Oracle B12255-01 User Manual

Oracle HTTP Server Administrator’s Guide
Authentication and Authorization Enforcement
Oracle HTTP Server provides user authentication and authorization at two stages:
Host-based access control (stage one): This is based on the details of the incoming HTTP request and its headers, such as IP addresses or host names.
User authentication and authorization (stage two): This is based on different criteria depending on the HTTP server configuration. The server can be configured to authenticate users with user name and password pairs that are checked against a list of known users and passwords.
Host-based Access Control
Early in the request processing cycle, access control is applied, which can inhibit further processing based on the host name, IP address, or other characteristics such as browser type. You use the deny, allow, and order directives to set this type of access control. These restrictions are configured with Oracle HTTP Server configuration directives and can be based on particular files, directories, or URL formats using the <Files>, <Directory>, and <Location> container directives, as shown in Example 8–1:
Example 8–1 Host-based Access Control
<Directory /internalonly/>
  # Deny rules are evaluated first, then allow rules (the argument is one word, no space after the comma)
  order deny,allow
  # Start from a closed policy: every client is denied...
  deny from all
  # ...then re-open access for the 192.168.1.* range and hosts in us.oracle.com
  allow from 192.168.1 us.oracle.com
</Directory>
In Example 8–1, the order directive determines the order in which Oracle HTTP Server evaluates the conditions of the deny and allow directives. The deny directive ensures that all requests are denied access. Then, using the allow directive, requests originating from any IP address in the 192.168.1.* range, or from a host in the domain us.oracle.com, are allowed access to files in the directory /internalonly/. It is common practice to specify both allow and deny in host-based authentication to make the access policy explicit.
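The evaluation order described above is the part of this policy most often misread, so the following added example (not code from the Oracle guide) models the deny,allow and allow,deny semantics and checks the Example 8–1 policy against sample clients. It assumes the reverse-DNS host name is supplied by the caller; in the server it comes from the HostnameLookups mechanism.

```python
"""Model Order/Deny/Allow host-based access control as used in Example 8-1.

Added illustration, not Oracle's code. The client's reverse-DNS name is passed in
explicitly (an assumption; the server resolves it itself).
"""
import ipaddress

# Constructed sample: the directive lines of Example 8-1.
EXAMPLE_8_1 = """
order deny,allow
deny from all
allow from 192.168.1 us.oracle.com
"""

def parse_policy(text):
    """Return (order, deny_rules, allow_rules) from the lines of a container directive."""
    order, deny, allow = "deny,allow", [], []  # deny,allow is the server default
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        key = parts[0].lower()
        if key == "order":
            order = parts[1].lower()
        elif key in ("deny", "allow") and parts[1].lower() == "from":
            (deny if key == "deny" else allow).extend(p.lower() for p in parts[2:])
    return order, deny, allow

def _matches(rule, ip, host):
    """True if one deny/allow argument matches the client IP or host name."""
    if rule == "all":
        return True
    if rule[0].isdigit():
        if "/" in rule:  # CIDR form such as 192.168.1.0/24
            return ipaddress.ip_address(ip) in ipaddress.ip_network(rule, strict=False)
        return ip == rule or ip.startswith(rule.rstrip(".") + ".")  # partial IP: 192.168.1
    # Domain rule: the host itself or any host beneath it
    return host is not None and (host == rule or host.endswith("." + rule))

def is_allowed(policy, ip, host=None):
    """Apply the policy: deny,allow defaults to allowed, allow,deny defaults to denied."""
    order, deny, allow = policy
    host = host.lower() if host else None
    denied = any(_matches(r, ip, host) for r in deny)
    allowed = any(_matches(r, ip, host) for r in allow)
    if order == "deny,allow":  # deny evaluated first; a later allow match wins
        return allowed or not denied
    if order == "allow,deny":  # allow evaluated first; a later deny match wins
        return allowed and not denied
    raise ValueError("unsupported order: " + order)
```

With the same three rules under order allow,deny, the deny from all is evaluated last and wins, so every client is refused; the function shows that reversal directly.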