Authentication Configuration

    <http-server>
      <!-- Resin DBPool for the JdbcAuthenticator -->
      <resource-ref>
        <res-ref-name>jdbc/auth</res-ref-name>
        <res-type>javax.sql.DataSource</res-type>
        <init-param driver-name="org.gjt.mm.mysql.Driver"/>
        <init-param url="jdbc:mysql://localhost:3306/test"/>
      </resource-ref>

      <login-config auth-method='form'>
        <form-login-config>
          <form-login-page>/login.html</form-login-page>
          <form-error-page>/error.html</form-error-page>
        </form-login-config>

        <!-- Resin-specific JdbcAuthenticator -->
        <authenticator id='com.caucho.http.security.JdbcAuthenticator'>
          <password-query>
            SELECT password FROM LOGIN WHERE username=?
          </password-query>
        </authenticator>
      </login-config>
    </http-server>

login-config

Selects the authentication method.

    basic   HTTP Basic authentication
    form    Form-based authentication

form-login-config

Configures authentication for forms. The login form has specific parameters that the servlet engine's login form processing understands. If the login succeeds, the user sees the original page. If it fails, she sees the error page.

    form-login-page     The page used to prompt the user for login                      default: none
    form-error-page     The error page for an unsuccessful login                        default: none
    internal-forward    If true, use an internal redirect on success; otherwise use a sendRedirect   default: false
    form-uri-priority   If true, the form's j_uri overrides a stored URI                default: false

The form itself must have the action j_security_check. It must also have the parameters j_username and j_password. Optionally, it can also have j_uri and j_use_cookie_auth. j_uri gives the next page to display when login succeeds. j_use_cookie_auth allows Resin to send a persistent cookie to the user to make subsequent logins easier; it gives control to the user over whether to generate a persistent cookie, which lets you implement a "remember me" button. By default, the authentication only lasts for a single session.

    j_security_check    The form's mandatory action
    j_username          The user name
    j_password          The password
    j_uri               Optional Resin extension: the page to display on successful login
    j_use_cookie_auth   Optional Resin extension to allow cookie login

The following is an example of a servlet-standard login page:

    <form action='j_security_check' method='POST'>
      <table>
        <tr><td>User:<td><input name='j_username'>
        <tr><td>Password:<td><input type='password' name='j_password'>
        <tr><td colspan=2>hint: the password is 'quidditch'
        <tr><td><input type=submit>
      </table>
    </form>

authenticator

Specifies a class to authenticate users. This Resin-specific option lets you control your authentication. You can either create your own custom authenticator or use Resin's JdbcAuthenticator.

The authenticator is responsible for taking the username and password and returning a UserPrincipal if the username and password match. Users wanting to implement an authenticator should look at the JavaDoc for ServletAuthenticator and AbstractAuthenticator. To protect your application from API changes, you should extend AbstractAuthenticator rather than implementing Authenticator directly.

The JdbcAuthenticator (com.caucho.http.security.JdbcAuthenticator) asks a backend database for the password matching the user's name. It uses the DataSource specified by the pool-name option, or a JNDI-bound DataSource by default (the first example above binds one as jdbc/auth). pool-name refers to a DataSource configured with resource-ref.

The following are the attributes for the JdbcAuthenticator:

    pool-name           The database pool. Looks in the application attributes first, then in the global database pools.
    password-query      A SQL query to get the user's password. The default query is given below.
    cookie-auth-query   A SQL query to authenticate the user by a persistent cookie.
    cookie-auth-update  A SQL update to match a persistent cookie to a user.
    role-query          A SQL query to determine the user's role. By default, all users are in role "user", but no others.
    password-digest     Specifies the digest algorithm and format (Resin 2.0.4).

    <!-- Resin-specific JdbcAuthenticator -->
    <authenticator id='com.caucho.http.security.JdbcAuthenticator'>
      <pool-name>test</pool-name>
      <password-query>
        SELECT password FROM LOGIN WHERE username=?
      </password-query>
      <cookie-auth-query>
        SELECT username FROM LOGIN WHERE cookie=?
      </cookie-auth-query>
      <cookie-auth-update>
        UPDATE LOGIN SET cookie=? WHERE username=?
      </cookie-auth-update>
      <role-query>
        SELECT role FROM LOGIN WHERE username=?
      </role-query>
    </authenticator>

password-digest

Resin 2.0.4 adds the capability to store the digest of a password instead of the password itself. By using the password digest, the application can avoid storing the password in a form that someone can read. Setting password-digest on any authenticator extending AbstractAuthenticator will create a digest of the password.

The password-digest has two parts: the digest algorithm and the encoding format. "MD5-base64" is a typical digest format. The authenticator creates a digest of the username and password together; since that digest is a byte array, it is then converted to a string:

    MD5(username:password)

    <authenticator>
      <class-name>com.caucho.http.security.XmlAuthenticator</class-name>
      <init-param password-digest='MD5-base64'/>
      <init-param user='harry:Syvian7bcPDKI261QvH9Cw:user'/>
    </authenticator>

Of course, storing the digested password takes a bit more work. When the user registers, the application needs to compute the digest in order to store it. You can use the PasswordDigest class to do that:

    import com.caucho.http.security.PasswordDigest;

    ...

    // Digest "harry:quidditch" with MD5 and encode the result as base64,
    // the same format the authenticator uses when it checks a login.
    PasswordDigest digest = new PasswordDigest();
    digest.setAlgorithm("MD5");
    digest.setFormat("base64");

    String password = digest.getDigestPassword("harry", "quidditch");

security-constraint

Selects protected areas of the web site. Sites using authentication as an optional personalization feature will typically not use any security constraints. Security constraints can also be custom classes.

    <security-constraint>
      <web-resource-collection>
        <url-pattern>/*</url-pattern>
      </web-resource-collection>
      <auth-constraint role-name='user'/>
    </security-constraint>

security-constraint/web-resource-collection

Specifies a collection of areas of the web site.

    url-pattern   URL patterns describing the resource
    method        HTTP methods to be restricted

security-constraint/auth-constraint

Requires that authenticated users fill the specified role. In Resin's JdbcAuthenticator, normal users are in the "user" role. Think of a role as a group of users.

    role-name     Roles which are allowed to access the resource

security-constraint/user-data-constraint

Restricts access to secure transports, i.e. SSL.

    transport-guarantee   Required transport properties. NONE, INTEGRAL, and CONFIDENTIAL are allowed values.
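The following is an added example, not Resin's own code, that walks through what the JdbcAuthenticator, the password-digest setting and the auth-constraint above do together: it builds a constructed LOGIN table holding only the MD5-base64 digest of username:password, runs the page's password-query and role-query as parameterized statements, and checks a login against the stored digest. The exact byte encoding Resin's PasswordDigest uses (character set, base64 padding) is an assumption; the user/password pair and the queries come from the page.

```python
import base64
import hashlib
import hmac
import sqlite3

# Queries copied from the page's JdbcAuthenticator configuration; the '?'
# placeholders are bound by the driver, so a username is never spliced into SQL.
PASSWORD_QUERY = "SELECT password FROM LOGIN WHERE username=?"
ROLE_QUERY = "SELECT role FROM LOGIN WHERE username=?"


def digest_password(username: str, password: str, algorithm: str = "md5") -> str:
    """Digest 'username:password' and base64-encode it, as the page describes.
    Assumption: UTF-8 bytes and base64 without '=' padding (Resin's exact
    encoding may differ). Folding the username in makes equal passwords of
    different users digest differently, but it is not a random salt."""
    h = hashlib.new(algorithm)
    h.update(f"{username}:{password}".encode("utf-8"))
    return base64.b64encode(h.digest()).decode("ascii").rstrip("=")


def build_login_table() -> sqlite3.Connection:
    """Constructed sample LOGIN table with the columns the page's queries use."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE LOGIN (username TEXT PRIMARY KEY, "
                 "password TEXT, cookie TEXT, role TEXT)")
    # Store the digest, never the cleartext (the page's harry / quidditch example).
    conn.execute("INSERT INTO LOGIN (username, password, role) VALUES (?, ?, ?)",
                 ("harry", digest_password("harry", "quidditch"), "user"))
    return conn


def authenticate(conn: sqlite3.Connection, username: str, password: str):
    """Return the principal name on success, None otherwise (mirrors password-query)."""
    row = conn.execute(PASSWORD_QUERY, (username,)).fetchone()
    if row is None:
        return None
    # Constant-time comparison of the stored digest with the freshly computed one.
    if not hmac.compare_digest(row[0], digest_password(username, password)):
        return None
    return username


def roles(conn: sqlite3.Connection, username: str) -> set:
    """Roles granted to the user (mirrors role-query)."""
    return {r[0] for r in conn.execute(ROLE_QUERY, (username,))}


def is_authorized(conn, username, password, required_role="user") -> bool:
    """auth-constraint check: authenticated and holding the required role."""
    principal = authenticate(conn, username, password)
    return principal is not None and required_role in roles(conn, principal)
```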