ACCESS_CONTROL

The ACCESS_CONTROL element specifies the list of IP addresses that are allowed to access applications or services.

Syntax

<ACCESS_CONTROL> 
   [<ALLOW_FROM>...</ALLOW_FROM>][...]
</ACCESS_CONTROL>

Child elements

Usage

You use this element to specify which users have access to applications or services. By default, an application or a service is not accessible by anyone. Access must be granted explicitly with ALLOW_FROM elements.
<ACCESS_CONTROL> 
  <ALLOW_FROM>127.0.0.1</ALLOW_FROM>
  <ALLOW_FROM>10.</ALLOW_FROM>
  <ALLOW_FROM>192.168.</ALLOW_FROM>
  <ALLOW_FROM>fdbd:2768:c176:1::323a</ALLOW_FROM> 
</ACCESS_CONTROL>
In this example, an application or a service is reachable from localhost (127.0.0.1), from all IP addresses that begin with "192.168." or "10.", and from the IPv6 address "fdbd:2768:c176:1::323a".
Important: Depending on the network configuration, it is not always possible to get the actual client IP address. If there is a proxy server between the client and the server, for example, the client IP address seen by the GAS may be the address of the proxy server, and the ALLOW_FROM rules are then checked against that address.

Example configuring access control for demo applications

Access to the default deployment of the demo application is defined by the resource res.access.control, which is set to the value NOBODY to prevent unauthorized execution.
Note: Access control rules are ignored by the standalone dispatcher (httpdispatch).

To allow access from localhost, change the application element for demo in the GAS configuration file (default $FGLASDIR/etc/as.xcf) from:

<!--Sample application for GWC-->
<APPLICATION Id="demo" Parent="defaultwa">
  <EXECUTION>
    <ENVIRONMENT_VARIABLE Id="FGLPROFILE" Concat="APPEND">$(res.path.fgldir.demo.services)/fglprofile</ENVIRONMENT_VARIABLE>
    <!--ENVIRONMENT_VARIABLE Id="FGLWSDEBUG">3</ENVIRONMENT_VARIABLE-->
    <PATH>$(res.path.fgldir.demo)</PATH>
    <MODULE>demo.42m</MODULE>
    <ACCESS_CONTROL>
      <ALLOW_FROM>$(res.access.control)</ALLOW_FROM>
    </ACCESS_CONTROL>
  </EXECUTION>
</APPLICATION>
To:
<!--Sample application for GWC-->
<APPLICATION Id="demo" Parent="defaultwa">
  <EXECUTION>
    <ENVIRONMENT_VARIABLE Id="FGLPROFILE" Concat="APPEND">$(res.path.fgldir.demo.services)/fglprofile</ENVIRONMENT_VARIABLE>
    <!--ENVIRONMENT_VARIABLE Id="FGLWSDEBUG">3</ENVIRONMENT_VARIABLE-->
    <PATH>$(res.path.fgldir.demo)</PATH>
    <MODULE>demo.42m</MODULE>
    <ACCESS_CONTROL>
      <ALLOW_FROM>127.0.0.1</ALLOW_FROM>
    </ACCESS_CONTROL>
  </EXECUTION>
</APPLICATION>

Example configuring access control for Genero Identity Provider

Access to the Genero Identity Provider applications is specified by the resource res.gip.access.control. This is set with the value NOBODY by default.

To allow users to access the StarterApp for its initial launch, set res.gip.access.control to ALL in the GAS configuration file (default $FGLASDIR/etc/as.xcf):
<RESOURCE Id="res.gip.access.control" Source="INTERNAL">ALL</RESOURCE>

After setting up the GIP, remember to reset the resource back to NOBODY to restrict access and prevent users from running the StarterApp. In production, ensure that the resource is also set to NOBODY for the same reason.

For more details about methods to configure access for the StarterApp, refer to the Configure the GIP page in the Single Sign-On User Guide.
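
The following audit script is an added example, not part of the Genero documentation or tooling. It resolves $(resource) references in ALLOW_FROM values and reports which applications are left open with ALL, for instance after GIP setup. Assumptions: the configuration fragment is constructed, its SAMPLE wrapper element and the application Ids gip-sample and closed-sample are hypothetical, and settings inherited through the Parent attribute are not followed.

```python
import re
import xml.etree.ElementTree as ET

# Constructed fragment: the <SAMPLE> wrapper is hypothetical; only the RESOURCE,
# APPLICATION, ACCESS_CONTROL and ALLOW_FROM forms are taken from this page.
SAMPLE_XCF = """
<SAMPLE>
  <RESOURCE Id="res.access.control" Source="INTERNAL">NOBODY</RESOURCE>
  <RESOURCE Id="res.gip.access.control" Source="INTERNAL">ALL</RESOURCE>
  <APPLICATION Id="demo" Parent="defaultwa"><EXECUTION>
    <ACCESS_CONTROL>
      <ALLOW_FROM>127.0.0.1</ALLOW_FROM>
      <ALLOW_FROM>10.</ALLOW_FROM>
    </ACCESS_CONTROL>
  </EXECUTION></APPLICATION>
  <APPLICATION Id="gip-sample"><EXECUTION><ACCESS_CONTROL>
    <ALLOW_FROM>$(res.gip.access.control)</ALLOW_FROM>
  </ACCESS_CONTROL></EXECUTION></APPLICATION>
  <APPLICATION Id="closed-sample"><EXECUTION><ACCESS_CONTROL>
    <ALLOW_FROM>$(res.access.control)</ALLOW_FROM>
  </ACCESS_CONTROL></EXECUTION></APPLICATION>
</SAMPLE>
"""

def audit_access_control(xcf_text):
    """Return {application Id: (status, resolved ALLOW_FROM values)}."""
    root = ET.fromstring(xcf_text)
    resources = {r.get("Id"): (r.text or "").strip() for r in root.iter("RESOURCE")}

    def expand(value):  # substitute $(resource.id) with the RESOURCE text
        return re.sub(r"\$\(([^)]+)\)",
                      lambda m: resources.get(m.group(1), m.group(0)), value)

    report = {}
    for app in root.iter("APPLICATION"):
        values = [expand((a.text or "").strip()) for a in app.iter("ALLOW_FROM")]
        allowed = [v for v in values if v and v != "NOBODY"]
        if "ALL" in allowed:
            status = "OPEN"        # reachable from any address
        elif not allowed:
            status = "CLOSED"      # nobody is allowed, as by default
        else:
            status = "RESTRICTED"  # only the listed addresses and prefixes
        report[app.get("Id")] = (status, values)
    return report

if __name__ == "__main__":
    for app_id, (status, values) in audit_access_control(SAMPLE_XCF).items():
        print(f"{app_id:15} {status:11} {', '.join(values)}")
```

Any application reported as OPEN on a production server is a finding to review.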

Parent elements

This element is a child of one of the following elements: