ACCESS_CONTROL

The ACCESS_CONTROL element specifies the list of IP addresses allowed to access applications or services.

Access can be globally denied or allowed with the keywords NOBODY and ALL.

By default, an application or a service is not accessible by anyone. It needs to be explicitly configured with the ALLOW_FROM element.

Syntax

<ACCESS_CONTROL> 
 [<ALLOW_FROM>["NOBODY|ALL|ip_address"]</ALLOW_FROM>][...]
</ACCESS_CONTROL>

The ip_address is a valid IPv4 or IPv6 address. For IPv4, it can be a complete IP address or a network address (ending with a dot).

Important: Depending on the network configuration, it is not always possible to get the actual client IP address. If there is a proxy server between the client and the server, for example, the client IP address seen by the GAS may be the address of the proxy server.

Child elements

Example

<ACCESS_CONTROL> 
  <ALLOW_FROM>127.0.0.1</ALLOW_FROM>
  <ALLOW_FROM>10.</ALLOW_FROM>
  <ALLOW_FROM>192.168.</ALLOW_FROM>
  <ALLOW_FROM>fdbd:2768:c176:1::323a</ALLOW_FROM> 
</ACCESS_CONTROL>

In this example, an application or a service is reachable from the localhost (127.0.0.1), from all IP addresses that begin with "192.168." or "10.", and from the IPv6 address fdbd:2768:c176:1::323a. The consecutive colons ( :: ) notation in "fdbd:2768:c176:1::323a" shows an example of a collapsed IPv6 address, where the colons represent four successive 16-bit blocks that contain zeros.
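
The matching rules described above, as an added Python example (not Genero code and not part of the original documentation): it evaluates ALLOW_FROM values against the address the GAS sees and flags rules that admit a proxy address, which is the case the Important note warns about. Assumptions: IPv6 values are compared as parsed addresses, any single matching rule grants access, and the proxy_ips parameter is a hypothetical input supplied by the reviewer.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample input: the ACCESS_CONTROL block from the example above.
SAMPLE = """<ACCESS_CONTROL>
  <ALLOW_FROM>127.0.0.1</ALLOW_FROM>
  <ALLOW_FROM>10.</ALLOW_FROM>
  <ALLOW_FROM>192.168.</ALLOW_FROM>
  <ALLOW_FROM>fdbd:2768:c176:1::323a</ALLOW_FROM>
</ACCESS_CONTROL>"""


def load_rules(xml_text):
    """Return the trimmed value of every ALLOW_FROM element."""
    root = ET.fromstring(xml_text)
    return [(e.text or "").strip() for e in root.iter("ALLOW_FROM")]


def rule_matches(rule, client):
    """True if a single ALLOW_FROM value admits the client address."""
    if rule == "ALL":
        return True
    if rule.endswith("."):
        # IPv4 network address: the trailing dot keeps "10." from matching 100.x.x.x
        return client.version == 4 and str(client).startswith(rule)
    try:
        # Assumption: compare parsed addresses, so collapsed and expanded IPv6 are equal.
        return ipaddress.ip_address(rule) == client
    except ValueError:
        return False  # NOBODY, empty or unparsable values admit no one


def is_allowed(rules, seen_ip):
    """Default deny: access requires at least one matching ALLOW_FROM."""
    client = ipaddress.ip_address(seen_ip)
    return any(rule_matches(rule, client) for rule in rules)


def audit(rules, proxy_ips=()):
    """List rules a reviewer should question; proxy_ips is a hypothetical input."""
    findings = [f"{r}: open to every address" for r in rules if r == "ALL"]
    for proxy in proxy_ips:
        hits = [r for r in rules if rule_matches(r, ipaddress.ip_address(proxy))]
        findings += [f"{r}: admits proxy {proxy}, so all clients behind it" for r in hits]
    return findings
```

Pass audit() the addresses of any Web server or proxy that forwards requests to the GAS: a rule that admits one of them effectively admits every client that proxy serves.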

Example configuring access control for demo applications

The default deployment of the demo application is specified by the resource res.access.control, which is defined with the value NOBODY by default.

Note: Access control rules will be ignored by the standalone dispatcher (httpdispatch).
Important: The standalone GAS is for development only, provided to simplify your development setup and configuration. For deployment and production systems, you must include a Web server.

To allow access from the localhost, in the GAS configuration file (default FGLASDIR/etc/as.xcf) you need to change the application element for gwc-demo from:

<!--Sample application for GWC-->
<APPLICATION Id="gwc-demo" Parent="defaultgwc">
    <EXECUTION>
      <PATH>$(res.path.fgldir.demo)</PATH>
      <MODULE>demo.42r</MODULE>
      <ACCESS_CONTROL>
          <ALLOW_FROM>$(res.access.control)</ALLOW_FROM>
      </ACCESS_CONTROL>
    </EXECUTION>
</APPLICATION>

To:

<!--Sample application for GWC-->
<APPLICATION Id="gwc-demo" Parent="defaultgwc">
    <EXECUTION>
      <PATH>$(res.path.fgldir.demo)</PATH>
      <MODULE>demo.42r</MODULE>
      <ACCESS_CONTROL>
         <ALLOW_FROM>127.0.0.1</ALLOW_FROM>
      </ACCESS_CONTROL>
    </EXECUTION>
</APPLICATION>

Parent elements

This element is a child of one of the following elements: