11.2 Protected Resource Page

The protected resource is the list of URLs defined by the iChain administrator.

Figure 11-2 Protected Resources Page

11.2.1 Types of Protected Resources

iChain provides three levels of security for protected resources:

  • Public: No authentication or access control exists for the pages under this protected resource.

  • Restricted: Authentication exists only for the pages under this protected resource.

  • Secure: This is the most secure type of protected resource. To access the pages under this protected resource, the user must authenticate through the proper authentication mechanism and must also pass access control. This is the default selection for a new protected resource.

In simple terms, if a user accesses a URL that has the domain name of an iChain proxy accelerator, the iChain Proxy Server checks with the ISO (found in eDirectory) to determine whether the URL is found in its URL list. Based on the type of access allowed, the proxy makes the decision of whether to grant access. For more details, see the scenarios below.

Scenarios:

Consider that the following is required:

  1. http://ichain.novell.com/index.html should be accessed by all users. The index.html page is found on the Web server at the document root. The index.html page loads GIFs or bitmaps from the /images folder at the document root.

  2. http://ichain.novell.com/restricted/index.html should be accessed by authenticated users. The index.html page loads GIFs or bitmaps from the /restricted/images/ folder at the document root.

  3. http://ichain.novell.com/secure/index.html should be accessed by users who should be authenticated and also should have access control checking. The index.html page loads GIFs or bitmaps from the /secure/images/ folder at the document root.

Resource Name    URL Prefix                             Access
---------------  -------------------------------------  ----------
Root Index       http://ichain.novell.com/index.html    Public
RootImages       http://ichain.novell.com/images/?      Public
RestrictFolder   http://ichain.novell.com/restrict/*    Restricted
SecureFolder     http://ichain.novell.com/secure/*      Secure

An accelerator is created with a DNS Domain Name of ichain.novell.com and is associated with an authentication profile (authentication is enabled). Consider that we are using an authentication profile that uses an LDAP distinguished name login mechanism. While matching the protected resource URLs, iChain looks for the most specific match in deciding URL access.

Case 1:

When the user accesses the URL, http://ichain.novell.com/index.html, he or she is able to access the page without authenticating. The images required by index.html are successfully loaded from the /images/ folder.

Case 2:

When the user accesses the URL, http://ichain.novell.com/restrict/index.html, he or she receives a login page and has to use his or her LDAP user name and password to view the page.

Case 3:

When the user accesses the URL, http://ichain.novell.com/secure/index.html, he or she receives a login page and must use his or her LDAP user name and password to view the page. If the user has an access control rule that allows him or her to access the page and its dependent resources (for example, GIFs and bitmaps), then he or she can view the page. (See Section 12.0, Using iChain Access Control Rules for more information.) If there is no access control rule or if the user is not allowed access to the page or its dependent resources, he or she sees a 403 Forbidden error message and cannot view the page or its dependent resources.

The above cases are summarized in the following table:

Cases     URL Accessed                                  Authentication Required  Access Control Required
--------  --------------------------------------------  -----------------------  -----------------------
Case I    http://ichain.novell.com/index.html           No                       No
Case II   http://ichain.novell.com/restrict/index.html  Yes                      Yes
Case III  http://ichain.novell.com/secure/index.html    Yes                      Yes

Case 4:

If the accelerator with the DNS domain name iChain.novell.com does not have any type of authentication enabled, the user sees every page without any authentication or access control:

URL Accessed                                  Authentication Required  Access Control Required
--------------------------------------------  -----------------------  -----------------------
http://ichain.novell.com/index.html           No                       No
http://ichain.novell.com/restrict/index.html  No                       No
http://ichain.novell.com/secure/index.html    No                       No

IMPORTANT: Authentication must be enabled for the Public, Restricted, or Secure levels of security to function. If you have no authentication on the accelerator, you are using the iChain server as a caching appliance only.

As shown in the example above, iChain allows you to use wildcard characters when specifying the URL for a protected resource. If the protected resource's URL is absolute, ending with a trailing slash (/), iChain matches only the URL. However, if the protected resource's URL ends with a question mark (?), iChain matches all files in the specified folder. For example, http://ichain.novell.com/dir1/? matches all the files under the dir1 folder. If the protected resource's URL ends with an asterisk (*), iChain matches all the files under the specified folder and all the subfolders and their contents. For example, http://ichain.novell.com/dir1/* matches all files under the dir1 folder and any subfolders below dir1.

You can use wildcard (asterisk - *) folders to define protected resources. The wildcard can be used with one or more folders. The following are examples of how you could define URLs of a protected resource:

  <DNS_Domain_Name>/*/public/*
  <DNS_Domain_Name>/a*/public/
  <DNS_Domain_Name>/a*c/public/

NOTE: Using wildcard folders could negatively impact the performance of your system. We recommend that you use this option only if it is required.
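The trailing-wildcard rules and the most-specific-match decision described above can be modelled as follows. This is an added example, not iChain code: it follows the level definitions in 11.2.1, handles only trailing ? and * (not wildcard folders), and the function names, the OVERLAP entry, and the reading of "most specific" as the longest matching pattern are assumptions.

```python
from urllib.parse import urlsplit

# Resource table from the scenario on this page: (name, URL prefix, level).
RESOURCES = [
    ("Root Index", "http://ichain.novell.com/index.html", "Public"),
    ("RootImages", "http://ichain.novell.com/images/?", "Public"),
    ("RestrictFolder", "http://ichain.novell.com/restrict/*", "Restricted"),
    ("SecureFolder", "http://ichain.novell.com/secure/*", "Secure"),
]
# Constructed overlap (not on the page) to exercise most-specific matching.
OVERLAP = RESOURCES + [
    ("SecureLogos", "http://ichain.novell.com/secure/images/?", "Public"),
]

def _host_path(url):
    parts = urlsplit(url)
    return parts.netloc.lower(), parts.path

def matches(pattern, url):
    """Trailing-wildcard rules: none = exact, ? = folder, * = subtree."""
    kind = pattern[-1] if pattern[-1] in "?*" else ""
    phost, ppath = _host_path(pattern[:-1] if kind else pattern)
    host, path = _host_path(url)
    if host != phost or not path.startswith(ppath):
        return False
    rest = path[len(ppath):]
    if kind == "*":                      # files, subfolders and their contents
        return True
    if kind == "?":                      # files directly in the folder only
        return rest != "" and "/" not in rest  # assumption: bare folder excluded
    return rest == ""                    # absolute URL: exact match only

def decide(url, resources=RESOURCES, auth_enabled=True):
    """Return (resource name, auth required, access control required)."""
    if not auth_enabled:                 # Case 4: caching appliance only
        return (None, False, False)
    hits = [r for r in resources if matches(r[1], url)]
    if not hits:
        return None                      # unlisted URL: behaviour not stated on the page
    # Assumption: "most specific" means the longest matching pattern.
    name, _, level = max(hits, key=lambda r: len(r[1]))
    return (name, level != "Public", level == "Secure")

if __name__ == "__main__":
    for u in ("http://ichain.novell.com/index.html",
              "http://ichain.novell.com/images/logo.gif",
              "http://ichain.novell.com/restrict/index.html",
              "http://ichain.novell.com/secure/images/logo.gif"):
        print(u, decide(u), decide(u, OVERLAP))
```

Running a proposed resource list through a model like this before deployment shows which rule wins for each dependent resource, such as an image folder beneath a Secure prefix.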