Access Control

The VolanoChat server uses the same powerful access control directives used by popular Web servers such as the Apache HTTP Server. These directives allow you to control precisely who connects to your VolanoChat server and through which Web pages those connections may be made. The server reads its access control information from the file defined by the server.access property, with a default file that looks like this.

Directives

There are three types of directives in the access control file:

order directives,
host access directives, and
referrer access directives.

Comments in the file are preceded by the pound character ("#").

Order Directives

Order directives define the order in which the VolanoChat server evaluates each of the host and referrer access directives. There are three values for the order directive, with meanings as follows.

order deny,allow: The deny directives are evaluated before the allow directives. A host or Web page which does not match either list is granted access. This order makes the deny directives the default, and the allow directives the exceptions.
order allow,deny: The allow directives are evaluated before the deny directives. A host or Web page which does not match either list is granted access. This makes the allow directives the default, and the deny directives the exceptions.
order mutual-failure: You specify precisely which hosts or URLs are allowed or denied. A host or Web page which does not match either list is denied access. A host or Web page is also denied access when it matches both lists.

Host Access Directives

The host access directives let you specify which client host computers or network domains may access your VolanoChat server. Since each person connecting to your server is identified by a unique Internet Protocol (IP) address, this control lets you grant or deny chat access for individual visitors to your Web site.

deny from all: Denies all hosts.
deny from host1 host2 ... hostn: Denies access from hosts with addresses matching those in the list.
allow from all: Allows access from all hosts.
allow from host1 host2 ... hostn: Allows access from hosts with addresses matching those in the list.

where host1 host2 ... hostn is a list of zero or more host addresses in the form of a partial domain name, a full host name, a partial IP address, or a full IP address.

Host names and domain names are compared from right to left, so that ".volano.com" would match all hosts in the volano.com domain, such as "chat.volano.com". Begin partial domain names with a dot (".") so that comparisons will be made against complete components in the host name.

Full and partial IP addresses are compared from left to right, so that "192.168." would match any IP address on that subnetwork, such as "192.168.0.5". End partial IP addresses with a dot (".") so that comparisons will be made against complete components in the IP address.

Important note! Because of a bug in many of the current Java virtual machines, you must specify the host using its numeric IP address instead of the host name in the host access directives of the access control file. The referrer access directives below can still use the normal host name in the URL.

Referrer Access Directives

The referrer access directives let you specify which Web pages may provide an entry point to your VolanoChat server. Since each Web page is identified by a unique Uniform Resource Locator (URL), this control lets you grant or deny chat access through Web pages on your own site or other sites on the Web.

referrer deny from all: Denies all referring Web pages.
referrer deny from url1 url2 ... urln: Denies referring Web pages with addresses matching the URLs in the list.
referrer allow from all: Allows all referring Web pages.
referrer allow from url1 url2 ... urln: Allows referring Web pages with addresses matching the URLs in the list.

where url1 url2 ... urln is a list of zero or more full or partial URL specifications in the form http://hostname/filename (with no port number or anchor reference in the URL). URL comparisons are from left to right, so you must specify full host names or full IP addresses in the URL.

Important note! Because the referrer access control can be rather easily defeated by imposter VolanoChat applets, you should consider using the new room.nodynamic server property if you need to prevent the creation of dynamic chat rooms from other Web sites. The Apache Web server does not support referrer-based access control, and even the older NSCA HTTPd server states that, "Note: This is not perfect. There is nothing to prevent a user from accessing the directory if they are able to modify the Referer: header that is sent with their browser."

Examples

Most VolanoChat customers want to run their VolanoChat server in one of two general Web access modes:

open to the Internet, allowing any Web page to link into the chat server, or
restricted to their own Web site, allowing only Web pages on their own site to link into the chat server.

The first mode brings together a global community of related Web sites, while the second adds chat to the pages of a single Web site.

The host access is usually used either to:

permanently block certain people from accessing the server, or
restrict access to those people connecting from computers in a particular domain, such as a company's employees or the dial-up customers of a particular Internet Service Provider.

To allow anyone to connect through any Web page, put:

order allow,deny
allow from all
referrer allow from all

To allow anyone to connect, but only through your own Web pages, put:

order deny,allow
allow from all
referrer deny from all
referrer allow from http://your-domain/

where your-domain is the name of the host running your Web site, such as www.volano.com, for example.

The example below allows users to connect only from computers in the volano.com and volano.net domains, and allows those connections only through Web pages on Volano's Web sites at http://www.volano.com/ and http://www.volano.net/.

order deny,allow
deny from all
allow from .volano.com
allow from .volano.net
referrer deny from all
referrer allow from http://www.volano.com/
referrer allow from http://www.volano.net/

For the opposite effect, the directives below allow any user except those from volano.com and volano.net to connect, and allow any referring Web page except those pages from Volano's Web sites at http://www.volano.com/ and http://www.volano.net/.

order allow,deny
allow from all
deny from .volano.com
deny from .volano.net
referrer allow from all
referrer deny from http://www.volano.com/
referrer deny from http://www.volano.net/

You may also deny access to specific hosts or specific Web pages, as in the example shown below:

order allow,deny
allow from all
deny from 192.168.0.2
deny from red.volano.com
referrer allow from all
referrer deny from http://www.volano.com/chat.html
referrer deny from http://www.volano.net/chat.html

This example denies access to anyone using the computers with IP addresses 192.168.0.2 or red.volano.com, and denies access to anyone at all trying to connect through the Web pages at http://www.volano.com/chat.html or http://www.volano.net/chat.html.

Check HTML

Table of Contents