iPlanet request-processing

Oracle iPlanet Webserver Request Processing ZeroProductionIncidents.wordpress.com

Transcript of iPlanet request-processing

Oracle iPlanet Webserver

Request Processing

ZeroProductionIncidents.wordpress.com


Topics Covered
• Basic Concepts
  – Directives
  – Templates
  – Server Variables
• Request Processing Stages
  – AuthTrans
  – NameTrans
  – PathCheck
  – ObjectType
  – Input
  – Output
  – Route
  – Service
  – AddLog
  – Error
• Summary
• Default obj.conf file


Directives
A directive is a statement that defines a setting within the Web Server. Directives invoke Server Application Functions (SAFs) at the various request-processing stages.

Format of a Directive:
<Directive> fn="<function-name>" name1="value1" ... nameN="<valueN>"
where,
– <Directive> is one of the request-processing stages.
– <function-name> is the name of the function, either provided by default or loaded using the load-modules function in the magnus.conf file.
– name1, name2, ..., nameN are the parameters passed to the function.

The order in which directives appear becomes important when the directives are conditionally executed.


Templates
• Directives can be grouped together to form Templates (Objects).
• Templates help in processing the Directives on a conditional basis.
• The order in which Templates appear is not important.
• There exists one template with the name "default".
  – The Directives present in the default object are used to process every request.
  – Directives for standard Request Processing are provided in the default template after installation.
  – The Server will start without the default template, but it will not process requests.
• The default template is mandatory for Request Processing.
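Added example (not from the slides or from iPlanet itself): a small Python parser for the directive and template format just described. It keeps each object's directives in file order per stage, since order matters, and fails if the mandatory default object is missing. The configuration text is constructed, modelled on the default obj.conf reproduced at the end of the slides; the path /opt/ws/lib/icons is a placeholder.

```python
import re

STAGES = ["AuthTrans", "NameTrans", "PathCheck", "ObjectType",     # stage order
          "Input", "Output", "Route", "Service", "AddLog", "Error"]  # from the slides
OBJECT_OPEN = re.compile(r'<Object\s+name="?([^">\s]+)"?\s*>')
PARAM = re.compile(r'([\w-]+)=("([^"]*)"|(\S+))')   # name="quoted" or name=bare

# Constructed sample, modelled on the default obj.conf shown in the slides.
SAMPLE = """
<Object name="default">
NameTrans fn="pfx2dir" from="/mc-icons" dir="/opt/ws/lib/icons" name="es-internal"
PathCheck fn="uri-clean"
PathCheck fn="check-acl" acl="default"
PathCheck fn="find-index" index-names="index.html,home.html"
Service method="(GET|HEAD|POST)" type="*~magnus-internal/*" fn="send-file"
AddLog fn="flex-log"
</Object>
<Object name="es-internal">
PathCheck fn="check-acl" acl="es-internal"
</Object>
"""

def parse_objconf(text):
    """Return {object: {stage: [params, ...]}}, keeping directives in file order."""
    objects, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = OBJECT_OPEN.match(line)
        if m:                                   # start of a template/object
            current = m.group(1)
            objects[current] = {s: [] for s in STAGES}
            continue
        if line == "</Object>":
            current = None
            continue
        stage, _, rest = line.partition(" ")
        if current is None or stage not in STAGES:
            raise ValueError(f"unknown stage or directive outside <Object>: {line}")
        params = {k: (quoted if full.startswith('"') else bare)
                  for k, full, quoted, bare in PARAM.findall(rest)}
        if "fn" not in params:                  # every directive must name its SAF
            raise ValueError(f"directive without fn=: {line}")
        objects[current][stage].append(params)
    return objects

def default_fns(objects):
    # The default object is mandatory: fail without it, else list its SAFs per stage.
    if "default" not in objects:
        raise ValueError("no default object: the server starts but processes no requests")
    return {s: [d["fn"] for d in objects["default"][s]] for s in STAGES if objects["default"][s]}
```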


Server Variables
• Web Server variables begin with a dollar sign character ($), followed by an upper- or lowercase letter as the next character. Subsequent characters can include any combination of upper- or lowercase alphanumeric characters or underscores (_).
• Server Variables can be:
  – Predefined Variables
  – Defined at request time through the use of the set-variable SAF
  – Virtual-server-specific variables defined at the <virtual-server> level
  – Server variables defined at the <server> level


Request Processing Stages
• The Webserver has predefined stages for the entire Request Handling Process.
• Sets of related functions are grouped together to perform tasks within the Request Handling Process.
• The Server may call many functions to perform the work of Request Processing.
• There might be zero or more Directives within each stage.


[Stage diagram: Request → AuthTrans → NameTrans → PathCheck → ObjectType → Input → Output → Route → Service → AddLog → Error; current stage: AuthTrans]

Available Info from Previous Phases:
• -
Input:
• Authorization info in Request HTTP Header
Output:
• Status of User Authentication, if Header info available
• User details


[Stage diagram; current stage: AuthTrans]

Comments:
• AuthTrans stands for Authorization Translation.
• Gets the User Identity as part of the HTTP Header Info.
• Validates the Authenticity of User Credentials, i.e., checks if the username and password associated with the request are acceptable.
• This Phase doesn't Allow or Deny any Requests.
• When a request arrives, the AuthTrans stage checks whether the Authorization HTTP header exists; if it does, the AuthTrans stage validates the authenticity of the user's credentials.
• If there is more than one AuthTrans directive defined for the object, the Web Server processes each directive in sequential order until one succeeds in authorizing the user. As soon as a match occurs, processing within the stage is complete and subsequent AuthTrans directives are ignored.


[Stage diagram; current stage: AuthTrans]

basic-auth: calls a custom function to verify authorization information sent by the client. Ex:
  AuthTrans fn=basic-auth auth-type=basic userfn=hardcoded_auth
The user-defined function hardcoded_auth is used to verify the user credentials.

basic-ncsa: verifies authorization information sent by the client against a database. Ex:
  AuthTrans fn=basic-ncsa auth-type=basic dbm=/netscape/server4/userdb/rs

get-sslid: retrieves a string that is unique to the current SSL session and stores it as the ssl-id variable in the Session->client parameter block.

qos-handler: examines the current quality of service statistics for the virtual server, virtual server class, and global server, logs the statistics, and enforces the QOS parameters by returning an error.


[Stage diagram; current stage: NameTrans]

Available Info from Previous Phases:
• Status of User Authentication
Input:
• Request URI
Output:
• OS related File/Directory


[Stage diagram; current stage: NameTrans]

Comments:
• NameTrans stands for Name Translation.
• To the Operating System, resources are files and directories, so the webserver must convert the Request URI to the corresponding OS file or directory.
• NameTrans directives translate virtual URLs to physical directories/files on the Web server.


[Stage diagram; current stage: NameTrans]

assign-name: specifies the name of an object in obj.conf that matches the current request. The server then processes the directives in the named object in preference to the ones in the default object. Ex:
  NameTrans fn=assign-name name=myapp from=/zeroproductionincidents...
  <Object name=myapp>
  ...additional directives..
  </Object>
After processing the NameTrans directive, the server looks for a named object myapp in obj.conf and starts processing the directives in the myapp object.

document-root: specifies the root document directory for the server. Ex:
  NameTrans fn=document-root root=/usr/netscape/server4/docs


[Stage diagram; current stage: NameTrans]

home-page: specifies the home page for the server. Whenever a client requests the server's home page (/), they get the document specified. Ex:
  NameTrans fn="home-page" path="homepage.html"

pfx2dir: replaces a directory prefix in the requested URL with a real directory name. It also optionally allows you to specify the name of an object that matches the current request. Ex:
  NameTrans fn="pfx2dir" from="/images/banner" dir="/homepage/defaultimages" name="myimages"
A request for servername/images/banner/logo.gif is translated to the file /homepage/defaultimages/logo.gif, and the server also starts processing the directives in the object named myimages.


[Stage diagram; current stage: NameTrans]

redirect: lets you change URLs and send the updated URL to the client. Ex:
  NameTrans fn="redirect" from="/" url-prefix="http://newserver"
Any request for http://server-name/resource is translated to a request for http://newserver/resource.

unix-home: translates user names (typically of the form ~username) into the user's home directory on the server's Unix machine. Ex:
  NameTrans fn="unix-home" from="/~" subdir="public_html"
servername/~ is translated to the user subdirectory "public_html" within the user's home directory.
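Added example, not code from the slides or from iPlanet: a simplified Python model of the NameTrans functions above (pfx2dir, document-root, redirect, unix-home) tried in file order, showing that a catch-all such as document-root or redirect from=/ must come after the specific prefixes. The HOME_DIRS table and the request dictionary are constructed assumptions.

```python
# Added model (not iPlanet code) of how NameTrans directives are tried in file order:
# the first SAF that maps the URI ends the stage, so a catch-all must come last.
# Parameter names follow the slides; HOME_DIRS is a constructed stand-in for the OS
# account lookup that unix-home performs.
HOME_DIRS = {"alice": "/home/alice"}

def pfx2dir(req, from_, dir, name=None):
    if req["uri"] == from_ or req["uri"].startswith(from_ + "/"):
        req["path"] = dir + req["uri"][len(from_):]
        if name:                          # continue with the named object's directives
            req["object"] = name
        return True
    return False

def document_root(req, root):             # catch-all: prefix the document root
    req["path"] = root + req["uri"]
    return True

def redirect(req, from_, url_prefix):
    if req["uri"].startswith(from_):
        req["redirect"] = url_prefix + req["uri"]
        return True
    return False

def unix_home(req, from_, subdir):
    if req["uri"].startswith(from_):
        user, _, rest = req["uri"][len(from_):].partition("/")
        if user in HOME_DIRS:
            req["path"] = f"{HOME_DIRS[user]}/{subdir}/{rest}"
            return True
    return False

SAFS = {"pfx2dir": pfx2dir, "document-root": document_root,
        "redirect": redirect, "unix-home": unix_home}

DIRECTIVES = [   # the slides' examples, specific prefixes before the catch-all
    {"fn": "pfx2dir", "from": "/images/banner", "dir": "/homepage/defaultimages", "name": "myimages"},
    {"fn": "unix-home", "from": "/~", "subdir": "public_html"},
    {"fn": "document-root", "root": "/usr/netscape/server4/docs"},
]

def name_trans(uri, directives=DIRECTIVES):
    req = {"uri": uri, "path": None, "object": "default", "redirect": None}
    for d in directives:
        params = {("from_" if k == "from" else k.replace("-", "_")): v
                  for k, v in d.items() if k != "fn"}
        if SAFS[d["fn"]](req, **params):  # first SAF that succeeds ends the stage
            break
    return req
```

Putting the redirect directive first makes every request, including /images/banner/logo.gif, leave as a redirect before pfx2dir is ever consulted.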


[Stage diagram; current stage: PathCheck]

Available Info from Previous Phases:
• Status of User Authentication
• Related OS File/Directory from the Request URI
Input:
• OS File/Directory path
Output:
•


[Stage diagram; current stage: PathCheck]

Comments: PathCheck Directives perform the following tasks on the resulting path:
• Clean up any malicious directory elements (e.g. \, .\, .. etc.) and other dangerous elements.
• Determine whether the requested resource is a web application or a directory in the file system, and verify its existence.
• Access Control Processing, to determine whether the user is allowed to access the requested resource.


[Stage diagram; current stage: PathCheck]

check-acl:
• specifies an Access Control List (ACL) to use to check whether the client is allowed to access the requested resource.
• An access control list contains information about who is or is not allowed to access a resource, and under what conditions access is allowed.
• You can also specify under what conditions (i.e., client IP address, day of week, or authentication method) access is granted.
• Regardless of the order of PathCheck directives in the object, check-acl functions are executed first. They cause user authentication to be performed, if required by the specified ACL, and also update the access control state.

Ex:
  PathCheck fn="check-acl" acl="default"
The default ACL is applied to requests; the path for the default ACL file can be specified in the server.xml file.


[Stage diagram; current stage: PathCheck]

check-acl:

• If an ACL specifies access based on a particular user or group and the user is not known (i.e., has not authenticated), Web Server responds to the client with a status of 401 (Unauthorized) and completes the processing of the request.

• This status informs the browser that it needs to open a dialog box to prompt the user for a username and password.

• The browser sends the credentials, along with the original URL, to the Web Server where they will then be validated in the AuthTrans stage.

• If access is denied, the server switches to executing directives in the Error stage, where a status code of 403 (Forbidden) is returned to the client.


[Stage diagram; current stage: PathCheck]

deny-existence: sends a "not found" message when a client tries to access a specified path. The server sends "not found" instead of "forbidden", so the user cannot tell whether the path exists or not. Ex:
  PathCheck fn=deny-existence path=/mysite/docs/private

find-index: investigates whether the requested path is a directory. If it is, the function searches for an index file in the directory, and then changes the path to point to the index file. If no index file is found, the server generates a directory listing (if directory listing is turned on). Ex:
  PathCheck fn=find-index index-names=index.html,home.html
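Added example, not code from the slides or from iPlanet: a Python model of the PathCheck rules for check-acl, deny-existence and find-index described above, including the rule that check-acl runs first whatever its position and the 401/403/404 outcomes. The ACL table and the document tree are constructed.

```python
# Added model (not iPlanet code) of the PathCheck behaviour described in the slides:
# check-acl runs before the other PathCheck SAFs whatever its position, an unknown
# user gets 401, a known but unauthorised user 403, and deny-existence answers 404.
ACLS = {"default": None, "staff-only": {"alice"}}      # constructed; None = anyone
FILES = {"/docs": True, "/docs/index.html": False,      # constructed document tree;
         "/docs/private": True, "/docs/private/secret.html": False,
         "/docs/data": True}                            # True marks a directory

class Stop(Exception):                 # a SAF ends the request with this HTTP status
    def __init__(self, status):
        self.status = status

def check_acl(req, acl):
    allowed = ACLS[acl]
    if allowed is None:
        return
    if req["user"] is None:
        raise Stop(401)                # browser is prompted; credentials go to AuthTrans
    if req["user"] not in allowed:
        raise Stop(403)                # Error stage returns Forbidden

def deny_existence(req, path):
    if req["path"] == path or req["path"].startswith(path + "/"):
        raise Stop(404)                # "not found", never "forbidden"

def find_index(req, index_names):
    if FILES.get(req["path"]) is True:           # a directory: look for an index file
        for name in index_names.split(","):
            if req["path"] + "/" + name in FILES:
                req["path"] += "/" + name
                return
        req["listing"] = True                    # no index file: directory listing

SAFS = {"check-acl": check_acl, "deny-existence": deny_existence, "find-index": find_index}

DIRECTIVES = [   # check-acl deliberately listed second; it still runs first
    {"fn": "deny-existence", "path": "/docs/private"},
    {"fn": "check-acl", "acl": "default"},
    {"fn": "find-index", "index-names": "index.html,home.html"},
]

def path_check(path, user, directives=DIRECTIVES):
    req = {"path": path, "user": user, "listing": False}
    ordered = sorted(directives, key=lambda d: d["fn"] != "check-acl")  # stable sort
    try:
        for d in ordered:
            SAFS[d["fn"]](req, **{k.replace("-", "_"): v for k, v in d.items() if k != "fn"})
    except Stop as stop:
        return stop.status, req
    return 200, req
```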


[Stage diagram; current stage: PathCheck]

find-links: searches the current path for symbolic or hard links to other directories or file systems. If any are found, an error is returned. The disable parameter takes:
  h  hard links
  s  soft links
  o  allows symbolic links from user home directories only if the user owns the target of the link
Ex:
  PathCheck fn=find-links disable=sh dir=/foreign-dir

find-pathinfo: finds any extra path information after the file name in the URL and stores it for use in the CGI environment variable PATH_INFO. Ex:
  PathCheck fn=find-pathinfo


[Stage diagram; current stage: PathCheck]

get-client-cert: gets the authenticated client certificate from the SSL3 session. It can apply to all HTTP methods, or only to those that match a specified pattern. It only works when SSL is enabled on the server. Ex:
  PathCheck fn="get-client-cert" dorequest="1"



Request Processing Stages - Summary

AuthTrans   Gets the User Identity as part of the HTTP Header Info. Validates the Authenticity of User Credentials.
NameTrans   Translates the requested URI to a Webserver resource.
PathCheck   Cleans up any malicious directories.
ObjectType
Input
Output
Route
Service
AddLog
Error

Default obj.conf file

<Object name="default">
  AuthTrans fn="match-browser" browser="*MSIE*" ssl-unclean-shutdown="true"
  NameTrans fn="ntrans-j2ee" name="j2ee"
  NameTrans fn="pfx2dir" from="/mc-icons" dir="F:/Wissen-Public/Lab-Env/Servers/iPlanet/lib/icons" name="es-internal"
  PathCheck fn="uri-clean"
  PathCheck fn="check-acl" acl="default"
  PathCheck fn="find-pathinfo"
  PathCheck fn="find-index-j2ee"
  PathCheck fn="find-index" index-names="index.html,home.html,index.jsp"
  ObjectType fn="type-j2ee"
  ObjectType fn="type-by-extension"
  ObjectType fn="force-type" type="text/plain"
  Service method="(GET|HEAD)" type="magnus-internal/directory" fn="index-common"
  Service method="(GET|HEAD|POST)" type="*~magnus-internal/*" fn="send-file"
  Service method="TRACE" fn="service-trace"
  Error fn="error-j2ee"
  AddLog fn="flex-log"
</Object>

<Object name="j2ee">
  Service fn="service-j2ee" method="*"
</Object>

<Object name="es-internal">
  PathCheck fn="check-acl" acl="es-internal"
</Object>

<Object name="cgi">
  ObjectType fn="force-type" type="magnus-internal/cgi"
  Service fn="send-cgi"
</Object>

<Object name="send-precompressed">
  PathCheck fn="find-compressed"
</Object>

<Object name="compress-on-demand">
  Output fn="insert-filter" filter="http-compression"
</Object>

[Stage diagram: AuthTrans → NameTrans → PathCheck → ObjectType → Input → Output → Route → Service → AddLog → Error]
