resin-security.xtp

RESIN 3.2 最新源码

<document>
<header>
  <product>resin</product>
  <title>Resin Security</title>
  <description>
  </description>
</header>

<body>

<localtoc/>

<s1 title="Quick Start">

<p>The following sample shows how to protect a section of a web-site
with a password, using a login form.</p>

<example title="WEB-INF/resin-web.xml - Simple Password Protection">
&lt;web-app xmlns="http://caucho.com/ns/resin">

  &lt;security-constraint url-pattern="/secure/*">
    &lt;auth-constraint role-name="*"/>

    &lt;login uri="form:login-page=/login.jsp"/>
  &lt;/security-constraint>

  &lt;authenticator uri="properties:password-digest=none">
     &lt;init>
       harry=quidditch,user
     &lt;/init>
  &lt;/authenticator>

&lt;/web-app>
</example>

<ul>
<li>&lt;security-constraint> protects a section of the web-app, i.e.
providing an authorization context.</li>
<li>&lt;url-pattern> matches the URLs to be protected</li>
<li>&lt;auth-constraint> protects the web-app through login (as opposed to
by IP address or by SSL)</li>
<li>&lt;login> specifies the login method</li>
<li>&lt;authenticator> defines the login users and passwords.
The "properties:" authenticator specifies a simple .properties file user definition.</li>
<li>password-digest=none disables the default MD5-digest for the
passwords.  Only recommended for examples.</li>
</ul>

</s1>

<s1 title="Management">

<p>Since all Resin users will want to protect
the <code>/resin-admin</code> pages with an administration password,
and protect any clustered management and deployment, Resin's top-level
&lt;management> tag includes a static, XML-based authentication context.
The authenticator is automatically shared for all hosts and web-apps, so
simple sites can even use this authenticator configuration for their
site-wide authentication.</p>

<example title="resin.xml">
&lt;resin xmlns="http://caucho.com/ns/resin">

  &lt;management">
     &lt;user name="admin" password="MD5HASH=="/>

     ...
  &lt;/management>

  ...

&lt;/resin>
</example>

<p>The password is a hash of the user name, password, and the "resin"
realm.  The <code>/resin-admin</code> page includes a form to easily generate
the MD5 hash.  You can also use the
<a href="http://caucho.com/resin-javadoc/com/caucho/server/security/PasswordDigest.html">PasswordDigest</a> class to generate the digest
programmatically.</p>

</s1>

<s1 title="Authentication">

<p>Resin provides a basic set of authenticators covering the most
common cases.  Applications which need custom authenticators can easily
write their own extensions, described below.</p>

<s2 title="properties: - properties authentication">

<example title="WEB-INF/resin-web.xml - inline properties">
&lt;web-app xmlns="http://caucho.com/ns/resin">

  &lt;authenticator uri="properties:password-digest=none">
     &lt;init>
       harry=quidditch,user,admin
       draco=mudblood,disabled,user
     &lt;/init>
  &lt;/authenticator>

&lt;/web-app>
</example>

<example title="WEB-INF/resin-web.xml - file property">
&lt;web-app xmlns="http://caucho.com/ns/resin">

  &lt;authenticator uri="properties:path=WEB-INF/users.properties"/>

&lt;/web-app>
</example>
<example title="WEB-INF/users.properties">
harry=MD5HASH==,user,admin
</example>

</s2>

<s2 title="xml: - xml authentication">

<example title="WEB-INF/resin-web.xml - inline xml">
&lt;web-app xmlns="http://caucho.com/ns/resin">

  &lt;authenticator uri="properties:password-digest=none">
     &lt;init>
       &lt;user name="harry" password="quidditch"/>
     &lt;/init>
  &lt;/authenticator>

&lt;/web-app>
</example>

<example title="WEB-INF/resin-web.xml - file xml">
&lt;web-app xmlns="http://caucho.com/ns/resin">

  &lt;authenticator uri="properties:path=WEB-INF/users.xml"/>

&lt;/web-app>
</example>

<example title="WEB-INF/users.xml">
&lt;users>
  &lt;user name="harry password="MD5HASH==" roles="user,admin"/>
&lt;users>
</example>

</s2>

<s2 title="custom authentication">

<example title="WEB-INF/resin-web.xml - custom">
&lt;web-app xmlns="http://caucho.com/ns/resin">

