Authenticator
From Resin 3.0
| Line 21: | Line 21: | ||
{{:JdbcAuthenticator}} | {{:JdbcAuthenticator}} | ||
| + | |||
| + | = JaasAuthenticator - using a JAAS LoginModule= | ||
| + | |||
| + | {{:JaasAuthenticator}} | ||
| + | |||
| + | = LDAP authentication = | ||
| + | |||
| + | {{:LDAP authentication}} | ||
Revision as of 16:35, 4 January 2006
The <authenticator> tag configures Resin's built-in authentication for the Servlet login, i.e. to support getUserPrincipal and isUserInRole.
Contents |
tags
| tag | description |
|---|---|
| jndi-name | JNDI name to store the authenticator |
| type | Java class implementing the authenticator |
| init | Bean-style/Inversion of Control configuration for the authenticator |
XmlAuthenticator
|
This article requires cleanup and may refer to a legacy version of Resin.
Please visit http://www.caucho.com/documentation/ for the most up-to-date documentation. |
The XmlAuthenticator is a simple authentication scheme where an XML file or a configuration file specifies the users directly. XmlAuthenticator is useful when you have a small number of known users.
<init> directives
| directive | description | |
|---|---|---|
| logout-on-session-timeout | If true, principals should be logged out when a session times out | true |
| password-digest | Password digest type of form: MD5-base64 | MD5-base64 |
| password-digest-algorithm | Sets the password digest algorithm | MD5 |
| password-digest-realm | Sets the realm to use for the digest | resin |
| path | Path to an XML file containing the configuration | |
| principal-cache-size | Size of the principal cache | 4096 |
| user | Inline user configuration in the form "name:password:roles" |
Example
resin-web.xml
<web-app xmlns="http://caucho.com/ns/resin"> <authenticator> <type>com.caucho.server.security.XmlAuthenticator</type> <init> <password-digest>none</password-digest> <user>Harry Potter:quidditch:user</user> </init> </authenticator> ... </web-app>
JdbcAuthenticator
|
|
This article requires cleanup and may refer to a legacy version of Resin.
Please visit http://www.caucho.com/documentation/ for the most up-to-date documentation. |
The JdbcAuthenticator uses a database to store user authentication.
<init> directives
| directive | description | |
|---|---|---|
| cookie-auth-query | Sets a query for cookie-based authentication | |
| cookie-auth-update | Sets the update SQL for cookie-based authentication | |
| cookie-domain | Sets the domain value for cookie-based authentication | |
| cookie-logout | If true remove cookie on logout | |
| cookie-max-age | Sets the max-age value for cookie-based authentication | |
| cookie-version | Sets the cookie version for cookie-based authentication | |
| data-source | Specifies the configured <database> | required |
| logout-on-session-timeout | If true, principals should be logged out when a session times out | true |
| password-digest | Password digest type of form: MD5-base64 | MD5-base64 |
| password-digest-algorithm | Sets the password digest algorithm | MD5 |
| password-digest-realm | Sets the realm to use for the digest | resin |
| password-query | Sets a custom password query | |
| principal-cache-size | Size of the principal cache | 4096 |
| role-query | Specifies the query to test for a role | |
| use-cookie | If true, use the resinauth cookie |
Example
resin-web.xml
<web-app xmlns="http://caucho.com/ns/resin"> <database jndi-name="java:comp/env/jdbc/test"> <driver type="org.postgresql.Driver"> <url>jdbc:postgresql://localhost/test</url> <user>harry</user> </driver> </database> <authenticator> <type>com.caucho.server.security.JdbcAuthenticator</type> <init> <data-source>java:comp/env/jdbc/test</data-source> </init> </authenticator> ... </web-app>
Here is how this needs to be configured for FORM authentication:
<authenticator type='com.caucho.server.security.JdbcAuthenticator'>
<init>
<data-source>jdbc/MyDataSource</data-source>
...
<password-digest>
<realm>resin</realm>
<algorithm>md5</algorithm>
<format>base64</format>
</password-digest>
</init>
</authenticator>
JaasAuthenticator - using a JAAS LoginModule
|
|
This article requires cleanup and may refer to a legacy version of Resin.
Please visit http://www.caucho.com/documentation/ for the most up-to-date documentation. |
Resin provides a JaasAuthenticator for the usage of any JAAS LoginModule. A number of JAAS LoginModule implementations are included with the JDK, and it is fairly easy to create your own,
Example
resin-web.xml
<web-app xmlns="http://caucho.com/ns/resin"> <authenticator type="com.caucho.server.security.JaasAuthenticator"> <init> <login-module>com.sun.security.auth.module.Krb5LoginModule</login-module> <init-param> <debug>true</debug> </init-param> </init> </authenticator> </web-app>
<init-param> directives
<init-param> directives are used to configure the properties of the LoginModule. Existing LoginModules provide documentation of the init-param that are accepted. Custom LoginModule implementations retrieve the init-param values in the initialize method:
LoginModule implementation retrieves init-param
public void initialize(Subject subject,
CallbackHandler callbackHandler,
Map<String,?> sharedState,
Map<String,?> options)
{
// initialize any configured options
_isDebug = "true".equalsIgnoreCase((String) options.get("debug"));
...
}
Custom LoginModule
import java.util.*;
import javax.security.auth.*;
import javax.security.auth.spi.*;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
public class TestLoginModule implements javax.security.auth.spi.LoginModule {
private Subject _subject;
private CallbackHandler _handler;
private Map _state;
private String _userName;
private String _password;
public void initialize(Subject subject,
CallbackHandler handler,
Map sharedState,
Map options)
{
_subject = subject;
_handler = handler;
_state = sharedState;
_userName = (String) _options.get("user");
_password = (String) _options.get("password");
}
public boolean login()
throws LoginException
{
NameCallback name = new NameCallback("");
PasswordCallback password = new PasswordCallback("", false);
_handler.handle(new Callback[] { name, password });
if (_userName.equals(name.getName()) &&
_password.equals(password.getPassword()) {
_subject.getPrincipals().add(new TestPrincipal(_userName));
return true;
}
else
return false;
}
public boolean abort()
{
return true;
}
public boolean commit()
{
return _subject.getPrincipals().size() > 0;
}
public boolean logout()
{
return true;
}
}
resin-web.xml
<web-app xmlns="http://caucho.com/ns/resin"> <authenticator type="com.caucho.server.security.JaasAuthenticator"> <init> <login-module>example.TestModule</login-module> <init-param> <user>Harry</user> <password>quidditch</password> </init-param> </init> </authenticator> </web-app>
isUserInRole
The isUserInRole method can be supported by providing either an isUserInRole method in the Principal returned by the LoginModule, or a getRoles() method returning a java.util.Set. (requires 3.0.19)
LDAP authentication
The Sun JDK includes a JndiLoginModule, which in turn is used with Resin's JaasAuthenticator to authenticate against an LDAP server.
Example
resin-web.xml
<web-app xmlns="http://caucho.com/ns/resin"> <authenticator type="com.caucho.server.security.JaasAuthenticator"> <init> <login-module>com.sun.security.auth.module.JndiLoginModule</login-module> <init-param user.provider.url="ldap://ldap.hogwarts.com/ou=People"/> <init-param group.provider.url="ldap://ldap.hogwarts.com/ou=Groups"/> <init-param debug="true"/> </init> </authenticator> </web-app>
<init-param> directives
| directive | description | default |
|---|---|---|
| debug | If true, show debug information on stdout | false |
