Custom Authenticator and CustomLogin
From Resin 3.0
Latest revision as of 17:37, 21 October 2011
When your application wants to save and restore login information from a custom cookie, or wants to access the request and response during the login, you can create a custom Login to go with your authenticator.
- Login - Servlet-aware class responsible for extracting credentials (passwords) from the request and issuing challenges (HTTP responses)
- Authenticator - general class responsible for verifying a password for a user
Since cookies are part of the servlet capabilities, they belong in a custom Login.
Example
The example uses a custom Login to create a cookie named "test-save" with the user's name.
When the user accesses the site, the login() method will check for the cookie and log the user in automatically if it exists.
If the user isn't logged in, the login() method will default to the FormLogin behavior. On success, it will save the username in the cookie.
Warning: a real system would generate random cookie values instead of the username.
WEB-INF/resin-web.xml

<web-app xmlns="http://caucho.com/ns/resin"
         xmlns:resin="urn:java:com.caucho.resin"
         xmlns:qa="urn:java:qa">

  <qa:MyAuthenticator/>

  <qa:MyLogin form-login-page="/login.jsp"
              form-error-page="/error.jsp"/>

  <resin:Allow url-pattern="/admin/*">
    <resin:IfUserInRole role="admin"/>
  </resin:Allow>

</web-app>
MyAuthenticator.java

The class must be named MyAuthenticator in package qa so that the <qa:MyAuthenticator/> element in resin-web.xml resolves to it.

package qa;

import java.security.*;
import com.caucho.security.*;

public class MyAuthenticator extends AbstractAuthenticator {
  // Verifies the password the Login class extracted from the request.
  // Returns the authenticated principal, or null when the check fails.
  @Override
  public Principal authenticate(Principal principal, char []password)
  {
    if (principal.getName().equals("harry")
        && "quidditch".equals(new String(password))) {
      return new MyPrincipal("harry");
    }
    else {
      return null;
    }
  }

  // Role check used by <resin:IfUserInRole>; only "harry" is an admin here.
  @Override
  public boolean isUserInRole(Principal user, String role)
  {
    return "admin".equals(role)
      && user != null
      && user.getName().equals("harry");
  }
}
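The authenticator above compares the submitted password with a plaintext literal. The following is an added example, not code from the Resin wiki or the Resin project: it keeps the same authenticate()/isUserInRole() shape but checks the password against a salted PBKDF2 hash with a constant-time comparison. It assumes AbstractAuthenticator and MyPrincipal exactly as used on this page, and a Java 8+ runtime for the PBKDF2WithHmacSHA256 provider; the single user enrolled in the constructor is a constructed sample that mirrors the page's harry/quidditch credentials.

```java
package qa;

import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.Principal;
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import com.caucho.security.AbstractAuthenticator;

/**
 * Added example (not from the Resin wiki): same authenticator contract as
 * MyAuthenticator on this page, but passwords are verified against a salted
 * PBKDF2 hash instead of a plaintext literal.
 */
public class HashedAuthenticator extends AbstractAuthenticator {
  private static final int ITERATIONS = 100_000;
  private static final int KEY_BITS = 256;
  private static final int SALT_BYTES = 16;
  private static final SecureRandom RANDOM = new SecureRandom();

  /** One stored credential: per-user salt, PBKDF2 output for that salt, role. */
  private static final class Credential {
    final byte[] salt;
    final byte[] hash;
    final String role;

    Credential(byte[] salt, byte[] hash, String role)
    {
      this.salt = salt;
      this.hash = hash;
      this.role = role;
    }
  }

  // Hypothetical user table; a real deployment reads salt/hash/role from storage.
  private final Map<String, Credential> users = new HashMap<>();

  public HashedAuthenticator()
  {
    try {
      // Constructed sample user matching the page's example.
      enroll("harry", "quidditch".toCharArray(), "admin");
    } catch (GeneralSecurityException e) {
      throw new IllegalStateException("PBKDF2 unavailable", e);
    }
  }

  /** Registers a user with a fresh random salt and the hash derived from it. */
  public void enroll(String name, char[] password, String role)
    throws GeneralSecurityException
  {
    byte[] salt = new byte[SALT_BYTES];
    RANDOM.nextBytes(salt);
    users.put(name, new Credential(salt, pbkdf2(password, salt), role));
  }

  @Override
  public Principal authenticate(Principal principal, char[] password)
  {
    if (principal == null || password == null)
      return null;

    Credential cred = users.get(principal.getName());
    if (cred == null)
      return null;                     // unknown user

    try {
      byte[] candidate = pbkdf2(password, cred.salt);
      // MessageDigest.isEqual runs in constant time, so a mismatch does not
      // leak how many leading bytes of the hash agreed.
      return MessageDigest.isEqual(cred.hash, candidate)
        ? new MyPrincipal(principal.getName())
        : null;
    } catch (GeneralSecurityException e) {
      return null;
    }
  }

  @Override
  public boolean isUserInRole(Principal user, String role)
  {
    if (user == null || role == null)
      return false;

    Credential cred = users.get(user.getName());
    return cred != null && role.equals(cred.role);
  }

  private static byte[] pbkdf2(char[] password, byte[] salt)
    throws GeneralSecurityException
  {
    PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_BITS);
    SecretKeyFactory factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
    try {
      return factory.generateSecret(spec).getEncoded();
    } finally {
      spec.clearPassword();            // do not keep the password in memory
    }
  }
}
```

Declared in resin-web.xml as <qa:HashedAuthenticator/> in place of <qa:MyAuthenticator/>, it plugs into the same MyLogin without further changes, since the Login only hands the principal and password to authenticate().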
MyLogin.java

package qa;

import java.security.*;
import javax.servlet.*;
import javax.servlet.http.*;
import com.caucho.security.*;

public class MyLogin extends FormLogin {
  @Override
  protected Principal login(HttpServletRequest request,
                            HttpServletResponse response)
  {
    // If the "test-save" cookie is present, log its user in automatically.
    if (request.getCookies() != null) {
      for (Cookie cookie : request.getCookies()) {
        if (cookie.getName().equals("test-save"))
          return new MyPrincipal(cookie.getValue());
      }
    }

    // Otherwise fall back to the normal FormLogin behavior and, on success,
    // save the username in the cookie for the next visit.
    Principal user = super.login(request, response);

    if (user != null)
      response.addCookie(new Cookie("test-save", user.getName()));

    return user;
  }
}
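As the warning in the Example section says, a real system would not put the username in the cookie: anyone who can set a cookie would then be logged in as whoever they name. The following is an added example, not code from the Resin wiki or the Resin project, showing the same login() structure with a random token that is looked up server-side, marked HttpOnly and Secure, and cleared when it is not recognised. It assumes FormLogin.login(request, response) and MyPrincipal exactly as used on this page, a Servlet 3.0+ API for Cookie.setHttpOnly, and a hypothetical in-memory token store standing in for a persistent one.

```java
package qa;

import java.security.Principal;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.caucho.security.FormLogin;

/**
 * Added example (not from the Resin wiki): same structure as MyLogin on this
 * page, but the cookie carries a random token that is resolved server-side
 * instead of the username itself.
 */
public class TokenCookieLogin extends FormLogin {
  private static final String COOKIE_NAME = "test-save";
  private static final int TOKEN_BYTES = 32;                   // 256 bits of entropy
  private static final int MAX_AGE_SECONDS = 7 * 24 * 60 * 60;
  private static final SecureRandom RANDOM = new SecureRandom();

  // Hypothetical in-memory store: token -> username. A real deployment would
  // persist it with an expiry so tokens survive restarts and can be revoked.
  private final Map<String, String> tokens = new ConcurrentHashMap<>();

  @Override
  protected Principal login(HttpServletRequest request,
                            HttpServletResponse response)
  {
    Cookie cookie = findCookie(request, COOKIE_NAME);

    if (cookie != null) {
      String user = tokens.get(cookie.getValue());

      if (user != null)
        return new MyPrincipal(user);

      // Unknown, expired or revoked token: the cookie's contents are never
      // trusted directly, so clear it and fall through to the form login.
      expire(response, cookie);
    }

    Principal user = super.login(request, response);

    if (user != null) {
      String token = newToken();
      tokens.put(token, user.getName());

      Cookie saved = new Cookie(COOKIE_NAME, token);
      saved.setHttpOnly(true);               // not readable from page scripts
      saved.setSecure(request.isSecure());   // only sent back over TLS
      saved.setPath("/");
      saved.setMaxAge(MAX_AGE_SECONDS);
      response.addCookie(saved);
    }

    return user;
  }

  /** Drops a token so the cookie holding it can no longer log anyone in. */
  public void revoke(String token)
  {
    tokens.remove(token);
  }

  private static String newToken()
  {
    byte[] buf = new byte[TOKEN_BYTES];
    RANDOM.nextBytes(buf);
    // URL-safe base64 keeps the value free of characters that need quoting in cookies
    return Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
  }

  private static Cookie findCookie(HttpServletRequest request, String name)
  {
    Cookie[] cookies = request.getCookies();
    if (cookies == null)
      return null;

    for (Cookie cookie : cookies) {
      if (name.equals(cookie.getName()))
        return cookie;
    }
    return null;
  }

  private static void expire(HttpServletResponse response, Cookie cookie)
  {
    Cookie gone = new Cookie(cookie.getName(), "");
    gone.setPath("/");
    gone.setMaxAge(0);                       // instructs the browser to delete it
    response.addCookie(gone);
  }
}
```

Because the cookie value is only a lookup key, a forged or leaked cookie is worthless once the token is removed with revoke(); that is the property the username-in-cookie version lacks.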
login.jsp

The form must POST to j_security_check with the j_username and j_password fields so that FormLogin can pick up the credentials (the original page used a nonexistent url attribute on the form element).

<html>
<form action='j_security_check' method='post'>
User: <input type='text' name='j_username'><br>
Password: <input type='password' name='j_password'><br>
<input type='submit'>
</form>
</html>
error.jsp

<html>
<h1>failed login</h1>
<form action='j_security_check' method='post'>
User: <input type='text' name='j_username'><br>
Password: <input type='password' name='j_password'><br>
<input type='submit'>
</form>
</html>