A realm is a database containing users and their roles (sets of permissions to access server-resources). A realm also manages user-passwords and the user's server-resources access rights. The access rights are divided into one or more security constraints. In other words, you can limit the access rights to your users such that they cannot work outside their defined realm. The security constraints are created and configured with the Constraints Editor. The figure below shows the Users Editor to the left and the Constraints Editor to the right. You use the Constraints Editor to set permission rules for the users. You use the Users Editor to add, change, and remove users.
The Constraints Editor sets permissions for roles and not directly for the user. A user can be in one or several roles. An example of a role can be "friends". You can set up a permission rule for your friends such that they are limited to read and write to one directory such as "c:\friends".
The Constraints Editor and Users Editor:
The user is granted access to the provided URL-pattern if the requested URL-pattern and the HTTP method type match one of the security constraints stored in the security constraint database. The BarracudaDrive Web File Manager uses two HTTP method types: HTTP GET and HTTP POST.
GET gives the authenticated user access to read the resources that match one of the security constraints.
POST gives the authenticated user access to write (upload) files, create new directories and delete files.
A constraint consists of the following:
A URL-pattern is the relative path element at the position from where the Web File Manager starts, which is /drive/. For example, a constraint URL-pattern '/users/*' matches http://localhost/drive/users/thomas?cmd=ls.
A URL-pattern specifies one resource or a collection of resources. A URL-pattern specifying one resource is for example: '/users/public.html'. A collection of resources is specified with a wildcard at the end of the URL-pattern; for example, '/users/*' specifies all resources in the 'users' folder. One can have multiple constraints with the same wildcard URL-pattern, but a URL-pattern specifying one resource cannot be in multiple constraints.
A constraint can either give access or deny access to a specific resource or resource collection. A longer URL-pattern takes precedence over a shorter URL-pattern.
The BarracudaDrive Web File Manager is set up by default so that the realm contains only one user, the administrator. In this example we will add two users, 'thomas' and 'james', that are allowed to read from the 'c:\users' directory. The user 'thomas' is allowed to write to the 'thomas' subdirectory, and 'james' is allowed to write to the 'james' subdirectory. The two users are not allowed to read from or write to any other directory on the hard drive, including the root directory.
You have the option of downloading a ready-configured database for this example or creating the database as described below.
Press the set button and add the following:
Name: james
Password: whatever
Roles: james
users
Press the set button and the save button.
Switch to the "Constraints Editor" by pressing the button.
Add the following:
Name: users
URL's: /users/*
/users/thomas/*
/users/james/*
Roles: users
Methods: GET
Press the set button and add the following:
Name: thomas
URL's: /users/thomas/*
Roles: users
Methods: POST
Press the set button and add the following:
Name: james
URL's: /users/james/*
Roles: users
Methods: POST
Press the set button and the save button.
You have now completed the user configuration. The two users and the constraints are added to the user and constraints database in the BarracudaDrive Web File Manager.
You now need to create the following directories on your hard drive:
We have set up the constraints such that 'james' and 'thomas' have read permission in the 'users' directory and read access in all subdirectories of the other users. For example, 'james' can read, but not write to, any of the files in thomas's directory. The constraint applies to any subdirectory in the 'thomas' directory, so if 'thomas' creates N directories inside the 'thomas' directory, 'james' can read all of them.
An interesting effect of our constraint configuration is that no one has write access to the 'users' directory, including the administrator. The administrator account is set up to be part of all roles, but no role is configured to have write permission to the 'users' directory or any other subdirectory inside the 'users' directory except for the 'thomas' and 'james' directories.
We suggest you log out as administrator and log in as one of the new users. Please note that you cannot use the root URL http://localhost/drive/?cmd=ls when logged in as one of the new users, as they do not have permission to read from any directory branch other than the c:\users directory. For example, log in as james, and enter the URL http://localhost/drive/users/?cmd=ls in the browser.
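The matching rules described above (the longest matching URL-pattern takes precedence, then role and method must match) can be modelled in a few lines to check a constraint set against the intended access before saving it. The Python below is an added example, not BarracudaDrive code. The names Constraint, match_len, allowed and build are assumptions, as is the build(True) variant, which binds each POST constraint to the per-user role instead of the 'users' role shown in the listing.

```python
# Added example: a model of the matching rules stated on this page (an assumption).
from dataclasses import dataclass

@dataclass(frozen=True)
class Constraint:
    name: str
    patterns: tuple
    roles: frozenset
    methods: frozenset

def match_len(pattern, path):
    """Length of the matched pattern prefix, or -1 if it does not match."""
    if pattern.endswith("/*"):                 # collection of resources
        prefix = pattern[:-1]                  # '/users/*' -> '/users/'
        return len(prefix) if path.startswith(prefix) else -1
    return len(pattern) if path == pattern else -1   # single resource

def allowed(constraints, roles, method, path):
    """path is relative to /drive/, e.g. '/users/thomas/a.txt'."""
    best, hits = -1, []
    for c in constraints:
        for p in c.patterns:
            n = match_len(p, path)
            if n > best:
                best, hits = n, [c]
            elif n == best and n >= 0:
                hits.append(c)
    # Only constraints holding the longest matching pattern are consulted.
    return any(method in c.methods and roles & c.roles for c in hits)

def build(per_user):
    """per_user=False: roles as listed on the page; True: assumed variant."""
    def writer(u):
        return frozenset({u if per_user else "users"})
    return [
        Constraint("users", ("/users/*", "/users/thomas/*", "/users/james/*"),
                   frozenset({"users"}), frozenset({"GET"})),
        Constraint("thomas", ("/users/thomas/*",), writer("thomas"), frozenset({"POST"})),
        Constraint("james", ("/users/james/*",), writer("james"), frozenset({"POST"})),
    ]

JAMES = frozenset({"james", "users"})             # constructed; mirrors the Users Editor entry
ADMIN = frozenset({"james", "thomas", "users"})   # constructed; member of all roles

if __name__ == "__main__":
    for per_user in (False, True):
        cs = build(per_user)
        for m, p in (("GET", "/users/thomas/a.txt"), ("POST", "/users/thomas/a.txt")):
            print(per_user, "james", m, p, allowed(cs, JAMES, m, p))
```

Under this model, only constraints holding the longest matching pattern are consulted, so the GET constraint has to repeat the per-user patterns, as the 'users' constraint in the listing does.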