Web Access

STAR web organization at BNL

  • The STAR home page URL is http://www.star.bnl.gov/ . All pages in the root directory are strictly reserved to the webmaster. User content lives in the sub-trees explained below.
  • http://www.star.bnl.gov/STAR/ will (since 2007) redirect you into the Drupal Content Management System (CMS) for STAR. This page is in STAR's Drupal CMS and the base URL should appear as http://drupal.star.bnl.gov/STAR/. Note that both www.star and drupal.star are equivalent for the path STAR/.
    • The Drupal attachments menu is not visible to the public (however, a document may be accessible to those having the direct link)
    • Comments added to the Drupal site are not visible to non-authenticated users
  • URLs of the form http://www.star.bnl.gov/public/* or http://www.star.bnl.gov/protected/* map respectively to the physical locations
    • /afs/rhic.bnl.gov/star/doc_public/www/*
    • /afs/rhic.bnl.gov/star/doc_protected/www/*
    Those areas are reserved for PWG related documents and information. The space is limited, so do not use it as an archival space.
  • The STAR computing home page URL is http://drupal.star.bnl.gov/STAR/comp/
  • ANY path containing the word "protected" will cause the Web server to ask for the protected password. ATTENTION: the word appearing as a parameter of a CGI does NOT trigger the password requirement
    • See for example https://www.star.bnl.gov/~jeromel/test/protected/

  • When writing HTML, relative URLs (i.e. without http://hostname) of the form 'comp/xxx/yyy.html' (computing web) or 'public/comp/xxx/yyy.html' (general web) should be used so that mirroring of the web on other servers will work.
    • Example of URL and location for a typical web directory, SOFI:
      URL: http://www.star.bnl.gov/public/comp/train/
      Physical location: /afs/rhic.bnl.gov/star/doc_public/www/comp/train/
  • ACLs control access to AFS web areas. If you need (or think you might ever need) write access to a web area, just ask. See ACL info link below.
  • There are STAR logos and other images in the images directory.

Personal Webpages and CGI access

Each STAR user should have a personal web area on the RHIC/STAR cluster, starting from the physical location and directory /afs/rhic.bnl.gov/star/users/$YOURUSERNAME/WWW . From 2007 onward, you should NOT have administrative ACLs on this area. However, the area MUST have the following ACLs set for the Web server account to be able to access your files:

  • The top directory /afs/rhic.bnl.gov/star/users/$YOURUSERNAME should have "rl" ACL for starweb
  • The Web startup directory /afs/rhic.bnl.gov/star/users/$YOURUSERNAME/WWW should also have the "rl" ACL for starweb
  • Nothing else is needed
  • Note that the rule about paths containing the word "protected" also applies to private areas

Important Note / precision

  • /afs/rhic.bnl.gov/star/users/$YOURUSERNAME/WWW should itself be readable by the starweb account, as shown in the previous bullet.
  • The starweb account is NOT part of the "STAR" group. An explicit "rl" ACL needs to be set as instructed.
  • ATTENTION: Although you should no longer have privileges to do so, you should NEVER set or reset the starweb account ACLs to values different
    than "rl" as instructed.
    Setting / resetting the ACL for the special account system:anyuser has DIRE consequences and will be considered PROHIBITED.
    You should especially NEVER grant write access to those accounts on ANY area without prior notice and explicit approval.

Your personal pages will be accessible as http://www.star.bnl.gov/~yourusername/. If not, please send a note to the starsofi Hypernews confirming and specifying that you have followed the instructions above. In some instances, old ACLs get cached on the Web server side and your page may not be displayable before a service restart (AFS) is issued. For more information on setting ACLs in AFS, please consult the Guide to AFS and ACLs page.
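
Before posting to Hypernews, the ACL rules above can be checked mechanically. The script below is an added example, not STAR-provided code: it reads the text printed by the OpenAFS command `fs listacl` and reports any entry that departs from the starweb "rl" rule. The function name and the sample ACL listings are constructed for illustration.

```shell
#!/bin/sh
# Added example (not STAR code): audit `fs listacl` output against the rule
# that starweb holds exactly "rl" and system:anyuser holds no write rights.
# On an AFS client: fs listacl /afs/rhic.bnl.gov/star/users/$USER/WWW | audit_web_acl

# Reads `fs listacl` text on stdin and prints one FAIL line per finding.
# No output means the ACL matches the rule. Always returns 0.
audit_web_acl() {
    awk '
        /^Normal rights:/   { section = "normal";   next }
        /^Negative rights:/ { section = "negative"; next }
        NF != 2 { next }                  # "Access list for ..." or blank line
        section == "negative" && $1 == "starweb" {
            print "FAIL starweb is under Negative rights (" $2 "): access is removed"
            next
        }
        section == "normal" && $1 == "starweb" {
            seen = 1
            if ($2 != "rl")
                print "FAIL starweb has \"" $2 "\", expected exactly \"rl\""
        }
        # i, d, w, k, a are the AFS rights that permit changes.
        section == "normal" && $1 == "system:anyuser" && $2 ~ /[idwka]/ {
            print "FAIL system:anyuser holds write-type rights: " $2
        }
        END { if (!seen) print "FAIL no starweb entry under Normal rights" }
    '
}

# Constructed sample: a compliant WWW directory.
sample_good() {
    cat <<'EOF'
Access list for /afs/rhic.bnl.gov/star/users/YOURUSERNAME/WWW is
Normal rights:
  system:administrators rlidwka
  starweb rl
EOF
}

# Constructed sample: starweb and system:anyuser both over-privileged.
sample_bad() {
    cat <<'EOF'
Access list for /afs/rhic.bnl.gov/star/users/YOURUSERNAME/WWW is
Normal rights:
  system:anyuser rlw
  starweb rlidwk
EOF
}

echo "good:"; sample_good | audit_web_acl
echo "bad:";  sample_bad  | audit_web_acl
```

Run it against both the top directory and the WWW directory, since both need the "rl" entry for starweb.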

Running CGIs

CGIs run on the STAR Web servers must follow the guidance and regulations below:

  • By default, all CGIs will (and MUST) be access-protected using the "protected" password or another (stronger) method of authentication.
  • Any deviation and need for public access requires a review of the CGI by experts.
    • The de-facto assumption will always be that CGIs must be protected - if a review cannot happen, the default assumption will be in effect.
    • CGIs with read-only access and of general (outside STAR) interest are candidates for an exemption.
    • CGIs having write access to files or a database (hence subject to injection attacks) require special attention. You should always consider the question "can I write this CGI differently?". For example:
      • pre-generation of results (write) from a different account than starweb could be used as an example of privilege separation.
      • two-stage (two accounts) database access could be used to separate writing from reading
      • ...
    • After a review, a frozen version of the CGI will be put in place
    • The area or database the CGI writes to should be documented.
    • File access: ANY area in AFS that has a write access ACL for starweb but is undocumented will see the ACLs removed (for both starweb and the administrator of the area) without prior notice.
  • STAR provides standard CGIs for general use
    • Use them
    • Do NOT make and use private copies - send your changes and improvements to the developers if needed
  • Virtually hosted sites should comply with the guidance and rules described herein.

More information

More information is available below provided you are authenticated.