resin authorization
| authentication method | ssl |
The <resin:Allow> tag is used to secure a particular URL pattern. Because it is affirmative, it must always include a nested condition expressing an authorization constraint. All access attempts that do not satisfy the authorization rule are denied access. This tag is the most common type of top level authorization tag.
| url-pattern | URL pattern describing the resource to be secured. |
| http-method | HTTP methods that the restriction applies to. |
<web-app xmlns="http://caucho.com/ns/resin"
xmlns:resin="urn:java:com.caucho.resin">
...
<resin:Allow url-pattern="/*">
<resin:IfUserInRole role="user"/>
</resin:Allow>
...
</web-app>
The <resin:Deny> tag is the opposite of the top level <resin:Allow>. It restricts access to a particular URL pattern based on any nested conditions. Access attempts that match the condition are denied access. If no conditions are specified, all access to a URL pattern is restricted.
| url-pattern | URL pattern describing the resource to be secured. |
| http-method | HTTP methods that the restriction applies to. |
<web-app xmlns="http://caucho.com/ns/resin"
xmlns:resin="urn:java:com.caucho.resin">
...
<!-- protect all .properties files -->
<resin:Deny url-pattern="*.properties"/>
<!-- protect the config/ subdirectory -->
<resin:Deny url-pattern="/config/*"/>
...
</web-app>
The resin:IfUserInRole condition enforces role-based security. It requires that authenticated users have a specified role.
| ATTRIBUTE | DESCRIPTION |
|---|---|
| role | Roles which are allowed to access the resource. |
The following is an example of how <resin:IfUserInRole> might be used:
<web-app xmlns="http://caucho.com/ns/resin"
xmlns:resin="urn:java:com.caucho.resin">
...
<resin:Allow url-pattern="/webdav/*">
<resin:IfUserInRole role='webdav'/>
</resin:Allow>
...
</web-app>
The <resin:IfNetwork> tag allows or denies requests based on the IP address of the client. IP-constraint is very useful for protecting administration resources to an internal network. It can also be useful for denying service to known problem IPs.
| ATTRIBUTE | DESCRIPTION | DEFAULT |
|---|---|---|
| value | An IP address to match (multiple allowed). | N/A |
| cache-size | The size of the IP address LRU cache used for performance. | 256 |
The /24 in the IP 192.168.17.0/24
means that the first 24 bits of the IP are matched - any IP address
that begins with 192.168.17. will match. The usage of
is optional.
<web-app xmlns="http://caucho.com/ns/resin"
xmlns:resin="urn:java:com.caucho.resin">
...
<resin:Allow url-pattern="/admin/*">
<resin:IfNetwork value="192.168.17.0/24"/>
</resin:Allow>
...
</web-app>
The following example shows how the tag can be used to construct an IP block list:
<web-app xmlns="http://caucho.com/ns/resin"
xmlns:resin="urn:java:com.caucho.resin">
...
<resin:Deny>
<resin:IfNetwork>
<resin:value>205.11.12.3</resin:value>
<resin:value>213.43.62.45</resin:value>
<resin:value>123.4.45.6</resin:value>
<resin:value>233.15.25.35</resin:value>
<resin:value>233.14.87.12</resin:value>
</resin:IfNetwork>
</resin:Deny>
...
</web-app>
Be careful with deny - some ISP's (like AOL) use proxies and the IP of many different users may appear to be the same IP to your server.
If only is used, then all IPs are allowed if they
do not match a deny. If only is used,
then an IP is denied unless it matches an allow. If both
are used, then the IP must match both an allow and a
deny
The <resin:IfSecure> tag restricts access to secure transports, usually SSL.
| ATTRIBUTE | DESCRIPTION | DEFAULT |
|---|---|---|
| value | A boolean value against which HttpServletRequest.isSecure is matched. | true |
In the following example, all pages in the web application are enforced to be accessible via SSL only.
<web-app xmlns="http://caucho.com/ns/resin"
xmlns:resin="urn:java:com.caucho.resin"
...
<resin:Allow>
<resin:IfSecure/>
</resin:Allow>
...
</web-app>
The default behaviour is for Resin to rewrite any URL that starts with "http:" by replacing the "http:" part with "https:", and then send a redirect to the browser because this configuration.
If the default rewriting of the host is not appropriate, you can set the secure-host-name for the host:
<resin xmlns="http://caucho.com/ns/resin">
<cluster id="app-tier">
...
<host id="...">
<secure-host-name>https://hogwarts.com</secure-host-name>
...
</resin>
Although extremely rare, it is sometimes useful to create a custom predicate (for example for encapsulating complex custom authorization logic). You can easily do this by extending com.caucho.rewrite.RequestPredicate. This essentially allows you to create your own <IfXXX> rule.
The following example demonstrates how to create a custom Resin predicate:
<web-app xmlns="http://caucho.com/ns/resin"
xmlns:resin="urn:java:com.caucho.resin"
xmlns:foo="urn:java:com.foo"
...
<resin:Allow url-pattern="/safe/*"
<foo:IfMyTest value="abcxyz"/>
</resin:Allow url-pattern="/safe/*"
...
</web-app>
package com.foo;
import javax.servlet.http.HttpServletRequest;
import com.caucho.security.ServletRequestPredicate;
public class IfMyTest extends ServletRequestPredicate {
private String value;
// Your custom attribute for the tag.
public void setValue(String value)
{
this.value = value;
}
// Here you must actually determine the match.
public boolean isMatch(HttpServletRequest request)
{
return value.equals(request.getHeader("Foo"));
}
}
| authentication method | ssl |
| Copyright © 1998-2011 Caucho Technology, Inc. All rights reserved. Resin ® is a registered trademark, and Quercustm, Ambertm, and Hessiantm are trademarks of Caucho Technology. |