Restriction: This topic applies only when the Enterprise Server feature is enabled.
These options are checked for each request.
[options]
logging=logging-level
[trace]
trace=trace-option
[virtual paths]
<default>=default-directory
element=file-system-path
[allow]
element=list-of-filenames
[security]
restricted=restrict-option
authentication=authentication-types
class=resource-class-name
realm=HTTP-realm
The [options] section has a single setting, logging, which enables additional logging messages when set to "1" or a string beginning with "y". The trace setting in the [trace] section, added in Enterprise Server 5.0, has the same effect; it has been added for consistency with other conversation types.
The [virtual paths] section is used to translate between the top-level path elements specified in URLs and the actual file-system directories they correspond to. For example, for the URL http://host/path/to/file, the [virtual paths] section will be consulted for an entry for path. Entries in this section are case-sensitive.
For a more detailed explanation of the way these settings work, see Deployment Services and Listeners.
The [allow] section is used to restrict what files the Web connector will serve out of a given directory.
Security for the Web conversation type
Beginning with Enterprise Server 5.0, the Web conversation type supports additional security mechanisms. These are configured in the [security] section. (Administrators should also consider enabling SSL/TLS, using the Enterprise Server firewall mechanism, and restricting Web listeners to the loopback interface. See Security Considerations for Service Deployment.)
The [security] section can contain the following settings:
- restricted=restrict-option
  If this is set to "1" or a value beginning with "y", deployment is restricted. This means:
  - The Enterprise Server instance must have External Security enabled.
  - Deployment requests must be authenticated. Currently username/password and client certificate authentication are supported.
  - Optionally, deployment requests can also require authorization. An authorization request will be made to the External Security Facility, using the resource class "Enterprise Server Web", the virtual directory from the deployment request, and the appropriate permission ("read" to retrieve deployment logs, "add" and "execute" to add a service). If this class is not defined to the External Security Manager(s), the deployment request is permitted; otherwise, authorization must be granted by ESF or the deployment request will be rejected.
- authentication=authentication-types
  This configures what types of authentication are permitted for this listener. authentication-types is a list of tokens, separated by spaces or commas. They are case-insensitive. Available values are:
  - MF is a proprietary mechanism for passing username and password. This is used in older versions of Enterprise Server and can be enabled for backward compatibility.
  - HTTP is HTTP Basic Authentication, a standard way to send a username and password.
  - Cert (or Certificate) enables authentication using registered client certificates.
  - Register, like Cert, enables client certificate authentication. It also enables automatic registration of client certificates using HTTP Basic Authentication.
- class
  Sets the class name to be used when authorizing a deployment request. The default is "Enterprise Server Web". Usually the only reason to set this value is to use different resource control rules for different Web listeners.
- realm
  Sets the HTTP Realm string for Basic Authentication. The default is "MF Communications Server for region server", where server is the name of the Enterprise Server instance.
For more information on configuring Web security, particularly authentication, see the topic Deployment Listeners.
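The following Python sketch is an added example, not part of the product or its documentation. It reads a [security] section and reports the effective restricted and authentication settings using the rules described above. The sample configuration, the function names, the lower-case-only reading of "y", and the use of Python's configparser to read the file are assumptions; how the product treats an unrecognized token is not stated here, so the sketch only flags it.

```python
import configparser

# Constructed sample configuration (not taken from a real deployment).
# "Basic" is a deliberately unrecognized token; the documented name is HTTP.
SAMPLE = """\
[security]
restricted=yes
authentication=MF, http Certificate,Basic
"""

# Documented tokens, matched case-insensitively; Certificate is an alias of Cert.
KNOWN = {"mf": "MF", "http": "HTTP", "cert": "Cert",
         "certificate": "Cert", "register": "Register"}
# MF and HTTP pass a username and password; Register uses HTTP Basic
# Authentication when it registers a client certificate.
PASSWORD_BASED = {"MF", "HTTP", "Register"}


def is_enabled(value):
    """Documented rule: "1" or a value beginning with "y" switches the setting on."""
    value = value.strip()
    return value == "1" or value.startswith("y")


def audit_security(text):
    """Return the effective [security] settings plus review findings."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    sec = cp["security"] if cp.has_section("security") else {}
    restricted = is_enabled(sec.get("restricted", ""))
    # Tokens are separated by spaces or commas.
    tokens = sec.get("authentication", "").replace(",", " ").split()
    types = sorted({KNOWN[t.lower()] for t in tokens if t.lower() in KNOWN})
    unknown = [t for t in tokens if t.lower() not in KNOWN]
    findings = []
    if not restricted:
        findings.append("deployment is not restricted")
    if unknown:
        findings.append("unrecognized authentication tokens: " + ", ".join(unknown))
    if PASSWORD_BASED & set(types):
        findings.append("password-based authentication enabled; "
                        "confirm SSL/TLS on this listener")
    return {"restricted": restricted, "types": types, "findings": findings}


if __name__ == "__main__":
    print(audit_security(SAMPLE))
```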