Oracle B12255-01 User Manual

Authentication and Authorization Enforcement
Managing Security
Controlling Access by Domain Name
Domain name-based access control can be used with IP address-based access control to solve the problem of IP addresses changing without warning. When you combine these methods, if an IP address changes, then the secure areas of your site are still protected because the domain names you want to keep out will still be denied access.
To combine domain name-based with IP address-based access control, use the syntax shown in Example 8–4:
Example 8–4 Controlling Access by Domain Name
<Directory /co_backgr/>
  order allow,deny
  allow from all
  # 141.217.24 is a partial IP address: it matches every host in
  # 141.217.24.*, the range used by malicious.cracker.com
  deny from malicious.cracker.com 141.217.24
</Directory>
In Example 8–4, all requests for directory /co_backgr/ are accepted except those that originate from the domain name malicious.cracker.com or the IP address range 141.217.24.*. Although this is not a foolproof precaution against domain name or IP address spoofing, it protects your site from malicious.cracker.com even if they change their IP address.
Controlling Access by Network or Netmask
You can control access based on subsets of networks, specified by IP address. The syntax is shown in Example 8–5:
Example 8–5 Controlling Access by Network or Netmask
<Directory /payroll/>
  order deny,allow
  deny from all
  allow from 10.1.0.0/255.255.0.0
</Directory>
In Example 8–5, access is allowed from a network/netmask pair. A netmask shows how an IP address is to be divided into network, subnet, and host identifiers. Netmasks enable you to refer to only the host ID portion of an IP address.
The netmask in Example 8–5, 255.255.0.0, is the default netmask setting for a Class B address. The binary ones (decimal 255) mask the network ID and the binary zeroes (decimal 0) retain the host ID of a given IP address.
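How the order, allow, and deny directives in Examples 8–4 and 8–5 resolve for a given client, as an added Python sketch (not code from this manual or from the server itself). The function names and sample clients are assumptions made for illustration, the client host name is assumed to be already resolved by reverse DNS, and the 141.217.24.* range is written as the partial address 141.217.24.

```python
import ipaddress

def spec_matches(spec, ip, host):
    """Return True if one 'allow from' / 'deny from' argument matches the client."""
    if spec == "all":
        return True
    if "/" in spec:  # network/netmask pair, e.g. 10.1.0.0/255.255.0.0
        return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
    if spec.replace(".", "").isdigit():  # full or partial IP address
        octets = spec.rstrip(".").split(".")
        return ip.split(".")[:len(octets)] == octets
    # Anything else is a (partial) domain name, compared on label boundaries.
    host, spec = (host or "").lower(), spec.lower().lstrip(".")
    return host == spec or host.endswith("." + spec)

def access_allowed(order, allow, deny, ip, host=None):
    """Apply the 'order' directive to the allow and deny lists for one request."""
    allowed = any(spec_matches(s, ip, host) for s in allow)
    denied = any(spec_matches(s, ip, host) for s in deny)
    if order == "allow,deny":
        # allow is evaluated first and deny overrides it; the default is deny
        return allowed and not denied
    if order == "deny,allow":
        # deny is evaluated first and allow overrides it; the default is allow
        return allowed or not denied
    raise ValueError("unsupported order: " + order)

# Example 8-4: everyone allowed except one domain and one address range
EX_8_4 = dict(order="allow,deny", allow=["all"],
              deny=["malicious.cracker.com", "141.217.24"])
# Example 8-5: everyone denied except the 10.1.0.0/255.255.0.0 network
EX_8_5 = dict(order="deny,allow", deny=["all"],
              allow=["10.1.0.0/255.255.0.0"])

if __name__ == "__main__":
    # Constructed sample clients: (IP address, reverse-DNS name or None)
    for ip, host in [("192.0.2.10", "www.example.org"),
                     ("141.217.24.9", None),
                     ("198.51.100.7", "ns1.malicious.cracker.com"),
                     ("10.1.200.3", None), ("10.2.0.1", None)]:
        print(ip, host, access_allowed(ip=ip, host=host, **EX_8_4),
              access_allowed(ip=ip, host=host, **EX_8_5))
```

Swapping the order value while keeping the same allow and deny lists reverses the outcome for a client that matches both lists, which is why the two examples use different orders.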