<document>
<header>
<product>resin</product>
<version>Resin 3.0</version>
<type>tutorial</type>
<title>Basic Security and Resin's XmlAuthenticator</title>
<description><p>This tutorial covers the basics of JSP and Servlet security and the use of Resin's XmlAuthenticator.</p></description>
<tutorial-startpage>index.jsp</tutorial-startpage>
<keywords>
<keyword>XmlAuthenticator</keyword>
<keyword>com.caucho.http.security.XmlAuthenticator</keyword>
<keyword>authenticator</keyword>
<keyword>security</keyword>
<keyword>basic</keyword>
</keywords>
</header>
<body>
<summary/>

<s1 title="Files in this example">
<deftable>
<tr><th>File</th><th>Description</th></tr>
<tr><td><viewfile-link file="WEB-INF/web.xml"/></td><td>The main JSP/Servlet configuration file</td></tr>
<tr><td><viewfile-link file="index.jsp"/></td><td>The home page for the website</td></tr>
<tr><td><viewfile-link file="login.jsp"/></td><td>The JSP page containing the login form</td></tr>
<tr><td><viewfile-link file="logout.jsp"/></td><td>A JSP page that causes a logout</td></tr>
<tr><td><viewfile-link file="home.jsp"/></td><td>The home page for authenticated users</td></tr>
<tr><td><viewfile-link file="professors/index.jsp"/></td><td>The more specific home page for professors, available only to users in role 'professor'</td></tr>
<tr><td><viewfile-link file="students/index.jsp"/></td><td>The more specific home page for students, available to users in role 'student' or in role 'professor'</td></tr>
<tr><td><viewfile-link file="staff/index.jsp"/></td><td>The more specific home page for staff, available to users in role 'staff' or in role 'professor'</td></tr>
<tr><td><viewfile-link file="inc/buttonbar.jspf"/></td><td>An include file to render a button bar</td></tr>
<tr><td><viewfile-link file="inc/footer.jspf"/></td><td>An include file to render a footer</td></tr>
<tr><td><viewfile-link file="inc/nobrowsercache.jspf"/></td><td>An include file to stop the browser from caching pages</td></tr>
</deftable>
</s1>

<s1 title="Specifying roles">
<p>Each user belongs to one or more <var>roles</var>. These roles are similar to groups in Unix. The possible roles are specified in <code>web.xml</code>.</p>
<p>In this example, a user is either a <var>professor</var>, a <var>student</var>, or <var>staff</var>. They can also optionally have an additional role of <var>gryffindor</var>, <var>slytherin</var>, <var>hufflepuf</var>, or <var>ravenclaw</var>, indicating which house they belong to (or none at all).</p>
<example>
<security-role>
  <role-name>professor</role-name>
</security-role>
</example>
</s1>

<s1 title="Specifying secure areas">
<p>You can limit areas of the website to users in a certain <var>role</var>. You specify URL patterns in <code>web.xml</code> and the role that is required. In JSP/Servlet terminology, this is called <var>Declarative Security</var>.</p>
<example title="Declarative Security in web.xml">
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Professors</web-resource-name>
    <url-pattern>/professors/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>professor</role-name>
  </auth-constraint>
</security-constraint>
</example>
</s1>

<s1 title="Making a login form">
<p>A login form can be used to retrieve the username and password from the user. The same form or a separate form can be used when the login fails.</p>
<p>In this example the login form and the error form are in the same JSP file. If the form is being redisplayed because of an error, the <code>login_error</code> request parameter is set to '1'.</p>
<example title="login-config: Getting Resin to use the login form">
<login-config>
  <auth-method>form</auth-method>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/login.jsp?login_error=1</form-error-page>
  </form-login-config>
  ...
</login-config>
</example>
<example title="An example login form">
<form action='j_security_check' method='POST'>
  <table>
    <tr><td>User:</td><td><input type='text' name='j_username'></td></tr>
    <tr><td>Password:</td><td><input type='password' name='j_password'></td></tr>
    <tr><td colspan='2'><input type=submit></td></tr>
  </table>
  <!--
    - In case the user got here without a session, redirect
    - successful requests to the home page for authenticated
    - users. (This is a non-standard, but useful field.)
  -->
  <input type='hidden' name='j_uri' value='/home.jsp'/>
</form>
</example>
</s1>

<s1 title="Causing a login to occur">
<p>Resin causes a login to occur when a URL that points to a secure area is requested. Do not link directly to the JSP page that contains the login form.</p>
<p>In this example, <code>home.jsp</code> is in a secure area, so an unauthenticated user trying to access it will first be presented with the login form.</p>
<example title="Accessing a jsp in a secure area causes the login to occur">
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Home</web-resource-name>
    <url-pattern>/home.jsp</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <!--
      '*' for a <role-name> means "authenticated user with any role".
      The user must be logged in with some kind of role to access the home page.
    -->
    <role-name>*</role-name>
  </auth-constraint>
</security-constraint>
</example>
<example title="Making a link to cause a login">
<a href="<c:url value='/home.jsp'/>">login</a>
</example>
</s1>

<s1 title="Determining if the user is authenticated">
<p>If the user has done a successful login, we say that they have been <var>authenticated</var>. <code>request.getUserPrincipal()</code> returns <code>null</code> if the user has not been authenticated.</p>
<p>In this example it is used to determine whether a 'login' or a 'logout' link should be presented.</p>
<example title="Determining if the user is authenticated">
<c:choose>
  <c:when test="${empty pageContext.request.userPrincipal}">
    <a href="<c:url value='home.jsp'/>">login</a>
  </c:when>
  <c:otherwise>
    <a href="<c:url value='logout.jsp'/>">logout</a>
  </c:otherwise>
</c:choose>
</example>
</s1>

<s1 title="Getting the current username">
<example title="Getting the current username">
Welcome <c:out value="${pageContext.request.remoteUser}"/>.
</example>
</s1>

<s1 title="Doing different things for different roles">
<p>You can also determine if a user is in a certain role in the body of the page using <code>request.isUserInRole("role")</code>. In JSP/Servlet terminology, this is called <var>Programmatic Security</var>.</p>
<p>In this example, <code>home.jsp</code> redirects the user to a more specific home page if the user is a <var>professor</var>, <var>student</var>, or <var>staff</var>.</p>
<example title="Programmatic Security using Java code">
<%
  /** redirect to a more specific homepage if one is available */
  String home_url = null;

  if (request.isUserInRole("professor")) {
    home_url = "professors/";
  } else if (request.isUserInRole("staff")) {
    home_url = "staff/";
  } else if (request.isUserInRole("student")) {
    home_url = "students/";
  }

  if (home_url != null) {
    home_url = response.encodeRedirectUrl(home_url);
    response.sendRedirect(home_url);
    return; // don't do any more of the page
  }
%>
</example>
</s1>

<s1 title="Stop the browser from caching pages">
<p>Pages with information that changes depending on whether or not there is a known user should not be cached by the browser.</p>
<p>In this example an include file <code>inc/nobrowsercache.jspf</code> is used to send the HTTP headers that stop the browser from caching the page. It is used for each page that shows the button bar at the top, because the button bar changes depending on whether or not the user is logged in.</p>
<example title="Java code to stop the browser from caching the page">
<%-- stop the browser from caching the page --%>
<%
  response.setHeader("Cache-Control", "no-cache,post-check=0,pre-check=0");
  response.setHeader("Pragma", "no-cache");
  response.setHeader("Expires", "Thu, 01 Dec 1994 16:00:00 GMT");
%>
</example>
<example title="Using inc/nobrowsercache.jspf">
<%@ include file="/inc/nobrowsercache.jspf" %>
</example>
</s1>

<s1 title="Causing a logout">
<p>A user can be logged out by invalidating the session. This causes all of the information stored in the session to be lost. It is especially important to make sure that the logout page is not cached by the browser.</p>
<example title="Causing a logout with session.invalidate()">
<%@ include file="/inc/nobrowsercache.jspf" %>
<%-- invalidating the session causes a loss of all session information,
     including the identity of the user --%>
<% session.invalidate(); %>
</example>
</s1>

<s1 title="Using XmlAuthenticator">
<p>Resin provides an authenticator <a href="javadoc|com.caucho.http.security.XmlAuthenticator|"/> which is useful for sites with minimal security requirements. The developer places entries for users in the authenticator configuration, or in an XML file, or both.</p>
<p>The example below uses digest passwords. Digest passwords avoid storing passwords in cleartext, and are discussed under the security section of the Resin documentation.</p>
<example title="Specifying the XmlAuthenticator as the authenticator to use">
<web-app xmlns="http://caucho.com/ns/resin">
  <!-- Resin-specific XmlAuthenticator configuration -->
  <authenticator uri="xml:">
    <init>
      <!-- Optionally put user information here. -->
      <user>pince:Txpd1jQc/xwhISIqodEjfw==:staff,website</user>
      <user>filch:KmZIq2RKXAHV4BaoNHfupQ==:staff</user>

      <!-- You can also use an external file -->
      <path>WEB-INF/password.xml</path>
    </init>
  </authenticator>
</web-app>
</example>
<example title="An XML file with usernames, passwords, and roles">
<!-- password.xml -->
<authenticator>
  <!-- professors -->
  <user name='snape' password='I7HdZr7CTM6hZLlSd2o+CA==' roles='professor,slytherin'/>
  <user name='mcgonagall' password='4slsTREVeTo0sv5hGkZWag==' roles='professor,gryffindor'/>

  <!-- students -->
  <user name='harry' password='uTOZTGaB6pooMDvqvl2Lbg==' roles='student,gryffindor'/>
  <user name='dmalfoy' password='yI2uN1l97Rv5E6mdRnDFwQ==' roles='student,slytherin'/>

  <!-- alumni -->
  <user name='lmalfoy' password='sj/yhtU1h4LZPw7/Uy9IVA==' roles='alumni,gryffindor'/>
</authenticator>
</example>
</s1>
</body>
</document>
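As an added example (not part of the Resin tutorial or of Resin itself), the following Python script models the authorization decisions that the tutorial's declarative security expresses: it loads user roles from a constructed password.xml in the XmlAuthenticator file format (digest values are placeholders), applies servlet url-pattern matching, and reports whether a request is allowed, must log in first, or is forbidden. The constraint table, the sample users and the helper names are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed: the tutorial's web.xml security-constraints as (url-pattern, required roles).
# '*' as a role-name means "any authenticated user", as in the tutorial's home.jsp constraint.
CONSTRAINTS = [
    ("/professors/*", {"professor"}),
    ("/students/*", {"student", "professor"}),
    ("/staff/*", {"staff", "professor"}),
    ("/home.jsp", {"*"}),
]

# Constructed sample in the shape of the tutorial's password.xml; digests are placeholders.
PASSWORD_XML = """<authenticator>
  <user name='snape' password='DIGEST-PLACEHOLDER' roles='professor,slytherin'/>
  <user name='harry' password='DIGEST-PLACEHOLDER' roles='student,gryffindor'/>
  <user name='filch' password='DIGEST-PLACEHOLDER' roles='staff'/>
</authenticator>"""

def load_roles(xml_text):
    """Map user name -> set of roles from an XmlAuthenticator-style file (assumed helper)."""
    root = ET.fromstring(xml_text)
    return {u.get("name"): set(filter(None, u.get("roles", "").split(",")))
            for u in root.iter("user")}

def pattern_matches(pattern, path):
    """Servlet url-pattern matching: exact match, path prefix '/dir/*', or extension '*.ext'.
    The prefix form only matches on a '/' boundary, so '/professors/*' does not cover '/professorsX/'."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern

def allowed(path, user_roles):
    """user_roles is None for an unauthenticated request, otherwise the user's role set.
    Returns 'allow', 'login' (Resin would show the form-login page) or 'forbidden' (wrong role)."""
    required = set()
    for pattern, roles in CONSTRAINTS:
        if pattern_matches(pattern, path):
            required |= roles          # all matching constraints apply; roles are unioned
    if not required:
        return "allow"                 # no constraint covers this path
    if user_roles is None:
        return "login"
    if "*" in required or required & user_roles:
        return "allow"
    return "forbidden"
```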