How to password-protect pages with HTTP basic
From Resin 3.0
Latest revision as of 17:37, 15 January 2009
(Note, this applies to Resin 4.0)
If I want to protect a section of a website for administration purposes, I need to configure three things:
- An Authenticator to specify users, passwords, and groups
- A Login method to log in users via the browser
- An Allow or Deny block to specify authorization requirements, i.e. who can see my pages.
I use an XmlAuthenticator when I have a small list of users and don't want the hassle of configuring a database.
I use <BasicLogin> for quick testing or internal websites. Keep in mind that HTTP basic sends the username and password base64-encoded (not encrypted) in the Authorization header of every request, so it only protects anything when the site is served over HTTPS. For anything more complicated, I would use a <FormLogin>.
<Allow> specifies the URLs to be protected and the authorization requirements. In this case, I'm just allowing users in the "admin" group: a request to /protected/* from an unauthenticated browser gets a 401 challenge, and a request from a valid user who is not in "admin" is refused.
<web-app xmlns="http://caucho.com/ns/resin"
         xmlns:sec="urn:java:com.caucho.security">

  <sec:XmlAuthenticator password-digest="none">
    <sec:user name="harry" password="quidditch" group="admin"/>
  </sec:XmlAuthenticator>

  <sec:BasicLogin/>

  <sec:Allow url-pattern="/protected/*">
    <sec:IfRole name="admin"/>
  </sec:Allow>

</web-app>
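To make the three pieces above concrete, here is an added Python model of what the configuration means at request time. It is not Resin code and not from the original page; it simply re-implements the same policy (one user "harry" in group "admin", HTTP basic login, /protected/* restricted to the "admin" role) so the authentication step and the authorization step can be seen separately. The user store, the second user "ron", the realm name "resin" and the md5-base64 digest of "user:realm:password" are assumptions made for the example, not facts taken from the page.

```python
import base64
import hashlib
import hmac
from typing import Optional, Set, Tuple

# Assumption for this example: passwords are stored as a base64-encoded MD5 of
# "user:realm:password" with realm "resin", i.e. never as plaintext.
REALM = "resin"


def password_digest(user: str, password: str, realm: str = REALM) -> str:
    """Digest a password the way this example stores it (assumed format)."""
    raw = f"{user}:{realm}:{password}".encode("utf-8")
    return base64.b64encode(hashlib.md5(raw).digest()).decode("ascii")


# Constructed user store mirroring <sec:XmlAuthenticator>: harry is in "admin".
# "ron" is an extra constructed user who can log in but is NOT an admin.
USERS = {
    "harry": {"digest": password_digest("harry", "quidditch"), "groups": {"admin"}},
    "ron":   {"digest": password_digest("ron", "chess"),       "groups": {"staff"}},
}

# Mirrors <sec:Allow url-pattern="/protected/*"><sec:IfRole name="admin"/></sec:Allow>
ALLOW_RULES = [("/protected/*", {"admin"})]


def basic_header(user: str, password: str) -> str:
    """What the browser sends: the credentials are only base64, not encrypted."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def parse_basic(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Decode an Authorization header; return None for anything malformed."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(header[len("Basic "):], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    if ":" not in decoded:
        return None
    user, password = decoded.split(":", 1)
    return user, password


def authenticate(user: str, password: str) -> Optional[Set[str]]:
    """The Authenticator's job: return the user's groups, or None on failure."""
    record = USERS.get(user)
    if record is None:
        return None
    # Constant-time comparison so a wrong guess is not distinguishable by timing.
    if hmac.compare_digest(record["digest"], password_digest(user, password)):
        return record["groups"]
    return None


def matches(pattern: str, path: str) -> bool:
    """Servlet-style url-pattern matching for the '/prefix/*' form."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    return path == pattern


def check_request(path: str, auth_header: Optional[str]) -> int:
    """Return the HTTP status the server would answer for this request."""
    required = next((g for pat, g in ALLOW_RULES if matches(pat, path)), None)
    if required is None:
        return 200                      # not under a protected pattern
    creds = parse_basic(auth_header)
    if creds is None:
        return 401                      # challenge: WWW-Authenticate: Basic realm="resin"
    groups = authenticate(*creds)
    if groups is None:
        return 401                      # bad user or password: challenge again
    if not (groups & required):
        return 403                      # authenticated, but not in "admin"
    return 200


if __name__ == "__main__":
    for path, hdr in [("/index.html", None),
                      ("/protected/x.jsp", None),
                      ("/protected/x.jsp", basic_header("harry", "quidditch")),
                      ("/protected/x.jsp", basic_header("ron", "chess"))]:
        print(path, hdr, "->", check_request(path, hdr))
```

The point the split makes visible: the Authenticator only answers "who is this and which groups are they in"; the Allow block decides whether those groups are enough for this URL. A valid login that lacks the "admin" role is a 403, not a 401, and the Authorization header is trivially decodable, which is why BasicLogin belongs behind TLS.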
This simple example can be improved easily.
- If I want to protect the passwords, I'd remove password-digest="none" so Resin's default digest is used, and put the digested value in the password attribute instead of the plaintext. (This is always a good idea, but makes examples harder to read. You should always use a digest in your own configuration. Note that MD5 is a fast, unsalted hash, so the configuration file still has to be treated as a secret, and a digest on disk does nothing for credentials sent by BasicLogin over plain HTTP.)
- If I want to manage the users in a database, I'd use <DatabaseAuthenticator>.
- If I want a nicer login method, I'd use <FormLogin> and design my own pages.
- If I want more sophisticated permissions and group mapping, I'd add a <RoleMap>.