in addition to any path that is entered in the Base URL field. For example, if the channel's Base URL is http://www.yahoo.com/images, the channel will allow access to http://www.yahoo.com/images/image1.gif or http://www.yahoo.com/images/USA/index.html. However, resources such as http://www.yahoo.com/html/index.html, https://maps.yahoo.com, and http://maps.google.com cannot be accessed through the channel. |
private | URLs accessed in the proxied channel are restricted to those requests that meet one of the following two conditions: For example, if the channel's Full URL Path is http://www.yahoo.com, the channel will allow navigation to http://www.yahoo.com or http://127.0.0.1, but not http://www.google.com. |
domain | URLs accessed in the proxied channel are restricted to those requests that match the domain listed in the Full URL Path of the channel. For example, if the channel's Full URL Path is http://www.yahoo.com, the channel will allow navigation to http://images.yahoo.com or https://maps.yahoo.com, but not http://maps.google.com. |
host | URLs accessed in the proxied channel are restricted to those requests that match the server listed in the Full URL Path of the channel. For example, if the channel's Full URL Path is http://www.yahoo.com, the channel will allow navigation to http://www.yahoo.com, https://www.yahoo.com, or http://www.yahoo.com:1234, but not http://maps.yahoo.com or http://maps.google.com. |
allowall | There is no restriction of what URLs can be accessed through this proxied channel. However, restrictions can be applied through enPortal security controls to manage which users have permission to view the channel. |
denyall | The channel is disabled from accessing any URL. This option is typically used in conjunction with custom allow rules defined in runtime CRS files. |
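To compare how far each option reaches before assigning it to a channel, the following added example (not enPortal code) models the documented rules in Python so they can be checked against the examples in the table. The names `allowed`, `_parts` and `_domain` are hypothetical; public and private are left out because their conditions are not listed on this page, and the two-label domain rule and segment-boundary path matching are assumptions.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def _parts(url):
    """Return (scheme, host, port, path) with the default port filled in."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    host = (u.hostname or "").lower()
    return scheme, host, u.port or DEFAULT_PORTS.get(scheme), u.path or "/"

def _domain(host):
    # Assumption: "domain" means the last two DNS labels (yahoo.com).
    # That is wrong for suffixes such as co.uk; the page does not define it.
    return ".".join(host.split(".")[-2:])

def allowed(option, channel_url, request_url, base_url=None, default="application"):
    """Model of the documented options; `default` mirrors crs.accesscontrol.default."""
    if option == "default":
        option = default
    if option == "allowall":
        return True
    if option == "denyall":
        return False  # custom CRS allow rules are outside this model
    c_scheme, c_host, c_port, _ = _parts(channel_url)
    r_scheme, r_host, r_port, r_path = _parts(request_url)
    if option == "application":
        return (r_scheme, r_host, r_port) == (c_scheme, c_host, c_port)
    if option == "host":
        return r_host == c_host
    if option == "domain":
        return _domain(r_host) == _domain(c_host)
    if option == "baseurl":
        b_scheme, b_host, b_port, b_path = _parts(base_url or channel_url)
        if (r_scheme, r_host, r_port) != (b_scheme, b_host, b_port):
            return False
        # Assumption: the path must match on a segment boundary, so /images
        # covers /images/a.gif but not /images-old/a.gif.
        prefix = b_path.rstrip("/")
        return r_path == prefix or r_path.startswith(prefix + "/")
    raise ValueError(f"option not modelled: {option}")
```

In this model host and domain ignore protocol and port, so both reach further than application; that difference matters when other services share the same server or domain as the channel target.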