Authenticator

From Resin 3.0

(Difference between revisions)
Jump to: navigation, search
 
Line 21: Line 21:
  
 
{{:JdbcAuthenticator}}
 
{{:JdbcAuthenticator}}
 +
 +
= JaasAuthenticator - using a JAAS LoginModule=
 +
 +
{{:JaasAuthenticator}}
 +
 +
= LDAP authentication =
 +
 +
{{:LDAP authentication}}

Revision as of 16:35, 4 January 2006


The <authenticator> tag configures Resin's built-in authentication for the Servlet login, i.e. to support getUserPrincipal and isUserInRole.

Contents

tags

tag description
jndi-name JNDI name to store the authenticator
type Java class implementing the authenticator
init Bean-style/Inversion of Control configuration for the authenticator

XmlAuthenticator

40px-Edit-clear.png This article requires cleanup and may refer to a legacy version of Resin.

Please visit http://www.caucho.com/documentation/ for the most up-to-date documentation.

The XmlAuthenticator is a simple authentication scheme where an XML file or a configuration file specifies the users directly. XmlAuthenticator is useful when you have a small number of known users.

<init> directives

directive description
logout-on-session-timeout If true, principals should be logged out when a session times out true
password-digest Password digest type of form: MD5-base64 MD5-base64
password-digest-algorithm Sets the password digest algorithm MD5
password-digest-realm Sets the realm to use for the digest resin
path Path to an XML file containing the configuration
principal-cache-size Size of the principal cache 4096
user Inline user configuration in the form "name:password:roles"

Example

resin-web.xml

<web-app xmlns="http://caucho.com/ns/resin">
  <authenticator>
    <type>com.caucho.server.security.XmlAuthenticator</type>
    <init>
      <password-digest>none</password-digest>
      <user>Harry Potter:quidditch:user</user>
    </init>
  </authenticator>
  ...
</web-app>

JdbcAuthenticator

40px-Edit-clear.png This article requires cleanup and may refer to a legacy version of Resin.

Please visit http://www.caucho.com/documentation/ for the most up-to-date documentation.

The JdbcAuthenticator uses a database to store user authentication.

<init> directives

directive description
cookie-auth-query Sets a query for cookie-based authentication
cookie-auth-update Sets the update SQL for cookie-based authentication
cookie-domain Sets the domain value for cookie-based authentication
cookie-logout If true remove cookie on logout
cookie-max-age Sets the max-age value for cookie-based authentication
cookie-version Sets the cookie version for cookie-based authentication
data-source Specifies the configured <database> required
logout-on-session-timeout If true, principals should be logged out when a session times out true
password-digest Password digest type of form: MD5-base64 MD5-base64
password-digest-algorithm Sets the password digest algorithm MD5
password-digest-realm Sets the realm to use for the digest resin
password-query Sets a custom password query
principal-cache-size Size of the principal cache 4096
role-query Specifies the query to test for a role
use-cookie If true, use the resinauth cookie

Example

resin-web.xml

<web-app xmlns="http://caucho.com/ns/resin">
  <database jndi-name="java:comp/env/jdbc/test">
    <driver type="org.postgresql.Driver">
      <url>jdbc:postgresql://localhost/test</url>
      <user>harry</user>
    </driver>
  </database>

  <authenticator>
    <type>com.caucho.server.security.JdbcAuthenticator</type>
    <init>
      <data-source>java:comp/env/jdbc/test</data-source>
    </init>
  </authenticator>
  ...
</web-app>


Here is how this needs to be configured for FORM authentication:

     <authenticator type='com.caucho.server.security.JdbcAuthenticator'>
       <init>
         <data-source>jdbc/MyDataSource</data-source>
         ...
         <password-digest>
            <realm>resin</realm>
            <algorithm>md5</algorithm>
            <format>base64</format>
         </password-digest>
       </init>
     </authenticator>

JaasAuthenticator - using a JAAS LoginModule

40px-Edit-clear.png This article requires cleanup and may refer to a legacy version of Resin.

Please visit http://www.caucho.com/documentation/ for the most up-to-date documentation.

Resin provides a JaasAuthenticator for the usage of any JAAS LoginModule. A number of JAAS LoginModule implementations are included with the JDK, and it is fairly easy to create your own,

Example

resin-web.xml

<web-app xmlns="http://caucho.com/ns/resin">

 <authenticator type="com.caucho.server.security.JaasAuthenticator">
     <init>
         <login-module>com.sun.security.auth.module.Krb5LoginModule</login-module>
         <init-param>
              <debug>true</debug>
        </init-param>
     </init>
 </authenticator>

</web-app>

<init-param> directives

<init-param> directives are used to configure the properties of the LoginModule. Existing LoginModules provide documentation of the init-param that are accepted. Custom LoginModule implementations retrieve the init-param values in the initialize method:

LoginModule implementation retrieves init-param

 public void initialize(Subject subject, 
                        CallbackHandler callbackHandler,
                        Map<String,?> sharedState,
                        Map<String,?> options) 
 {
 
   // initialize any configured options
   _isDebug = "true".equalsIgnoreCase((String) options.get("debug"));
   ...
 }

Custom LoginModule

import java.util.*;

import javax.security.auth.*;
import javax.security.auth.spi.*;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;

public class TestLoginModule implements javax.security.auth.spi.LoginModule {
    private Subject _subject;
    private CallbackHandler _handler;
    private Map _state;
 
    private String _userName;
    private String _password;

    public void initialize(Subject subject,
                               CallbackHandler handler,
                               Map sharedState,
                               Map options)
   {
       _subject = subject;
       _handler = handler;
       _state = sharedState;

       _userName = (String) _options.get("user");
       _password = (String) _options.get("password");
   }

   public boolean login()
       throws LoginException
   {
       NameCallback name = new NameCallback("");
       PasswordCallback password = new PasswordCallback("", false);
 
       _handler.handle(new Callback[] { name, password });

       if (_userName.equals(name.getName()) && 
           _password.equals(password.getPassword()) {
           _subject.getPrincipals().add(new TestPrincipal(_userName));
           return true;
       }
       else
            return false;
   }

   public boolean abort()
   {
       return true;
   }

   public boolean commit()
   {
       return _subject.getPrincipals().size() > 0;
   }

   public boolean logout()
   {
        return true;
   }
}


resin-web.xml

<web-app xmlns="http://caucho.com/ns/resin">

 <authenticator type="com.caucho.server.security.JaasAuthenticator">
     <init>
         <login-module>example.TestModule</login-module>
         <init-param>
              <user>Harry</user>
              <password>quidditch</password>
        </init-param>
     </init>
 </authenticator>

</web-app>

isUserInRole

The isUserInRole method can be supported by providing either an isUserInRole method in the Principal returned by the LoginModule, or a getRoles() method returning a java.util.Set. (requires 3.0.19)

LDAP authentication

The Sun JDK includes a JndiLoginModule, which in turn is used with Resin's JaasAuthenticator to authenticate against an LDAP server.

Example

resin-web.xml

<web-app xmlns="http://caucho.com/ns/resin">
  <authenticator type="com.caucho.server.security.JaasAuthenticator">
   <init>
     <login-module>com.sun.security.auth.module.JndiLoginModule</login-module>

     <init-param user.provider.url="ldap://ldap.hogwarts.com/ou=People"/>
     <init-param group.provider.url="ldap://ldap.hogwarts.com/ou=Groups"/>

     <init-param debug="true"/>
   </init>
  </authenticator>
</web-app>

<init-param> directives

directive description default
debug If true, show debug information on stdout false
Personal tools