XINS includes a way to restrict access to functions using ACLs, and a way to disable and re-enable a function.
The ACLs restrict access to a function based on the IP address from which the request comes.
The ACLs are defined in the xins.properties file with the org.xins.server.acl property.
The value is a semicolon-separated list of rules. Each rule consists of the keyword
allow or deny, the IP address or address range that is allowed or denied access, and the name
of the function (or * for all functions).
An address range is written as an IP address followed by / and the number of leading bits that
must match. For example 192.168.0.0/24 covers all IP addresses starting with 192.168.0.
Example:
org.xins.server.acl=allow 127.0.0.1 *; \
                    allow 192.168.0.0/24 MyFunction
By default, a request from an IP address that matches no rule is denied. Rules are evaluated in
order and the first rule that matches both the IP address and the function decides, so if an
address is covered by two rules the earlier one applies; a deny placed after a broader allow
for the same function has no effect. A prefix length of /0 after an IP address matches every
address (0.0.0.0/0).
Note that the address checked is the one the servlet container reports for the connection. If
requests arrive through a reverse proxy or load balancer, that is the proxy's address, not the
end user's, and an ACL that allows the proxy effectively allows everyone behind it.
Example:
org.xins.server.acl=allow 127.0.0.1 *; \
                    deny 192.168.0.21 _GetSettings; \
                    allow 192.168.0.21 _*; \
                    allow 192.168.2.0/24 _*; \
                    allow 0.0.0.0/0 _GetVersion; \
                    allow 192.168.0.0/24 MyFunction
In this example, IP addresses starting with 192.168.0. can access MyFunction; the IP address
192.168.0.21 can also access the meta functions except the _GetSettings meta function (its deny
rule is listed before the allow rule for _*, so it wins); all IP addresses starting with
192.168.2. can access the meta functions; everybody can access the _GetVersion meta function;
and 127.0.0.1 can access every function.
Since XINS 1.1.0, the keyword file is also accepted; its second argument is the location of a
file containing the permissions. The file has a simple line-based format: each line starts with
allow, deny or file. A line starting with allow or deny is followed by the ACL and the function,
as shown in the previous example. A line starting with file is followed by the location of
another ACL permission file. Empty lines, lines containing only spaces and lines starting with
# are ignored. The ACL files are checked for changes every org.xins.server.config.reload
seconds and are also reloaded when the meta function _ReloadProperties is invoked.
Example:
org.xins.server.acl=allow 194.134.168.0/24 _*;\
                    file /usr/conf/myApp.acl
myApp.acl:
allow 194.134.168.0/24 *
deny 194.134.32.0/24 _*
allow 194.134.32.0/24 *
# comment...
allow 212.129.129.120 GetKey
Since XINS 2.1, it is also possible to allow or deny a call based on the calling convention used. To do so, add after the name or pattern of the function the name or regular expression pattern of the calling convention(s) you want to allow or deny. A rule without a calling convention applies to calls made with any calling convention.
For example:
org.xins.server.acl=allow 194.134.168.0/24 _* _xins-std|_xins-xslt;\
                    deny 0.0.0.0/0 _*;\
                    deny 0.0.0.0/0 * _xins-soap
allows the meta functions to be called from the given IP range only with the _xins-std or _xins-xslt calling conventions, denies the meta functions to everyone else, and denies any call using the _xins-soap calling convention.
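The rule semantics described above (first match wins, default deny, CIDR matching, * function patterns, the file include from XINS 1.1.0 and the calling-convention pattern from XINS 2.1) are easy to get wrong by ordering rules badly. The following is an added, standalone evaluator, not XINS's own code, that re-implements those semantics so a rule set can be checked offline before it is deployed. It assumes that * in a function pattern matches any run of characters, that a bare address means /32, and it replaces the file system with an embedded dictionary of constructed .acl contents; the rule strings are the ones from the examples above.

```python
"""Offline evaluator for XINS-style ACL rules (standalone example, not XINS's own code).

Re-implements the documented semantics: ';'-separated allow/deny rules, CIDR
source-address matching, '*' function patterns, an optional calling-convention
regex (XINS 2.1), 'file' includes (XINS 1.1.0), first matching rule wins, and
no match means denied.
"""
import ipaddress
import re

# Constructed stand-in for the file system (path -> contents of an .acl file) so the
# example runs offline; XINS itself reads these files from disk.
ACL_FILES = {
    "/usr/conf/myApp.acl": """
# comment...
allow 194.134.168.0/24 *
deny  194.134.32.0/24  _*
allow 194.134.32.0/24  *
allow 212.129.129.120  GetKey
""",
}


def _function_regex(pattern):
    # Assumption: '*' in a function pattern stands for any run of characters (so '_*'
    # covers every meta function); all other characters are literal.
    return re.compile("^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$")


def _parse_rule(words, rules, files):
    """Append one parsed rule to 'rules'; a 'file' rule is expanded into the file's rules."""
    keyword = words[0]
    if keyword == "file":
        if len(words) != 2:
            raise ValueError("file needs exactly one argument: " + " ".join(words))
        for line in files[words[1]].splitlines():
            line = line.strip()
            if line and not line.startswith("#"):      # blank and comment lines are ignored
                _parse_rule(line.split(), rules, files)
        return
    if keyword not in ("allow", "deny") or len(words) not in (3, 4):
        raise ValueError("malformed rule: " + " ".join(words))
    network = ipaddress.ip_network(words[1], strict=False)   # bare address == /32
    conv_re = re.compile("^(" + words[3] + ")$") if len(words) == 4 else None
    rules.append((keyword == "allow", network, _function_regex(words[2]), conv_re))


def parse_acl(property_value, files=ACL_FILES):
    """Parse the value of org.xins.server.acl into an ordered rule list."""
    rules = []
    for entry in property_value.split(";"):
        words = entry.replace("\\", " ").split()   # drop stray .properties line continuations
        if words:
            _parse_rule(words, rules, files)
    return rules


def matching_rule(rules, ip, function, convention="_xins-std"):
    """Index of the first rule matching the call, or None when no rule matches."""
    addr = ipaddress.ip_address(ip)          # an IPv6 client never matches an IPv4 network
    for i, (_, network, func_re, conv_re) in enumerate(rules):
        if addr in network and func_re.match(function) \
                and (conv_re is None or conv_re.match(convention)):
            return i
    return None


def is_allowed(rules, ip, function, convention="_xins-std"):
    """The first matching rule decides; an unmatched call is denied."""
    i = matching_rule(rules, ip, function, convention)
    return rules[i][0] if i is not None else False


def shadowed_rules(rules):
    """Indices of rules that can never fire: an earlier rule with the same function pattern,
    an equal or wider network and an equal or wider convention filter precedes them."""
    shadowed = []
    for i, (_, net, func_re, conv_re) in enumerate(rules):
        for _, e_net, e_func, e_conv in rules[:i]:
            if (net.version == e_net.version and net.subnet_of(e_net)
                    and func_re.pattern == e_func.pattern
                    and (e_conv is None or
                         (conv_re is not None and conv_re.pattern == e_conv.pattern))):
                shadowed.append(i)
                break
    return shadowed


if __name__ == "__main__":
    acl = parse_acl("allow 127.0.0.1 *; deny 192.168.0.21 _GetSettings; allow 192.168.0.21 _*; "
                    "allow 192.168.2.0/24 _*; allow 0.0.0.0/0 _GetVersion; "
                    "allow 192.168.0.0/24 MyFunction")
    print(is_allowed(acl, "192.168.0.21", "_GetSettings"))    # False: the deny is listed first
    print(is_allowed(acl, "192.168.0.5", "_DisableFunction"))  # False: no rule matches
    # The same two rules in the other order: the deny becomes unreachable.
    swapped = parse_acl("allow 192.168.0.21 _*; deny 192.168.0.21 _GetSettings")
    print(is_allowed(swapped, "192.168.0.21", "_GetSettings"))  # True
    print(shadowed_rules(parse_acl("allow 0.0.0.0/0 _GetVersion; deny 10.0.0.1 _GetVersion")))  # [1]
```

matching_rule tells you which rule decided a call, which is the quickest way to see why a deny you added is not taking effect; shadowed_rules only catches the simple case of an identical function pattern behind a wider network, so a deny hidden behind an earlier allow with a broader pattern such as _* still has to be found by querying the calls you care about.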
It's also possible to enable or disable a function at runtime. By default all functions are enabled.
To disable a function, request the following URL (API_PATH stands for the path at which the API is deployed):
http://API_PATH?_function=_DisableFunction&functionName=MyFunction
To re-enable the function, request the URL:
http://API_PATH?_function=_EnableFunction&functionName=MyFunction
The links to enable or disable a function are provided on the test form generated with the specification documentation.
_DisableFunction and _EnableFunction are meta functions, so the ACL applies to them like any other function: restrict the _* pattern to administrative addresses, otherwise any client that can reach the API can switch functions off.
It's also possible to use HTTPS as the communication layer for calling a XINS API. XINS itself needs no special configuration for this: configure the HTTP server (such as Apache) or the servlet container (such as Tomcat) with the correct TLS settings.
For more information on setting up the server, read the following articles:
Note that the XINS client framework supports HTTPS only since XINS 1.3.0.