How to password-protect pages with HTTP basic

From Resin 3.0

Latest revision as of 17:37, 15 January 2009


(Note, this applies to Resin 4.0)

If I want to protect a section of a website for administration purposes, I need to configure three things:

  1. An Authenticator to specify users, passwords, and groups.
  2. A Login method to log in users via the browser.
  3. An Allow or Deny block to specify authorization requirements, i.e. who can see my pages.

I use an XmlAuthenticator when I have a small list of users and don't want the hassle of configuring a database.

I use <BasicLogin> for quick testing or internal websites. For anything more complicated, I would use a <FormLogin>.

<Allow> specifies the URLs to be protected and the authorization requirements. In this case, I'm just allowing users in the "admin" group.

<web-app xmlns="http://caucho.com/ns/resin"
         xmlns:sec="urn:java:com.caucho.security">

  <sec:XmlAuthenticator password-digest="none">
     <sec:user name="harry" password="quidditch" group="admin"/>
  </sec:XmlAuthenticator>

  <sec:BasicLogin/>

  <sec:Allow url-pattern="/protected/*">
    <sec:IfRole name="admin"/>
  </sec:Allow>
</web-app>

This simple example can be improved easily.

  1. If I want to protect the passwords, I'd save the passwords as an MD5 hash and remove the password-digest="none". (This is always a good idea, but makes examples harder to read. You should always use a digest in your own configuration.)
  2. If I want to manage the users in a database, I'd use <DatabaseAuthenticator>.
  3. If I want a nicer login method, I'd use <FormLogin> and design my own pages.
  4. If I want more sophisticated permission and group mapping, I'd add a <RoleMap>.
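To make the three pieces above concrete (authenticator, Basic login, Allow block with a role check, plus the digested-password improvement from point 1), here is an added Python model of the decisions the container makes for one request. It is example code written for this page, not Resin's own implementation: the user table, the "/protected/*" rule, the realm string "resin", and the servlet-style pattern matcher are all assumptions standing in for the <sec:XmlAuthenticator>, <sec:BasicLogin/> and <sec:Allow> elements in the configuration.

```python
import base64
import hashlib
import hmac

# Constructed stand-in for the <sec:XmlAuthenticator> block: each user has an
# MD5 hex digest of the password (the page's improvement #1) and a set of groups.
# Names, passwords and groups are sample values, not taken from any real deployment.
USERS = {
    "harry": {"digest": hashlib.md5(b"quidditch").hexdigest(), "groups": {"admin"}},
    "ron": {"digest": hashlib.md5(b"chess").hexdigest(), "groups": {"staff"}},
}

# Constructed stand-in for <sec:Allow url-pattern="/protected/*"><sec:IfRole name="admin"/></sec:Allow>.
ALLOW_RULES = [("/protected/*", "admin")]

# Realm string is an assumption; it only labels the browser's password prompt.
REALM = "resin"

# Compared against when the user name is unknown, so unknown and known users take the same time.
DUMMY_DIGEST = hashlib.md5(b"").hexdigest()


def url_pattern_matches(pattern, path):
    """Servlet-style matching: '/dir/*' is a path-prefix rule, '*.ext' an extension rule, else exact."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern


def basic_header(user, password):
    """Build the Authorization header a browser sends after a Basic challenge."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def authenticate(authorization_header):
    """Return the user name if the Basic credentials verify, otherwise None."""
    if not authorization_header:
        return None
    scheme, _, token = authorization_header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    record = USERS.get(user)
    presented = hashlib.md5(password.encode("utf-8")).hexdigest()
    stored = record["digest"] if record else DUMMY_DIGEST
    # Constant-time comparison so a wrong digest cannot be narrowed down byte by byte.
    if not hmac.compare_digest(presented, stored) or record is None:
        return None
    return user


def authorize(path, user):
    """Apply the Allow rules: a matching rule requires the role; unmatched paths are open."""
    for pattern, role in ALLOW_RULES:
        if url_pattern_matches(pattern, path):
            return user is not None and role in USERS[user]["groups"]
    return True


def handle_request(path, authorization_header=None):
    """Return (status, headers) the way the container would decide for one request."""
    user = authenticate(authorization_header)
    if authorize(path, user):
        return 200, {}
    if user is None:
        # No valid credentials: challenge the browser, which then prompts and retries.
        return 401, {"WWW-Authenticate": f'Basic realm="{REALM}"'}
    # Valid credentials but not in the required group.
    return 403, {}


if __name__ == "__main__":
    print(handle_request("/protected/admin.jsp"))
    print(handle_request("/protected/admin.jsp", basic_header("harry", "quidditch")))
    print(handle_request("/protected/admin.jsp", basic_header("ron", "chess")))
```

The three outcomes worth noticing are the 401 challenge (no or bad credentials, which is what makes the browser show its login box), the 200 for harry (valid password and in the "admin" group), and the 403 for ron (valid password but wrong group, i.e. the <IfRole> check failing). The unsalted MD5 digest is used only because that is what the page's point 1 describes; in a configuration you write yourself, a salted password hash is the stronger choice, and Basic credentials should only travel over TLS since the header is merely base64-encoded, not encrypted.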