Function accesses

XINS includes a way to set some permissions for the functions using ACLs and also a way to disable/enable a function.

ACLs

The ACLs are used to restrict the access of a function based on the IP address from where the request comes.

The ACLs are defined in the xins.properties file with the org.xins.server.acl property

The value is a dot comma separated list of the keywords allow or deny, the IP addresses specified as ACL allowed or denied to access the function and the name of the function or * used for all functions.

An ACL is an IP address followed by / and the number of bits that should remains the same. For example 192.168.0.0/24 defines all IP addresses starting with 192.168.0.

Example:

org.xins.server.acl=allow 127.0.0.1 *; \
                    allow 192.168.0.0/24 MyFunction

Per default, if an IP address is not specified in the list then the access is denied. If an IP address is specified twice then the first rule will apply. If you specify /0 after an IP address then all IP address will match.

Example:

org.xins.server.acl=allow 127.0.0.1 *; \
                    deny 192.168.0.21 _GetSettings; \
                    allow 192.168.0.21 _*; \
                    allow 192.168.2.0/24 _*; \
                    allow 0.0.0.0/0 _GetVersion; \
                    allow 192.168.0.0/24 MyFunction

In this example, IP addresses starting with 192.168.0. will be able to access MyFunction, the IP address 192.168.0.21. will also be able to access the meta functions except the _GetSettings meta function. All IP addresses starting with 192.168.2. will be able to access the meta functions. Everybody will be able to access the _GetVersion meta function.

Since XINS 1.1.0, the keyword file is also accepted with as second argument the location of the file containing the permissions. The specified file should be of a special format. The lines should start with allow, deny or file. If the line start with allow or deny it should be followed by the ACL and the function as shown in the previous example. If the line starts with file, it should be followed by the location of another acl premission file. Empty lines, lines containing only spaces and lines starting with # are ignored. The ACL files will be monitored for changes every org.xins.server.config.reload seconds and will be reloaded when the meta function _ReloadProperties is invoked.

Example:

org.xins.server.acl=allow 194.134.168.0/24 _*;\
                    file /usr/conf/myApp.acl

myApp.acl:

allow 194.134.168.0/24 *
deny 194.134.32.0/24 _*
allow 194.134.32.0/24 *

# comment...
allow 212.129.129.120 GetKey

Since XINS 2.1, it is possible to allow or deny a call based on the calling convention used. To do it add after the name or the pattern of the function, the name or the regular expression pattern of the calling convention you want to allow or deny.

For example:

org.xins.server.acl=allow 194.134.168.0/24 _* _xins-std|_xins-xslt;\
                    deny 0.0.0.0/0 _*;\
                    deny 0.0.0.0/0 * _xins-soap
allows the meta functions to be called only using the _xins-std or _xins-xslt calling conventions for the given IP range and denies any call using the _xins-soap calling convention.

Enable/Disable a function

It's also possible to enable or disable a function. By default all functions are enabled.

To disable a function, request the following URL: http://API_PATH?_function=_DisableFunction&functionName=MyFunction

To re-enable the function, request the URL: http://API_PATH?_function=_EnableFunction&functionName=MyFunction

The links to enable or disable a function are provided on the test form generated with the specification documentation.

HTTPS

It's also possible to use HTTPS as communication layer to call a XINS API. To do it, you just need to configure the HTTP server (such as Apache) or the servlet container (such as Tomcat) with the correct settings.

For more information on setting up the server, read the following articles:

Note that HTTPS is a supported protocol on the client side only since XINS 1.3.0.