The NullEsm ESM module has no actual External Security Manager. It makes security decisions internally, based on its configuration. By default it does nothing. It is intended primarily for testing, though it may be useful to configure a handful of exceptions for special purposes.
The NullEsm ESM module supports some optional settings in its configuration text area:
If setting is "y" or "yes" (case-insensitive), settings in the [Auth] section are treated as regular expressions rather than literal names.
If setting is "y" or "yes" (case-insensitive), write various messages to the console log about security decisions.
For a Verify (user sign-on) request, if the userid matches user, then set the result based on action.
The action can be:
If the userid is not found in the [Verify] section, or the action is not recognized, the behavior is the same as for unknown.
When an Auth (resource access check) request is received, NullEsm concatenates the resource class and entity names with a slash separator and looks for a matching entry in the [Auth] section. If the Regex setting (see above) is enabled, it treats the entries as regular expressions rather than looking for a literal match. If it finds a matching entry, it sets the result based on action:
Allow this access attempt.
Deny this access attempt.
Log a message to the console about this access attempt. (The Regex mode is particularly useful if trace is used, as it makes it possible to have both an allow/deny entry and a trace entry for a given resource.)