Enportal/5.4/admin/user administration/content creation/generic proxy access control

Revision as of 15:17, 19 December 2013 by imported>Jason.nicholls (1 revision)



The Access Control setting in the enPortal Channel Builder gives the administrator control over what resources can be accessed through a given channel. This appendix details the options and usage for this setting.


Purpose of Access Control


To properly establish access controls for channels, it is important to first understand the purpose of the channel and the requirements for any restrictions you will need to apply. You can then apply the appropriate restriction by use of the Access Control option in the Channel Editor.
The URL that is defined for a channel allows the portal administrator to specify precisely what resource should be loaded in the channel when the channel is presented to a portal user. However, the nature of Web content is that within a channel there may be links and other actions through which the user can access other Web resources.
There are times when the administrator would like to give the user full flexibility to navigate to a variety of URLs within a channel. However, there are also times when the administrator needs to guarantee that only certain resources can be accessed in the channel. An example would be a channel that is designed to display certain sensitive information only from a particular server. Within a proxied application in that channel, there may be a link to other sensitive content on another server which you do not want to be displayed to the user. One way to ensure that the user in the channel is restricted to viewing only content on the permitted server is with the Access Control option in the Channel Editor.

Warning: enPortal users who have permission to edit a channel or create a channel can make changes to the Access Control settings. Before granting these privileges to a user, it is important to consider the potential repercussions of any changes they could make to the channel’s Access Control.


Default Settings


Out of the box, enPortal limits each channel’s access to Web resources to the protocol, host, and port that the channel is configured to use. Initially, each channel’s Access Control property is set to default, which is the recommended setting for most channels.

The definition of the default access control setting is configurable. The default option reads a setting called crs.accesscontrol.default in the PORTAL_HOME/config/crs.properties file. This setting selects which of the access control options is applied to any channel set to default. When the portal is first installed, the initial setting in the file is: crs.accesscontrol.default=application.
You can customize this configuration by copying and updating the above line from PORTAL_HOME/config/crs.properties to PORTAL_HOME/config/custom.properties. If most or all of your channels will use the same Access Control option, one approach is to set them all to default and then define that option in the custom.properties file. The advantage of this approach is that if the Access Control setting for all of these channels later needs to be changed, you would only need to update the single setting in the properties file. The Configuration of Access Control section below describes the access control settings in detail.


Configuration of Access Control


Perform the following steps to assign Access Control to a channel:

  1. Create a channel
  2. On the Channel Editor screen, click on the Access Control drop-down and select the appropriate option.


The table below describes the available Access Control options.

Access Control Option: Description

default: Restriction of URLs accessed in this proxied channel is defined by a global setting in a system properties file.

For more information on this option, see Default Settings above.

application: URLs accessed in the proxied channel are restricted to those requests that match the host, port, and protocol of the channel’s Full URL Path.

For example, if the channel's target is http://www.yahoo.com, the channel will allow access only to www.yahoo.com using http through port 80. Resources such as https://maps.yahoo.com and http://www.yahoo.com:1234 cannot be accessed through the channel.

public: URLs accessed in the proxied channel are restricted to those requests that meet one of the following two conditions:
  1. The host, port, and protocol of the requested resource match those in the Full URL Path of the channel.
  2. The requested resource is not part of a private network from the standpoint of the requestor (as defined under the private option below).

For example, if the channel's Full URL Path is http://www.yahoo.com, the channel will allow navigation to http://www.yahoo.com or http://www.google.com, but not http://127.0.0.1.

baseurl: URLs accessed in the proxied channel are restricted to those requests that match the host, port, and protocol of the channel’s Base URL.

Note: For channels with targets, the Base URL implicitly includes the host, port, and protocol of the target in addition to any path that is entered in the Base URL field. For example, if the channel's Base URL is http://www.yahoo.com/images, the channel will allow access to http://www.yahoo.com/images/image1.gif or http://www.yahoo.com/images/USA/index.html. However, resources such as http://www.yahoo.com/html/index.html, https://maps.yahoo.com, and http://maps.google.com cannot be accessed through the channel.

private: URLs accessed in the proxied channel are restricted to those requests that meet one of the following two conditions:
  1. The host, port, and protocol of the requested resource match those in the Full URL Path of the channel.
  2. The requested resource is part of a private network from the standpoint of the requestor. The private netmasks are configurable, but by default are defined as any of the following: 10.0.0.0/255.0.0.0, 192.168.0.0/255.255.0.0, 172.16.0.0/255.240.0.0, or 127.0.0.0/255.255.255.0. You can customize these configurations by copying one or more of the crs.accesscontrol.network.private settings from PORTAL_HOME/config/crs.properties to PORTAL_HOME/config/custom.properties.

For example, if the channel's Full URL Path is http://www.yahoo.com, the channel will allow navigation to http://www.yahoo.com or http://127.0.0.1, but not http://www.google.com.

domain: URLs accessed in the proxied channel are restricted to those requests that match the domain listed in the Full URL Path of the channel.

For example, if the channel's Full URL Path is http://www.yahoo.com, the channel will allow navigation to http://images.yahoo.com or https://maps.yahoo.com, but not http://maps.google.com.

host: URLs accessed in the proxied channel are restricted to those requests that match the server listed in the Full URL Path of the channel.

For example, if the channel's Full URL Path is http://www.yahoo.com, the channel will allow navigation to http://www.yahoo.com, https://www.yahoo.com, or http://www.yahoo.com:1234, but not http://maps.yahoo.com or http://maps.google.com.

allowall: There is no restriction of what URLs can be accessed through this proxied channel. However, restrictions can be applied through enPortal security controls to manage which users have permission to view the channel.

denyall: The channel is disabled from accessing any URL. This option is typically used in conjunction with custom allow rules defined in runtime CRS files.


Tip: The options listed in the table above will handle the access control needs of most channels. If specific controls are needed that cannot be handled by one of the standard options, you can accomplish this by configuring the necessary controls in an XML file to be applied as a runtime CRS file to the appropriate channel(s).
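
The rules in the table above can be modelled as a decision function, so that a planned setting can be checked against the URLs a channel must and must not reach before it is assigned. This is an added example, not enPortal code. The names allowed, base_url, default_mode and resolve, the last-two-labels domain rule, the whole-segment path match for baseurl, failing closed on unresolved host names, and the constructed SAMPLE_DNS mapping are all assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

# Default private networks as listed on this page (address/netmask form).
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/255.0.0.0", "192.168.0.0/255.255.0.0",
    "172.16.0.0/255.240.0.0", "127.0.0.0/255.255.255.0")]
SAMPLE_DNS = {"www.google.com": "203.0.113.10"}  # constructed name-to-address map

def _parts(url):
    """(scheme, host, port, path), with the scheme's default port filled in."""
    u = urlsplit(url)
    port = u.port or {"http": 80, "https": 443}.get(u.scheme.lower())
    return u.scheme.lower(), (u.hostname or "").lower(), port, u.path or "/"

def _is_private(host, resolve):
    """True/False for an IP literal or a name in `resolve`; None if unknown."""
    try:
        addr = ipaddress.ip_address(resolve.get(host, host))
    except ValueError:
        return None  # unresolved name: callers fail closed
    return any(addr in net for net in PRIVATE_NETS)

def allowed(mode, channel_url, requested_url, base_url=None,
            default_mode="application", resolve=None):
    """Model of the table's rules; not enPortal's own implementation."""
    if mode == "default":  # value of crs.accesscontrol.default
        mode = default_mode
    chan, req = _parts(channel_url), _parts(requested_url)
    same = chan[:3] == req[:3]  # protocol, host and port all match
    if mode in ("allowall", "denyall"):
        return mode == "allowall"
    if mode == "application":
        return same
    if mode == "host":
        return req[1] == chan[1]
    if mode == "domain":
        dom = ".".join(chan[1].split(".")[-2:])  # assumption: last two labels
        return req[1] == dom or req[1].endswith("." + dom)  # label boundary
    if mode == "baseurl":
        base = _parts(base_url or channel_url)
        prefix = base[3].rstrip("/") + "/"  # match whole path segments
        return base[:3] == req[:3] and (req[3] + "/").startswith(prefix)
    priv = _is_private(req[1], resolve or {})
    if mode == "public":
        return same or priv is False
    if mode == "private":
        return same or priv is True
    raise ValueError(f"unknown access control mode: {mode}")
```

Running the page's own example URLs through allowed() reproduces the outcomes in the table. The domain and baseurl branches compare on label and path-segment boundaries, so a host such as evilyahoo.com or a path such as /imagesX does not pass as a match.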