 Authentication Configuration

web-app/login-config
auth-method Selects the authentication method.
form-login-config Configures authentication for forms.
authenticator Specifies a class to authenticate users.
security-constraint Selects protected areas of the web site.
security-constraint/web-resource-collection Specifies a collection of areas of the web site.
security-constraint/auth-constraint Requires that authenticated users fill the specified role.
security-constraint/user-data-constraint Restricts access to secure transports, i.e. SSL.

<http-server>
  <!-- Resin DBPool for the JdbcAuthenticator -->
  <db-pool id="my-db-pool"
     driver="org.gjt.mm.mysql.Driver"
     url="jdbc:mysql://localhost:3306/test"
     user=""
     password=""/>
     
  <login-config auth-method='form'>
    <form-login-config>
      <form-login-page>/login.html</form-login-page>
      <form-error-page>/error.html</form-error-page>
    </form-login-config>
    
    <!-- Resin-specific JdbcAuthenticator -->
    <authenticator id='com.caucho.server.http.JdbcAuthenticator'>
      <password-query>
        SELECT password FROM LOGIN WHERE username=?
      </password-query>
    </authenticator>
  </login-config>
</http-server>

web-app/login-config

auth-method

Selects the authentication method.

basic HTTP Basic authentication
form Form-based authentication

form-login-config

Configures authentication for forms. The login form has specific parameters that the servlet engine's login form processing understands. If the login succeeds, the user will see the original page. If it fails, she will see the error page.

form-login-page The page used to prompt the user to log in
form-error-page The error page for unsuccessful login

The form itself must have the action j_security_check. It must also have the parameters j_username and j_password. Optionally, it can also have j_uri and j_use_cookie_auth. j_uri gives the next page to display when login succeeds. j_use_cookie_auth allows Resin to send a persistent cookie to the user to make subsequent logins easier.

j_security_check The form's mandatory action
j_username The user name
j_password The password
j_uri Optional Resin extension for the successful display page.
j_use_cookie_auth Optional Resin extension to allow cookie login.

The following is an example of a servlet-standard login page:

<form action='j_security_check' method='POST'>
<table>
<tr><td>User:<td><input name='j_username'>
<tr><td>Password:<td><input type='password' name='j_password'>
<tr><td colspan=2>hint: the password is 'quidditch'
<tr><td><input type=submit>
</table>
</form>

authenticator

Resin 1.1

Specifies a class to authenticate users. This Resin-specific option lets you control your authentication. You can either create your own custom authenticator, or use Resin's JdbcAuthenticator.

The JdbcAuthenticator (com.caucho.server.http.JdbcAuthenticator) asks a backend database for the password matching the user's name. It uses the DBPool specified by the db-pool option, or caucho.db-pool by default. db-pool refers to an application attribute with the given name or to a global dbpool.sql.

The following are the attributes for the JdbcAuthenticator:

db-pool The database pool. Looks in the application attributes first, then in the global database pools.
password-query A SQL query to get the user's password. The default query is given below.
cookie-auth-query A SQL query to authenticate the user by a persistent cookie.
cookie-auth-update A SQL update to match a persistent cookie to a user.
role-query A SQL query to determine the user's role. By default, all users are in role "user", but no others.

<!-- Resin-specific JdbcAuthenticator -->
<authenticator id='com.caucho.server.http.JdbcAuthenticator'>
  <db-pool>test</db-pool>
  <password-query>
    SELECT password FROM LOGIN WHERE username=?
  </password-query>
  <cookie-auth-query>
    SELECT username FROM LOGIN WHERE cookie=?
  </cookie-auth-query>
  <cookie-auth-update>
    UPDATE LOGIN SET cookie=? WHERE username=?
  </cookie-auth-update>
  <role-query>
    SELECT role FROM LOGIN WHERE username=?
  </role-query>
</authenticator>

security-constraint

Selects protected areas of the web site. Sites using authentication as an optional personalization feature will typically not use any security constraints.

<security-constraint>
  <web-resource-collection>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint role-name='user'/>
</security-constraint>

security-constraint/web-resource-collection

Specifies a collection of areas of the web site.

url-pattern URL patterns describing the resource
method HTTP methods to be restricted.

security-constraint/auth-constraint

Requires that authenticated users fill the specified role. In Resin's JdbcAuthenticator, normal users are in the "user" role. Think of a role as a group of users.

role-name Roles which are allowed to access the resource.

security-constraint/user-data-constraint

Restricts access to secure transports, i.e. SSL.

transport-guarantee Required transport properties. NONE, INTEGRAL, and CONFIDENTIAL are allowed values.
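
An added example, not part of the Resin documentation or Resin's code: a small Python check that reads a web-app configuration and lists the protected URL patterns whose constraint requires a role but does not require a CONFIDENTIAL transport, so nothing in the configuration restricts those areas to SSL. The sample configuration, its URL patterns and the function names are constructed for illustration; the check assumes the file is well-formed XML and treats a missing user-data-constraint as NONE.

```python
import xml.etree.ElementTree as ET

# Constructed sample config (not from the Resin distribution). Element names
# follow this page; the URL patterns are assumptions for illustration.
SAMPLE = """
<web-app>
  <login-config auth-method='form'/>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/account/*</url-pattern>
    </web-resource-collection>
    <auth-constraint role-name='user'/>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint role-name='user'/>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>
"""

def value(node, name):
    """Read a setting given either as an attribute or as a child element."""
    if node is None:
        return None
    text = node.get(name) or node.findtext(name)
    return text.strip() if text else None

def audit(config_xml):
    """Return (url-pattern, role, guarantee) for each constraint that
    requires a role but does not require a CONFIDENTIAL transport."""
    findings = []
    for sc in ET.fromstring(config_xml).iter("security-constraint"):
        role = value(sc.find("auth-constraint"), "role-name")
        # Assumption: no user-data-constraint is treated as NONE.
        guarantee = value(sc.find("user-data-constraint"), "transport-guarantee") or "NONE"
        if role and guarantee.upper() != "CONFIDENTIAL":
            for pat in sc.iter("url-pattern"):
                findings.append((pat.text.strip(), role, guarantee))
    return findings

if __name__ == "__main__":
    for pattern, role, guarantee in audit(SAMPLE):
        print(f"{pattern}: role '{role}' required, transport-guarantee={guarantee}")
```
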

Copyright © 1998-2000 Caucho Technology. All rights reserved.
Last modified: Thu, 02 Mar 2000 11:58:26 -0800 (PST)