The default user manager is configured via the file hermesftp-users.xml. This XML file contains the information about all ftp user groups, their resource consumption limits and permissions granted on data folders. It contains also a list of all users known to the system.
Users of the same group share similar permissions and resource consumption limits.
Each resource consumption limit has a name and a corresponding value (see code snippet). Currently, there are four limits supported:
Each group contains a list of privileges granted on ftp data folders. You may use ANT style file patterns to specify the folder(s) that underdo the security constraints. More information about these patterns is available here. There are two placeholders that may be used in path names: ${ftproot} points to the ftp root folder. It corresponds to the option ftp.root.dir in the application context file hermesftp-ctx.xml. The expression ${user} is replaced by the user name. A permission level is assigned to each of the path patterns:
<groups> <group name="users" > <limits> <limit name="Bytes downloaded" value="1000000"/> <limit name="Bytes uploaded" value="1000000"/> <limit name="Files downloaded" value="100"/> <limit name="Files uploaded" value="100"/> <limit name="Download rate" value="-1"/> <limit name="Upload rate" value="-1"/> </limits> <permissions> <permission flag="rw" path="${ftproot}/${user}/**"/> <permission flag="rw" path="${ftproot}/${user}"/> <permission flag="r" path="${ftproot}"/> </permissions> </group> ... </groups>
For sake of security you should configure at least two groups: Users (with restricted data access permissions) and administrators (with full access permissions).
Only users that are known to the application are granted access to data folders. A user is configured along with his/her login name, fullname, and password. Each of the users may be a member of several groups.
The user's password can be configured in plain text or as hashcode calculated by an supported hash algorithm (e.g. MD5). The name of the algorithm is prepended to a BASE64 encoded string, e.g. "{MD5}Cwz8B/yoHJVquRgdhXb0qA==". If the password does not start with a curly brace, it is handled as plain text. Since Hermes FTP servers comes without GUI, the password hash is generated from the command line as follows:
java -jar hermesftp-<version>.jar -password <secretpassword> <algorithm>
c:\develop>java -jar hermesftp-0.2.jar -password sec MD5 Hash: {MD5}dEWco8+FqB35Dalf9ueiBw== c:\develop>
The following code snippet demonstrates a typical user configuration:
<users default-dir="${ftproot}/${user}"> <user uid="user" fullname="Test User" password="user"> <group-ref name="users"/> </user> <user uid="admin" fullname="Administrator" adminrole="true" password="{MD5}dEWco8+FqB35Dalf9ueiBw=="> <group-ref name="users"/> <group-ref name="administrators"/> </user> </users>
You may omit the password to enable anonymous login. Anonymous users must provide an email address as password.