Authorization with Resin

Authorization is used to mark sections and resources of a web site that have limited access. Constraints are used to indicate the criteria for access. Typically a constraint is based on a user login, but it can also include such things as limiting access to clients from a certain IP address and requiring that a secure transport such as SSL is in use.

  1. security-constraint
  2. web-resource-collection
  3. auth-constraint
  4. ip-constraint
  5. user-data-constraint
  6. transport-guarantee
  7. constraint
  8. Custom Security Constraints
  9. Protecting static files from viewing by anyone
    1. Place files in WEB-INF
    2. Security constraint requiring role nobody
    3. A servlet that returns a 403 error

security-constraint

Selects protected areas of the web site. Sites using authentication as an optional personalization feature will typically not use any security constraints. Sites using authentication to limit access to certain sections of the website to certain users will use security constraints.

Security constraints can also be custom classes.

Protecting all pages for logged-in users
<security-constraint>
  <web-resource-collection>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint role-name='user'/>
</security-constraint>

web-resource-collection

Specifies a collection of areas of the web site.

url-pattern: url patterns describing the resource
http-method: HTTP methods to be restricted.

auth-constraint

Requires that authenticated users fill the specified role. In Resin's JdbcAuthenticator, normal users are in the "user" role. Think of a role as a group of users.

role-name: Roles which are allowed to access the resource.

Protecting webdav for webdav users
<security-constraint>
  <auth-constraint role-name='webdav'/>

  <web-resource-collection>
    <url-pattern>/webdav/*</url-pattern>
  </web-resource-collection>
</security-constraint>

ip-constraint (Resin 2.0.6)

Requires that the remote address is in an IP network. ip-constraint is very useful for protecting administration resources to an internal network.

Admin pages allowed in 192.168.17.0/24
<security-constraint>
  <ip-constraint>192.168.17.0/24</ip-constraint>

  <web-resource-collection>
    <url-pattern>/admin/*</url-pattern>
  </web-resource-collection>
</security-constraint>

user-data-constraint

Restricts access to secure transports, i.e. SSL.

transport-guarantee: Required transport properties. NONE, INTEGRAL, and CONFIDENTIAL are allowed values.

<security-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>

  <web-resource-collection>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
</security-constraint>

transport-guarantee

Restricts access to secure transports, i.e. SSL.

constraint (Resin 2.0.1)

Defines a custom constraint. The custom constraint specifies a <bean-class> which extends class com.caucho.server.security.AbstractConstraint . Bean-style initialization is used to initialize the constraint.

...
<security-constraint>
  <constraint>
    <bean-class>example.CustomSecurity</bean-class>
    <init>
      <policy>strict</policy>
    </init>
  </constraint>
  <web-resource-collection url-pattern='/*'/>
</security-constraint>
...

Custom Security Constraints

Any custom security constraint is checked after any authentication (login) but before any filters or servlets are applied. The security constraint will return true if the request is allowed and false if it's forbidden. If the request is forbidden, it's the constraint's responsibility to return an error page.

package qa;

import java.io.*;
import javax.servlet.*;
import javax.servlet.http.*;
import com.caucho.server.security.*;

public class CustomSecurity extends AbstractConstraint {
  // Bean-style property, filled in from the <foo> element of the constraint configuration
  private String foo = "false";

  public void setFoo(String foo)
  {
    this.foo = foo;
  }

  // false: Resin does not need to log the user in before calling isAuthorized
  public boolean needsAuthentication()
  {
    return false;
  }

  // Allow the request only when the "test" parameter matches the configured value.
  // On denial the constraint itself sends the error response and returns false.
  public boolean isAuthorized(HttpServletRequest request,
                              HttpServletResponse response,
                              ServletContext application)
    throws ServletException, IOException
  {
    if (foo.equals(request.getParameter("test")))
      return true;

    response.sendError(HttpServletResponse.SC_FORBIDDEN);

    return false;
  }
}

The needsAuthentication method tells Resin that it needs to log in the user before checking the authorization. This allows the custom authorizer to check user roles or the user principal for the proper permissions.

<constraint resin:type="qa.CustomSecurity">
  <foo>test-value</foo>
</constraint>
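The example below is added here and is not code from the Resin documentation. It shows the case the paragraph above describes: needsAuthentication() returns true, so the user is logged in before isAuthorized runs and isUserInRole() is meaningful there, and the constraint combines that role check with a client-network check (the job ip-constraint does on its own) and logs each denial. The class name, the role and network properties, and the IPv4 CIDR helper are assumptions; only the AbstractConstraint method signatures come from the page's own example.

```java
package example;

import java.io.IOException;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.caucho.server.security.AbstractConstraint;

/**
 * Added example (not Resin's own code): allow the request only for an
 * authenticated user in the configured role whose client address lies in
 * the configured IPv4 network.  Configured with bean-style init:
 *
 *   <constraint>
 *     <bean-class>example.RoleAndNetworkConstraint</bean-class>
 *     <init>
 *       <role>admin</role>
 *       <network>192.168.17.0/24</network>
 *     </init>
 *   </constraint>
 */
public class RoleAndNetworkConstraint extends AbstractConstraint {
  private String role = "admin";            // set by <role>; assumed property
  private String network = "127.0.0.1/32";  // set by <network>; default allows localhost only

  public void setRole(String role) { this.role = role; }
  public void setNetwork(String network) { this.network = network; }

  // true: Resin logs the user in before calling isAuthorized, so
  // getRemoteUser() and isUserInRole() are populated there.
  public boolean needsAuthentication()
  {
    return true;
  }

  public boolean isAuthorized(HttpServletRequest request,
                              HttpServletResponse response,
                              ServletContext application)
    throws ServletException, IOException
  {
    String remote = request.getRemoteAddr();
    boolean inRole = request.isUserInRole(role);
    boolean onNetwork = inCidr(remote, network);

    if (inRole && onNetwork)
      return true;

    // The constraint must produce the error response itself; log the
    // reason so denials are visible in the server log.
    application.log("authorization denied: uri=" + request.getRequestURI()
                    + " user=" + request.getRemoteUser()
                    + " remote=" + remote
                    + " inRole=" + inRole + " onNetwork=" + onNetwork);
    response.sendError(HttpServletResponse.SC_FORBIDDEN);
    return false;
  }

  /** True if dotted-quad addr lies inside the "a.b.c.d/bits" network; fails closed on bad input. */
  static boolean inCidr(String addr, String cidr)
  {
    if (cidr == null)
      return false;
    int slash = cidr.indexOf('/');
    String net = slash < 0 ? cidr : cidr.substring(0, slash);
    int bits = 32;
    try {
      if (slash >= 0)
        bits = Integer.parseInt(cidr.substring(slash + 1));
    } catch (NumberFormatException e) {
      return false;  // malformed prefix length
    }
    long a = toIPv4(addr);
    long n = toIPv4(net);
    if (a < 0 || n < 0 || bits < 0 || bits > 32)
      return false;  // IPv6, null or malformed input is not matched
    long mask = bits == 0 ? 0L : (0xFFFFFFFFL << (32 - bits)) & 0xFFFFFFFFL;
    return (a & mask) == (n & mask);
  }

  /** Parse "a.b.c.d" into a 32-bit value, or -1 if it is not a valid IPv4 address. */
  static long toIPv4(String ip)
  {
    if (ip == null)
      return -1;
    String[] parts = ip.split("\\.");
    if (parts.length != 4)
      return -1;
    long value = 0;
    for (int i = 0; i < 4; i++) {
      int octet;
      try {
        octet = Integer.parseInt(parts[i]);
      } catch (NumberFormatException e) {
        return -1;
      }
      if (octet < 0 || octet > 255)
        return -1;
      value = (value << 8) | octet;
    }
    return value;
  }
}
```

Both checks fail closed: an unparseable address or network, or an IPv6 client, is denied rather than allowed. Note that getRemoteAddr() is the address of the TCP peer, so when Resin sits behind a reverse proxy it is the proxy's address, not the browser's, and a network check of this kind (or ip-constraint) then has to be applied where the real client address is known.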

Protecting static files from viewing by anyone

Sometimes it is necessary to protect files from being viewed by anyone, such as configuration files used in your code but not meant to be served to a browser.

Place files in WEB-INF

Place files in WEB-INF or a subdirectory of WEB-INF. Any files in WEB-INF or its subdirectories will automatically be protected from viewing.

Security constraint requiring role nobody

Use a security constraint that requires a role that nobody will ever have.

security-constraint to protect static files
<web-app>
  ...
  <!-- protect all .properties files -->
  <security-constraint>
    <web-resource-collection>
      <url-pattern>*.properties</url-pattern>
    </web-resource-collection>
    <auth-constraint role-name='nobody'/>
  </security-constraint>

  <!-- protect the config/ subdirectory -->
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/config/*</url-pattern>
    </web-resource-collection>
    <auth-constraint role-name='nobody'/>
  </security-constraint>
  ...
</web-app>

A servlet that returns a 403 error

Use a simple servlet that returns a 403 error, which means "Forbidden".

servlet to protect static files - WEB-INF/web.xml
<web-app>
  ...
  <servlet>
    <servlet-name>forbidden</servlet-name>
    <servlet-class>example.servlets.Forbidden</servlet-class>
  </servlet>

  <servlet-mapping url-pattern="*.properties" servlet-name="forbidden"/>
  <servlet-mapping url-pattern="/config/*" servlet-name="forbidden"/>
  ...
</web-app>

servlet to protect static files - WEB-INF/classes/example/servlets/Forbidden.java
package example.servlets;

import javax.servlet.*;
import javax.servlet.http.*;

import java.io.IOException;

/**
 * Respond with a 403 error
 */
public class Forbidden extends GenericServlet {
  public void service(ServletRequest request, ServletResponse response)
    throws ServletException, IOException
  {
    HttpServletResponse res = (HttpServletResponse) response;
    res.sendError(403);
  }
}


Copyright © 1998-2003 Caucho Technology, Inc. All rights reserved.
Resin® is a registered trademark, and HardCore™ and Quercus™ are trademarks of Caucho Technology, Inc.