  &lt;authenticator class="com.foo.MyAuthenticator">
    &lt;init>
      &lt;foo>bar&lt;/foo>
    &lt;/init>
  &lt;/authenticator>

&lt;/web-app>
</example>

<example title="MyAuthenticator.java">
package com.foo;

import com.caucho.server.security;

public class MyAuthenticator extends AbstractPasswordAuthenticator {
  private PasswordUser _user;

  public MyAuthenticator()
  {
    _user = new PasswordUser("harry", "quidditch",
                             new String[] { "user" });
  }
192
  public PasswordUser getUser(String userName)
  {
    if (userName.equals(_user.getName()))
      return _user;
    else
      return null;
  }
}
</example>

<p>It's also possible to register your custom authenticatr with Resin's
uri-based configuration.  You'll add a file in the 
<code>META-INF/services/com.caucho.config.uri</code> named
<code>com.caucho.server.security.ServletAuthenticator</code> in the
.jar file with the following contents:</p>

<example title="com.caucho.server.security.ServletAuthenticator">
foo.my=com.foo.MyAuthenticator
</example>

</s2>

<s2 title="Quick Start">
<p>The easiest authenticator to understand is the 
<a href="#XmlAuthenticator">XmlAuthenticator</a>.
It lets you put users and passwords directly in the configuration
file.  The following example uses "Basic" authentication for login.
Basic authentication asks the browser to pop open a window prompting
for a username and password.  (Basic authentication is discouraged
because it is not secure unless you use it with SSL, but it's the
easiest example.)  The only user defined here is "Harry Potter" and
he has the password "quidditch".  He also plays the
"user" role.</p>

<example title="Using the XmlAuthenticator">
&lt;web-app xmlns="http://caucho.com/ns/resin"&gt;

  ...

  &lt;authenticator type="com.caucho.server.security.XmlAuthenticator"&gt;
    &lt;init&gt;
      &lt;user&gt;Harry Potter:quidditch:user&lt;/user&gt;
      &lt;password-digest&gt;none&lt;/password-digest&gt;
    &lt;/init&gt;
  &lt;/authenticator&gt;

  &lt;login-config auth-method="basic"/&gt;

  &lt;security-constraint url-pattern="/users-only/*" role-name="user"/&gt;

  ...

&lt;/web-app&gt;
</example>

<p>In the above example, the &lt;security-constraint&gt; checks
for authorization.  Only users playing the "user" role can access
the /users-only directory.</p>

<p>Another often used authenticator is the 
<a href="#JdbcAuthenticator">JdbcAuthenticator</a>, 
which uses usernames, passwords, and roles stored in a database.</p>

<example>
&lt;web-app xmlns="http://caucho.com/ns/resin"&gt;

  ...

  &lt;!-- Resin-specific JdbcAuthenticator --&gt;
  &lt;authenticator type='com.caucho.server.security.JdbcAuthenticator'&gt;
    &lt;init&gt;
      &lt;data-source&gt;test&lt;/data-source&gt;
      &lt;password-query&gt;
        SELECT password FROM LOGIN WHERE username=?
      &lt;/password-query&gt;
      &lt;cookie-auth-query&gt;
        SELECT username FROM LOGIN WHERE cookie=?
      &lt;/cookie-auth-query&gt;
      &lt;cookie-auth-update&gt;
        UPDATE LOGIN SET cookie=? WHERE username=?
      &lt;/cookie-auth-update&gt;
      &lt;role-query&gt;
        SELECT role FROM LOGIN WHERE username=?
      &lt;/role-query&gt;
    &lt;/init&gt;
  &lt;/authenticator&gt;

  &lt;login-config auth-method='basic'/&gt;

  &lt;security-constraint url-pattern='/users-only/*' role-name='user'/&gt;

  ...

