Authenticator
From Resin 3.0
Revision as of 20:20, 21 February 2006
The <authenticator> directive configures Resin's built-in authentication for the Servlet login, i.e. to support getUserPrincipal and isUserInRole.
directives
directive | description |
---|---|
jndi-name | JNDI name to store the authenticator |
type | Java class implementing the authenticator |
init | Bean-style/Inversion of Control configuration for the authenticator |
XmlAuthenticator
This article requires cleanup and may refer to a legacy version of Resin.
Please visit http://www.caucho.com/documentation/ for the most up-to-date documentation. |
The XmlAuthenticator is a simple authentication scheme where an XML file or a configuration file specifies the users directly. XmlAuthenticator is useful when you have a small number of known users.
<init> directives
directive | description | default |
---|---|---|
logout-on-session-timeout | If true, principals should be logged out when a session times out | true |
password-digest | Password digest type of form: MD5-base64 | MD5-base64 |
password-digest-algorithm | Sets the password digest algorithm | MD5 |
password-digest-realm | Sets the realm to use for the digest | resin |
path | Path to an XML file containing the configuration | |
principal-cache-size | Size of the principal cache | 4096 |
user | Inline user configuration in the form "name:password:roles" | |
Example
resin-web.xml
```xml
<web-app xmlns="http://caucho.com/ns/resin">
  <authenticator>
    <type>com.caucho.server.security.XmlAuthenticator</type>
    <init>
      <password-digest>none</password-digest>
      <user>Harry Potter:quidditch:user</user>
    </init>
  </authenticator>
  ...
</web-app>
```
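The example above sets password-digest to none, so the password sits in resin-web.xml in clear text. The following added example (not part of the original page or of Resin) computes the value that would replace it under the default MD5-base64 digest with realm resin. It assumes the digest input is the string user:realm:password, the same layout as the HTTP Digest A1 value; confirm this against the documentation for your Resin version. The class and method names are hypothetical.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.Base64;

public class ResinUserDigest {
  // ASSUMPTION: the digest input is "user:realm:password" encoded as UTF-8.
  static String digest(String user, String realm, char[] password,
                       String algorithm) throws NoSuchAlgorithmException {
    MessageDigest md = MessageDigest.getInstance(algorithm);
    md.update((user + ":" + realm + ":").getBytes(StandardCharsets.UTF_8));
    md.update(new String(password).getBytes(StandardCharsets.UTF_8));
    return Base64.getEncoder().encodeToString(md.digest());
  }

  // Builds the inline <user> entry in the "name:password:roles" form.
  static String userLine(String user, String realm, char[] password,
                         String roles) throws NoSuchAlgorithmException {
    // A ':' in the name would shift the fields of name:password:roles.
    // The base64 alphabet never contains ':', so the digest itself is safe.
    if (user.indexOf(':') >= 0 || realm.indexOf(':') >= 0)
      throw new IllegalArgumentException("':' not allowed in user or realm");
    return "<user>" + user + ":" + digest(user, realm, password, "MD5")
         + ":" + roles + "</user>";
  }

  public static void main(String[] args) throws Exception {
    // Sample values taken from the XmlAuthenticator example on this page.
    char[] password = "quidditch".toCharArray();
    try {
      System.out.println(userLine("Harry Potter", "resin", password, "user"));
    } finally {
      Arrays.fill(password, '\0');  // do not leave the password in memory
    }
  }
}
```

The printed line is used with password-digest left at its default (or set explicitly to MD5-base64) instead of none.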
JdbcAuthenticator
The JdbcAuthenticator uses a database to store user authentication.
<init> directives
directive | description | default |
---|---|---|
cookie-auth-query | Sets a query for cookie-based authentication | |
cookie-auth-update | Sets the update SQL for cookie-based authentication | |
cookie-domain | Sets the domain value for cookie-based authentication | |
cookie-logout | If true remove cookie on logout | |
cookie-max-age | Sets the max-age value for cookie-based authentication | |
cookie-version | Sets the cookie version for cookie-based authentication | |
data-source | Specifies the configured <database> | required |
logout-on-session-timeout | If true, principals should be logged out when a session times out | true |
password-digest | Password digest type of form: MD5-base64 | MD5-base64 |
password-digest-algorithm | Sets the password digest algorithm | MD5 |
password-digest-realm | Sets the realm to use for the digest | resin |
password-query | Sets a custom password query | |
principal-cache-size | Size of the principal cache | 4096 |
role-query | Specifies the query to test for a role | |
use-cookie | If true, use the resinauth cookie | |
Example
resin-web.xml
```xml
<web-app xmlns="http://caucho.com/ns/resin">
  <database jndi-name="java:comp/env/jdbc/test">
    <driver type="org.postgresql.Driver">
      <url>jdbc:postgresql://localhost/test</url>
      <user>harry</user>
    </driver>
  </database>

  <authenticator>
    <type>com.caucho.server.security.JdbcAuthenticator</type>
    <init>
      <data-source>java:comp/env/jdbc/test</data-source>
    </init>
  </authenticator>
  ...
</web-app>
```
Here is how this needs to be configured for FORM authentication:
```xml
<authenticator type='com.caucho.server.security.JdbcAuthenticator'>
  <init>
    <data-source>jdbc/MyDataSource</data-source>
    ...
    <password-digest>
      <realm>resin</realm>
      <algorithm>md5</algorithm>
      <format>base64</format>
    </password-digest>
  </init>
</authenticator>
```
JaasAuthenticator - using a JAAS LoginModule
Resin provides a JaasAuthenticator that can use any JAAS LoginModule. A number of JAAS LoginModule implementations are included with the JDK, and it is fairly easy to create your own.
Example
resin-web.xml
```xml
<web-app xmlns="http://caucho.com/ns/resin">
  <authenticator type="com.caucho.server.security.JaasAuthenticator">
    <init>
      <login-module>com.sun.security.auth.module.Krb5LoginModule</login-module>
      <init-param>
        <debug>true</debug>
      </init-param>
    </init>
  </authenticator>
</web-app>
```
<init-param> directives
<init-param> directives configure the properties of the LoginModule. Existing LoginModules document the init-param values they accept. Custom LoginModule implementations retrieve the init-param values in the initialize method:
LoginModule implementation retrieves init-param
```java
public void initialize(Subject subject,
                       CallbackHandler callbackHandler,
                       Map<String,?> sharedState,
                       Map<String,?> options)
{
  // initialize any configured options
  _isDebug = "true".equalsIgnoreCase((String) options.get("debug"));
  ...
}
```
Custom LoginModule
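```java
package example;

import java.io.IOException;
import java.util.*;
import javax.security.auth.*;
import javax.security.auth.spi.*;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;

public class TestLoginModule implements javax.security.auth.spi.LoginModule {
  private Subject _subject;
  private CallbackHandler _handler;
  private Map<String,?> _state;

  private String _userName;
  private String _password;

  public void initialize(Subject subject,
                         CallbackHandler handler,
                         Map<String,?> sharedState,
                         Map<String,?> options)
  {
    _subject = subject;
    _handler = handler;
    _state = sharedState;

    // values come from the <init-param> block in resin-web.xml
    _userName = (String) options.get("user");
    _password = (String) options.get("password");
  }

  public boolean login()
    throws LoginException
  {
    // the callback constructors reject an empty prompt
    NameCallback name = new NameCallback("user: ");
    PasswordCallback password = new PasswordCallback("password: ", false);

    try {
      _handler.handle(new Callback[] { name, password });
    } catch (IOException | UnsupportedCallbackException e) {
      throw new LoginException(e.toString());
    }

    // getPassword() returns a char[], so compare arrays rather than
    // calling String.equals() on it
    char[] supplied = password.getPassword();
    password.clearPassword();

    if (_userName != null && _password != null
        && _userName.equals(name.getName())
        && Arrays.equals(_password.toCharArray(), supplied)) {
      // TestPrincipal is an application-supplied java.security.Principal
      _subject.getPrincipals().add(new TestPrincipal(_userName));

      return true;
    }
    else
      return false;
  }

  public boolean abort()
  {
    return true;
  }

  public boolean commit()
  {
    return _subject.getPrincipals().size() > 0;
  }

  public boolean logout()
  {
    return true;
  }
}
```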
resin-web.xml
```xml
<web-app xmlns="http://caucho.com/ns/resin">
  <authenticator type="com.caucho.server.security.JaasAuthenticator">
    <init>
      <login-module>example.TestLoginModule</login-module>
      <init-param>
        <user>Harry</user>
        <password>quidditch</password>
      </init-param>
    </init>
  </authenticator>
</web-app>
```
isUserInRole
The isUserInRole method can be supported by providing either an isUserInRole method in the Principal returned by the LoginModule, or a getRoles() method returning a java.util.Set. (requires 3.0.19)
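The custom LoginModule above adds a TestPrincipal that the page never defines. The following added example (not from the original page or from Resin) is one possible TestPrincipal that exposes roles both ways described here. It assumes the package name example, taken from the login-module class name in resin-web.xml, and assumes the isUserInRole method takes the role name as a String and returns a boolean.

```java
package example;

import java.io.Serializable;
import java.security.Principal;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Objects;
import java.util.Set;

public final class TestPrincipal implements Principal, Serializable {
  private final String _name;
  private final Set<String> _roles;

  // new TestPrincipal("Harry") creates a principal with no roles;
  // new TestPrincipal("Harry", "user") grants the "user" role.
  public TestPrincipal(String name, String... roles) {
    _name = Objects.requireNonNull(name, "name");
    // copy and wrap so callers cannot add roles after login
    _roles = Collections.unmodifiableSet(new HashSet<>(Arrays.asList(roles)));
  }

  @Override
  public String getName() { return _name; }

  // Option 1 from the text: a getRoles() method returning a java.util.Set.
  public Set<String> getRoles() { return _roles; }

  // Option 2 from the text: an isUserInRole method on the Principal.
  // ASSUMPTION: signature is boolean isUserInRole(String).
  public boolean isUserInRole(String role) { return _roles.contains(role); }

  // Subject.getPrincipals() is a Set, so equality must be value-based
  // or a repeated login would add a duplicate principal.
  @Override
  public boolean equals(Object o) {
    return o instanceof TestPrincipal
        && _name.equals(((TestPrincipal) o)._name)
        && _roles.equals(((TestPrincipal) o)._roles);
  }

  @Override
  public int hashCode() { return Objects.hash(_name, _roles); }

  @Override
  public String toString() { return "TestPrincipal[" + _name + "]"; }
}
```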
LDAP authentication
The Sun JDK includes a JndiLoginModule, which in turn is used with Resin's JaasAuthenticator to authenticate against an LDAP server.
Example
resin-web.xml
```xml
<web-app xmlns="http://caucho.com/ns/resin">
  <authenticator type="com.caucho.server.security.JaasAuthenticator">
    <init>
      <login-module>com.sun.security.auth.module.JndiLoginModule</login-module>
      <init-param user.provider.url="ldap://ldap.hogwarts.com/ou=People"/>
      <init-param group.provider.url="ldap://ldap.hogwarts.com/ou=Groups"/>
      <init-param debug="true"/>
    </init>
  </authenticator>
</web-app>
```
<init-param> directives
directive | description | default |
---|---|---|
debug | If true, show debug information on stdout | false |