How to password-protect pages with HTTP basic

Latest revision as of 17:37, 15 January 2009

(Note, this applies to Resin 4.0)

If I want to protect a section of a website for administration purposes, I need to configure three things:

1. An Authenticator to specify users, passwords, and groups
2. A Login method to log in users via the browser
3. An Allow or Deny block to specify authorization requirements, i.e. who can see my pages.

I use an XmlAuthenticator when I have a small list of users and don't want the hassle of configuring a database.

I use <BasicLogin> for quick testing or internal websites. For anything more complicated, I would use a <FormLogin>.

<Allow> specifies the URLs to be protected and the authorization requirements. In this case, I'm just allowing users in the "admin" group.

<web-app xmlns="http://caucho.com/ns/resin"
          xmlns:sec="urn:java:com.caucho.security">

  <sec:XmlAuthenticator password-digest="none">
     <sec:user name="harry" password="quidditch" group="admin"/>
  </sec:XmlAuthenticator>

  <sec:BasicLogin/>

  <sec:Allow url-pattern="/protected/*">
    <sec:IfRole name="admin"/>
  </sec:Allow>
</web-app>

This simple example can be improved easily.

1. If I want to protect the passwords, I'd save the passwords as a MD5 hash and remove the password-digest="none". (This is always a good idea, but makes examples harder to read. You should always use a digest in your own configuration.)
2. If I want to manage the users in a database, I'd use <DatabaseAuthenticator>
3. If I want a nicer login method, I'd use <FormLogin> and design my own pages
4. If I want a more sophisticated permissions and group mapping, I'd add a <RoleMap>.