How to password-protect pages with HTTP basic
From Resin 3.0
Revision as of 07:14, 14 January 2009
(Note, this applies to Resin 4.0)
If I want to protect a section of a website for administration purposes, I need to configure three things:
- An Authenticator to specify users, passwords, and groups
- A Login method to log in users via the browser
- An Allow or Deny block to specify authorization requirements, i.e. who can see my pages.
For the example, I use an XmlAuthenticator because I have a small list of users and don't want the hassle of configuring a database.
I use <BasicLogin> for quick testing or internal websites. For anything more complicated, I would use a <FormLogin>.
<Allow> specifies the URLs to be protected and the authorization requirements. In this case, I'm only allowing users in the "admin" group to reach anything under /protected/.
 <web-app xmlns="http://caucho.com/ns/resin"
          xmlns:sec="urn:java:com.caucho.security">
 
   <sec:XmlAuthenticator password-digest="none">
     <sec:user name="harry" password="quidditch" group="admin"/>
   </sec:XmlAuthenticator>
 
   <sec:BasicLogin/>
 
   <sec:Allow url-pattern="/protected/*">
     <sec:IfRole name="admin"/>
   </sec:Allow>
 
 </web-app>
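To make the three pieces concrete, here is a small stand-alone model of what the configuration above does on each request: an authenticator (the user table), the Basic login step (decoding the Authorization header and issuing the 401 challenge), and the Allow rule (URL pattern plus required role). This is an added example written for this page, not Resin's code; the user table, the url-pattern matching via fnmatch and the "resin" realm name are assumptions, and the stored digest form base64(MD5("user:realm:password")) is the one Resin documents for its default md5-base64 setting, included here to show what dropping password-digest="none" changes rather than as a recommendation of MD5.

```python
import base64
import fnmatch
import hashlib
import hmac

REALM = "resin"  # assumed realm name; used in the digest and the 401 challenge


def password_digest(user, password, realm=REALM):
    """base64(MD5("user:realm:password")) - the md5-base64 form assumed for this
    example. MD5 is fast, so this is a digest, not a slow password hash."""
    raw = f"{user}:{realm}:{password}".encode("utf-8")
    return base64.b64encode(hashlib.md5(raw).digest()).decode("ascii")


# Constructed user table standing in for <sec:XmlAuthenticator>; only the
# digest is stored, never the clear-text password.
USERS = {
    "harry": {"digest": password_digest("harry", "quidditch"), "groups": {"admin"}},
    "ron": {"digest": password_digest("ron", "chess"), "groups": {"staff"}},
}

# Stand-in for <sec:Allow url-pattern=...><sec:IfRole name=.../></sec:Allow>.
# fnmatch's '*' also matches '/', so "/protected/*" covers nested paths the way
# a servlet url-pattern does.
ALLOW_RULES = [("/protected/*", "admin")]

# A digest that can never equal a real user's digest (the user part is empty);
# it keeps the unknown-user path doing the same work as the wrong-password path.
_DUMMY_DIGEST = password_digest("", "")


def parse_basic_auth(header):
    """Return (user, password) from an 'Authorization: Basic <b64>' value, else None."""
    if not header:
        return None
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def authenticate(user, password):
    """Return the user record when the digest matches, else None."""
    record = USERS.get(user)
    candidate = password_digest(user, password)
    expected = record["digest"] if record else _DUMMY_DIGEST
    # Constant-time comparison so a wrong digest cannot be probed byte by byte.
    if hmac.compare_digest(candidate, expected) and record:
        return record
    return None


def required_role(path):
    """Role required by the first matching Allow rule, or None if unprotected."""
    for pattern, role in ALLOW_RULES:
        if fnmatch.fnmatchcase(path, pattern):
            return role
    return None


def handle_request(path, auth_header):
    """Return (status, detail): 200 on success, 401 with the Basic challenge
    when credentials are missing or wrong, 403 when the user lacks the role."""
    role = required_role(path)
    if role is None:
        return 200, "public"
    creds = parse_basic_auth(auth_header)
    record = authenticate(*creds) if creds else None
    if record is None:
        return 401, f'WWW-Authenticate: Basic realm="{REALM}"'
    if role in record["groups"]:
        return 200, "protected"
    return 403, "forbidden"


def basic_header(user, password):
    """Build the header a browser sends after the 401 challenge (constructed input)."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


if __name__ == "__main__":
    print(handle_request("/index.jsp", None))
    print(handle_request("/protected/admin.jsp", None))
    print(handle_request("/protected/admin.jsp", basic_header("harry", "quidditch")))
    print(handle_request("/protected/admin.jsp", basic_header("ron", "chess")))
```

The 401 branch carries the WWW-Authenticate challenge that makes the browser pop up its login dialog; the 403 branch is reached only after a successful login, which is how the servlet model separates "who are you" (BasicLogin) from "are you allowed" (Allow). Basic credentials are only base64-encoded on the wire, so the protected section should be served over TLS for this to protect the password in transit.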
This simple example can be improved easily:
- If I want to protect the passwords, I'd store them as an MD5 digest and remove password-digest="none". (This is always a good idea, but it makes examples harder to read. You should always use a digest in your own configuration.)
- If I want to manage the users in a database, I'd use <DatabaseAuthenticator>.
- If I want a nicer login method, I'd use <FormLogin> and design my own pages.
- If I want more sophisticated permissions and group mapping, I'd add a <RoleMap>.