iPlanet request-processing
Transcript of iPlanet request-processing
ZeroProductionIncidents.wordpress.com
Topics Covered
• Basic Concepts
– Directives
– Templates
– Server Variables
• Request Processing Stages
– AuthTrans
– NameTrans
– PathCheck
– ObjectType
– Input
– Output
– Route
– Service
– AddLog
– Error
• Summary
• Default obj.conf file
Directives
A directive is a statement that defines a setting within the Web Server. Directives invoke Server Application Functions (SAFs) at the various request-processing stages.
Format of a directive:
<Directive> fn="<function-name>" name1="value1" ... nameN="valueN"
where
– <Directive> is one of the request-processing stages (AuthTrans, NameTrans, PathCheck, ...).
– <function-name> is the name of the SAF, either built in or loaded with the load-modules function in magnus.conf.
– name1 ... nameN are the parameters passed to the function.
The order in which directives appear within a stage matters: the server executes them in sequence, and a directive that succeeds (or aborts the request) ends processing of that stage, so the directives after it are not reached.
Templates
• Directives can be grouped together to form templates (objects, the <Object> blocks in obj.conf).
• Templates allow directives to be applied conditionally, only to the requests that match the object.
• The order in which templates appear is not important.
• There is always one template named "default".
– The directives in the default object are used to process every request.
– The directives for standard request processing are placed in the default template at installation.
– The server will start without a default template, but it will not process requests: the default template is mandatory for request processing.
Server Variables
• Web Server variable names begin with a dollar sign ($) followed by a letter (upper or lower case); subsequent characters can be any combination of letters, digits and underscores (_).
• Server variables can be:
– predefined variables
– defined at request time through the set-variable SAF
– virtual-server-specific variables defined at the <virtual-server> level
– server variables defined at the <server> level
Request Processing Stages
• The Web Server has predefined stages for the entire request-handling process.
• Related functions are grouped together to perform the tasks of each stage.
• The server may call many functions to perform the work of request processing.
• There may be zero or more directives within each stage.
[Diagram: the request passes through the stages AuthTrans → NameTrans → PathCheck → ObjectType → Input → Output → Route → Service → AddLog → Error]
AuthTrans stage
Available info from previous phases: none (this is the first stage)
Input: authorization info in the request HTTP header
Output: status of user authentication (if the header is present), user details
Comments:
• AuthTrans stands for Authorization Translation.
• Gets the user identity from the HTTP header information.
• Validates the authenticity of the user credentials, i.e. checks whether the username and password associated with the request are acceptable.
• This phase does not allow or deny any request.
• When a request arrives, the AuthTrans stage checks whether the Authorization HTTP header exists; if it does, the stage validates the authenticity of the user's credentials.
• If more than one AuthTrans directive is defined for the object, the Web Server processes each directive in sequential order until one succeeds in authenticating the user. As soon as a match occurs, processing within the stage is complete and the subsequent AuthTrans directives are ignored.
basic-auth: calls a custom function to verify the authorization information sent by the client. Example:
AuthTrans fn=basic-auth auth-type=basic userfn=hardcoded_auth
The user-defined function hardcoded_auth is used to verify the user credentials.
basic-ncsa: verifies the authorization information sent by the client against a database. Example:
AuthTrans fn=basic-ncsa auth-type=basic dbm=/netscape/server4/userdb/rs
get-sslid: retrieves a string that is unique to the current SSL session and stores it as the ssl-id variable in the Session->client parameter block.
qos-handler: examines the current quality-of-service statistics for the virtual server, virtual server class and global server, logs the statistics, and enforces the QoS parameters by returning an error when they are exceeded.
NameTrans stage
Available info from previous phases: status of user authentication
Input: request URI
Output: the corresponding file or directory on the operating system
Comments:
• NameTrans stands for Name Translation.
• To the operating system, resources are files and directories, so the Web Server must convert the request URI to a file or directory path.
• NameTrans directives translate virtual URLs to physical directories/files on the Web Server.
assign-name: specifies the name of an object in obj.conf that matches the current request. The server then processes the directives in the named object in preference to the ones in the default object. Example:
NameTrans fn=assign-name name=myapp from=/zeroproductionincidents...
<Object name=myapp>
...additional directives...
</Object>
After processing this NameTrans directive, the server looks for an object named myapp in obj.conf and processes the directives in that object.
document-root: specifies the root document directory for the server. Example:
NameTrans fn=document-root root=/usr/netscape/server4/docs
home-page: specifies the home page for the server. Whenever a client requests the server's home page (/), it gets the document specified. Example:
NameTrans fn="home-page" path="homepage.html"
pfx2dir: replaces a directory prefix in the requested URL with a real directory name. It also optionally lets you specify the name of an object that matches the current request. Example:
NameTrans fn="pfx2dir" from="/images/banner" dir="/homepage/defaultimages" name="myimages"
A request for servername/images/banner/logo.gif is translated to the file /homepage/defaultimages/logo.gif, and the server also processes the directives in the object named myimages.
redirect: lets you change URLs and send the updated URL to the client. Example:
NameTrans fn="redirect" from="/" url-prefix="http://newserver"
Any request for http://server-name/resource is translated into a request for http://newserver/resource.
unix-home: translates user names (typically of the form ~username) into the user's home directory on the server's Unix machine. Example:
NameTrans fn="unix-home" from="/~" subdir="public_html"
A request for servername/~username/file is translated to the file "file" within the subdirectory public_html of that user's home directory.
PathCheck stage
Available info from previous phases: status of user authentication; the OS file/directory derived from the request URI
Input: OS file/directory path
Output: the validated path, or an error status if a check fails
Comments: PathCheck directives perform the following tasks on the resulting path:
• Clean up dangerous path elements such as ./, ../ and //, which could otherwise be used to reach files outside the intended directory.
• Determine whether the requested resource is a web application or a directory in the file system, and verify that it exists.
• Access-control processing, to determine whether the user is allowed to access the requested resource.
check-acl:
• specifies an Access Control List (ACL) to use to check whether the client is allowed to access the requested resource.
• An access control list contains information about who is or is not allowed to access a resource, and under what conditions access is allowed.
• You can also specify under what conditions (e.g. client IP address, day of week, or authentication method) access is granted.
• Regardless of the order of PathCheck directives in the object, check-acl functions are executed first. They cause user authentication to be performed, if required by the specified ACL, and also update the access-control state.
Example:
PathCheck fn="check-acl" acl="default"
The ACL named default is applied to the requests; the path of the ACL file is specified in server.xml.
check-acl (continued):
• If an ACL specifies access based on a particular user or group and the user is not known (i.e. has not authenticated), the Web Server responds to the client with status 401 (Unauthorized) and completes processing of the request.
• This status tells the browser to open a dialog box prompting the user for a username and password.
• The browser resends the request for the original URL together with the credentials, and the Web Server validates them in the AuthTrans stage.
• If access is denied, the server switches to executing the directives in the Error stage, where status 403 (Forbidden) is returned to the client.
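The AuthTrans/check-acl interplay described on the AuthTrans and check-acl slides above (basic-auth calling a userfn, several AuthTrans directives tried in order until one succeeds, and check-acl answering 401 when no identity was established or 403 when the identity is not allowed), as an added Python simulation. This is example code written for this page, not iPlanet server code: the user table, the userfn names unreachable_directory and hardcoded_auth, the ACL contents, the request record and the result strings "proceed"/"noaction"/"abort" (standing in for the server's internal result codes) are all constructed for the example.

```python
import base64

# Constructed user table behind the hypothetical userfn "hardcoded_auth".
USERS = {"alice": "s3cret", "bob": "hunter2"}


def hardcoded_auth(user, password):
    """Hypothetical userfn named in 'AuthTrans fn=basic-auth ... userfn=hardcoded_auth'."""
    return USERS.get(user) == password


def unreachable_directory(user, password):
    """Constructed stand-in for a first AuthTrans directive that never authenticates
    (e.g. a directory lookup that always fails); shows that the stage moves on."""
    return False


def basic_auth(rq, userfn):
    """Model of the basic-auth SAF: decode the Authorization header and call userfn.
    On success it only records the identity (auth-user); it never denies the request."""
    scheme, _, blob = rq["headers"].get("authorization", "").partition(" ")
    if scheme.lower() != "basic":
        return "noaction"
    try:
        user, _, password = base64.b64decode(blob).decode("utf-8").partition(":")
    except (ValueError, UnicodeDecodeError):   # malformed header: treated as no credentials
        return "noaction"
    if userfn(user, password):
        rq["vars"]["auth-user"] = user
        return "proceed"
    return "noaction"   # wrong password: no identity is set, but the request continues


def check_acl(rq, acl):
    """Model of the check-acl SAF, the first PathCheck directive to run and the only
    place a request is allowed or denied. acl is a constructed dict: {"realm", "allow"}."""
    user = rq["vars"].get("auth-user")
    if user is None:                       # ACL names users but nobody authenticated
        rq["status"] = 401
        rq["headers_out"]["WWW-Authenticate"] = 'Basic realm="%s"' % acl["realm"]
        return "abort"
    if user in acl["allow"]:
        return "proceed"
    rq["status"] = 403                     # the Error stage would send Forbidden
    return "abort"


# Constructed ACL standing in for acl="default": only alice may read the resource.
ACL_DEFAULT = {"realm": "private", "allow": {"alice"}}

# Stands in for two obj.conf lines, processed in this order:
#   AuthTrans fn=basic-auth auth-type=basic userfn=unreachable_directory
#   AuthTrans fn=basic-auth auth-type=basic userfn=hardcoded_auth
AUTHTRANS_USERFNS = (unreachable_directory, hardcoded_auth)


def handle(uri, authorization=None):
    """Run the AuthTrans stage and then check-acl for one request; returns the request record."""
    rq = {"uri": uri, "headers": {}, "headers_out": {}, "vars": {}, "status": 200, "body": None}
    if authorization is not None:
        rq["headers"]["authorization"] = authorization
    for userfn in AUTHTRANS_USERFNS:       # sequential until one succeeds; the rest are skipped
        if basic_auth(rq, userfn) == "proceed":
            break
    if check_acl(rq, ACL_DEFAULT) == "abort":
        return rq
    rq["body"] = "served %s to %s" % (uri, rq["vars"]["auth-user"])   # Service stage would run here
    return rq


def basic_header(user, password):
    """Build the Authorization header a browser sends after the 401 challenge."""
    return "Basic " + base64.b64encode(("%s:%s" % (user, password)).encode("utf-8")).decode("ascii")


if __name__ == "__main__":
    for hdr in (None, basic_header("alice", "wrong"), basic_header("bob", "hunter2"),
                basic_header("alice", "s3cret")):
        r = handle("/private/report", hdr)
        print(r["status"], r["headers_out"], r["body"])
```

The point to notice is that a wrong password and a missing header end the same way: basic-auth records nothing, and it is check-acl, not AuthTrans, that turns the absent identity into the 401 challenge. The 403 only appears once an identity exists and the ACL rejects it.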
deny-existence: sends a "not found" response when a client tries to access a specified path. The server sends "not found" instead of "forbidden", so the user cannot tell whether the path exists or not. Example:
PathCheck fn=deny-existence path=/mysite/docs/private
find-index: checks whether the requested path is a directory. If it is, the function searches the directory for an index file and changes the path to point to it. If no index file is found, the server generates a directory listing (if directory listing is turned on). Example:
PathCheck fn=find-index index-names=index.html,home.html
find-links: searches the current path for symbolic or hard links to other directories or file systems. If any are found, an error is returned. The disable parameter lists the link types to disallow:
h disables hard links
s disables soft (symbolic) links
o allows symbolic links from user home directories only if the user owns the target of the link
Example:
PathCheck fn=find-links disable=sh dir=/foreign-dir
find-pathinfo: finds any extra path information after the file name in the URL and stores it for use in the CGI environment variable PATH_INFO. Example:
PathCheck fn=find-pathinfo
get-client-cert: gets the authenticated client certificate from the SSL3 session. It can apply to all HTTP methods, or only to those that match a specified pattern. It only works when SSL is enabled on the server. Example:
PathCheck fn="get-client-cert" dorequest="1"
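The directive and <Object> syntax from the Directives and Templates slides, together with the NameTrans and PathCheck SAFs above (pfx2dir, assign-name, document-root, uri-clean, deny-existence, find-index), as an added Python model: a small parser for obj.conf-style text followed by a simulation of the two stages. This is example code written for this page, not iPlanet code. The obj.conf fragment, the file tree, the request URIs and the 403 chosen for a rejected uri-clean are constructed assumptions, and the model runs the default object's directives first and then each selected object's, which simplifies the server's object handling.

```python
import fnmatch
import re
import shlex

# Constructed obj.conf fragment (not the deck's default obj.conf) exercising the SAFs above.
OBJ_CONF = """
<Object name="default">
NameTrans fn="pfx2dir" from="/images" dir="/srv/static/images" name="static"
NameTrans fn="assign-name" name="app" from="/app/*"
NameTrans fn="document-root" root="/srv/docs"
PathCheck fn="uri-clean"
PathCheck fn="deny-existence" path="/srv/docs/private"
PathCheck fn="find-index" index-names="index.html,home.html"
</Object>

<Object name="static">
PathCheck fn="find-index" index-names="index.html"
</Object>

<Object name="app">
Service fn="service-j2ee" method="*"
</Object>
"""

# Constructed file tree; a trailing "/" marks a directory.
FILES = {
    "/srv/docs/", "/srv/docs/home.html", "/srv/docs/private/", "/srv/docs/private/x.txt",
    "/srv/static/images/", "/srv/static/images/index.html", "/srv/static/images/logo.gif",
}


def parse_obj_conf(text):
    """Parse '<Directive> fn="name" param="value" ...' lines grouped in <Object> blocks.
    Returns {object name: [(stage, {param: value}), ...]} in file order."""
    objects, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        start = re.match(r'<Object\s+name="?([^">]+)"?>$', line)
        if start:
            current = objects.setdefault(start.group(1), [])
        elif line == "</Object>":
            current = None
        elif current is None:
            raise ValueError("directive outside an <Object> block: " + line)
        else:
            stage, *params = shlex.split(line)        # shlex strips the quotes around values
            current.append((stage, dict(p.split("=", 1) for p in params)))
    return objects


def name_trans(rq, objects):
    """NameTrans stage: the default object's directives run in order until one maps the URI.
    assign-name only selects an extra object, so the stage continues after it."""
    uri = rq["uri"]
    for stage, p in objects["default"]:
        if stage != "NameTrans":
            continue
        if p["fn"] == "pfx2dir" and (uri == p["from"] or uri.startswith(p["from"] + "/")):
            rq["path"] = p["dir"] + uri[len(p["from"]):]
            rq["objects"].append(p["name"])
            return
        if p["fn"] == "assign-name" and fnmatch.fnmatchcase(uri, p["from"]):
            rq["objects"].append(p["name"])
        elif p["fn"] == "document-root":
            rq["path"] = (p["root"] + uri).rstrip("/")   # blind concatenation: PathCheck must vet it
            return


def path_check(rq, objects, files):
    """PathCheck stage over the default object's directives, then those of each selected
    object (a simplification of how the server merges objects)."""
    for name in list(rq["objects"]):
        for stage, p in objects.get(name, []):
            if stage != "PathCheck":
                continue
            if p["fn"] == "uri-clean":
                parts = rq["uri"].split("/")
                if any(s in (".", "..") for s in parts[1:]) or "" in parts[1:-1]:
                    rq["status"] = 403              # status chosen for the example
                    return
            elif p["fn"] == "deny-existence" and (
                    rq["path"] == p["path"] or rq["path"].startswith(p["path"] + "/")):
                rq["status"] = 404                  # "not found", never "forbidden"
                return
            elif p["fn"] == "find-index" and rq["path"] + "/" in files:
                for index in p["index-names"].split(","):
                    if rq["path"] + "/" + index in files:
                        rq["path"] += "/" + index
                        break


def handle(uri, objects=None, files=FILES):
    """Run NameTrans and PathCheck for one request URI and return the request record."""
    objects = objects if objects is not None else parse_obj_conf(OBJ_CONF)
    rq = {"uri": uri, "path": None, "objects": ["default"], "status": 200}
    name_trans(rq, objects)
    if rq["path"] is None:                          # no NameTrans directive mapped the URI
        rq["status"] = 404
        return rq
    path_check(rq, objects, files)
    return rq


if __name__ == "__main__":
    for uri in ("/", "/images", "/images/logo.gif", "/private/x.txt", "/../etc/passwd", "/app/login"):
        print(uri, "->", handle(uri))
```

Running it shows why the order inside a stage matters: document-root happily produces /srv/docs/../etc/passwd for the traversal request, and it is the uri-clean directive sitting first in PathCheck that rejects it before deny-existence or find-index ever look at the path; the request under /private comes back as 404 rather than 403, exactly as the deny-existence slide describes.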
Request Processing Stages - Summary
AuthTrans    Gets the user identity from the HTTP header information; validates the authenticity of the user credentials.
NameTrans    Translates the requested URI to a Web Server resource (file or directory).
PathCheck    Cleans up dangerous path elements, verifies that the resource exists and performs access control.
ObjectType   Determines the MIME type (content type) of the requested resource.
Input        Selects the input filters applied to the request body.
Output       Selects the output filters applied to the response.
Route        Routes the request to another (proxy) server where applicable.
Service      Generates the response and sends it to the client.
AddLog       Logs the transaction.
Error        Handles errors by sending the error response.
Default obj.conf file
<Object name="default">
AuthTrans fn="match-browser" browser="*MSIE*" ssl-unclean-shutdown="true"
NameTrans fn="ntrans-j2ee" name="j2ee"
NameTrans fn="pfx2dir" from="/mc-icons" dir="F:/Wissen-Public/Lab-Env/Servers/iPlanet/lib/icons" name="es-internal"
PathCheck fn="uri-clean"
PathCheck fn="check-acl" acl="default"
PathCheck fn="find-pathinfo"
PathCheck fn="find-index-j2ee"
PathCheck fn="find-index" index-names="index.html,home.html,index.jsp"
ObjectType fn="type-j2ee"
ObjectType fn="type-by-extension"
ObjectType fn="force-type" type="text/plain"
Service method="(GET|HEAD)" type="magnus-internal/directory" fn="index-common"
Service method="(GET|HEAD|POST)" type="*~magnus-internal/*" fn="send-file"
Service method="TRACE" fn="service-trace"
Error fn="error-j2ee"
AddLog fn="flex-log"
</Object>

<Object name="j2ee">
Service fn="service-j2ee" method="*"
</Object>

<Object name="es-internal">
PathCheck fn="check-acl" acl="es-internal"
</Object>

<Object name="cgi">
ObjectType fn="force-type" type="magnus-internal/cgi"
Service fn="send-cgi"
</Object>

<Object name="send-precompressed">
PathCheck fn="find-compressed"
</Object>

<Object name="compress-on-demand">
Output fn="insert-filter" filter="http-compression"
</Object>