&lt;/web-app&gt;
</example>

</s2>

<s2 title="login-config" type="defun">

<p>Configures the login class.  The <a href="webapp-tags.xtp#login-config">web.xml configuration</a> describes the
configuration in more detail.</p>

<p>The login can be customized by selecting the <code>com.caucho.server.security.AbstractLogin</code>.  The <var>type</var> attribute will select that
class. More sophisticated applications may want to add their own custom
AbstractLogin class to replace the predefined values.</p>

<p>Typically a custom login would only be necessary if the application
needed a custom way of extracting credentials from the request.</p>

</s2>

<s2 title="auth-method" type="defun">
<p>Selects the authentication method.</p>

<deftable title="auth-method values">
<tr><th>auth-method</th><th>Meaning
</th></tr><tr><td>basic</td><td>HTTP Basic authentication
</td></tr><tr><td>digest</td><td>HTTP Digest authentication
</td></tr><tr><td>form</td><td>Form-based authentication
</td></tr></deftable>

</s2>

<s2 title="form-login-config" type="defun">
<p>Configures authentication for forms.  The login form has
specific parameters that the servlet engine's login form processing
understands.  If the login succeeds, the user will see the original
page.  If it fails, she will see the error page.</p>

<deftable>
<tr><td>form-login-page</td><td>The page to be used to prompt the user login</td><td>none
</td></tr><tr><td>form-error-page</td><td>The error page for unsuccessful login</td><td>none
</td></tr><tr><td>internal-forward</td><td>Use an internal redirect on success or a sendRedirect</td><td>false
</td></tr><tr><td>form-uri-priority</td><td>If true, the form's j_uri will override a stored URI</td><td>false
</td></tr></deftable>

<p>The form itself must have the action <var>j_security_check</var>.  It
must also have the parameters <var>j_username</var> and <var>j_password</var>.
Optionally, it can also have <var>j_uri</var> and
<var>j_use_cookie_auth</var>.  <var>j_uri</var> gives the next page to display
when login succeeds.  <var>j_use_cookie_auth</var> allows Resin to send a
persistent cookie to the user to make following login easier.
</p>

<p><var>j_use_cookie_auth</var> gives control to the user whether to generate
a persistent cookie.  It lets you implement the "remember me" button.  By
default, the authentication only lasts for a single session.
</p>

<deftable title="j_security_check Parameters">
<tr><th>Parameter</th><th>Meaning)
</th></tr><tr><td>j_username</td><td>The user name
</td></tr><tr><td>j_password</td><td>The password
</td></tr><tr><td>j_uri</td><td>Resin extension for the successful display
page (Optional).
</td></tr><tr><td>j_use_cookie_auth</td><td>Resin extension to allow cookie
login (Optional).
</td></tr></deftable>

<p>The following is an example of a servlet-standard login page:</p>

<example>
&lt;form action='j_security_check' method='POST'&gt;
&lt;table&gt;
&lt;tr&gt;&lt;td&gt;User:&lt;td&gt;&lt;input name='j_username'&gt;
&lt;tr&gt;&lt;td&gt;Password:&lt;td&gt;&lt;input name='j_password'&gt;
&lt;tr&gt;&lt;td colspan=2&gt;hint: the password is 'quidditch'
&lt;tr&gt;&lt;td&gt;&lt;input type=submit&gt;
&lt;/table&gt;
&lt;/form&gt;
</example>

</s2>

<s2 title="authenticator" version="Resin 1.1" type="defun">
<p>Specifies a class to authenticate users.  This Resin-specific
option lets you control your authentication.  You can either create your 
own custom authenticator, or use Resin's JdbcAuthenticator.</p>

<p>The authenticator is responsible for taking the username and
password and returning a UserPrincipal if the username and password match.
</p>

<p>Users wanting to implement an authenticator should look at the JavaDoc
for <a href="javadoc|com.caucho.server.security.ServletAuthenticator|"/>
and <a href="javadoc|com.caucho.server.security.AbstractAuthenticator|"/>.
To protect your application from API changes, you should extend
AbstractAuthenticator rather than implementing Authenticator directly.
</p>
</s2>

<s2 title="XmlAuthenticator" version="Resin 2.0.4">
<p>The XmlAuthenticator (com.caucho.serer.security.XmlAuthenticator),
stores the authentication in either an xml file or in the configuration
itself.</p>

<p>When configuring the XmlAuthenticator in the resin.xml
(or web.xml), each <var>user</var> adds a new configured
user.  The value contains the username, password, and the
roles the user plays.</p>

<example title="XmlAuthenticator in resin.xml">
&lt;authenticator type="com.caucho.server.security.XmlAuthenticator"&gt;
  &lt;init&gt;
    &lt;user&gt;Harry Potter:quidditch:user,gryffindor&lt;/user&gt;