resin login managers
The following are details on the login managers that can be used with Resin, along with example code to utilize as a starting point for your applications: child of web-app javadoc <resin:BasicLogin>
As the name implies, HTTP basic authentication is the simplest mechanism for gathering login data for web applications. When a web page is secured through HTTP basic authentication, the brower renders a simple dialog box for the user to enter login information. This information is then sent to the server in clear-text using well-defined HTTP headers. This authentication mechanism can be convenient for quick protection of internal pages or administration when writing a form isn't necessary. If you use basic authentication for applications outside the fire-wall, it is highly recommended that you secure the transport layer using SSL. The <resin:BasicLogin> tag is used to configure basic authentication. <web-app xmlns="http://caucho.com/ns/resin" xmlns:resin="urn:java:com.caucho.resin"> <resin:BasicLogin/> <resin:Allow url-pattern="/foo/*"> <resin:IfUserInRole role="user"/> </resin:Allow> <resin:XmlAuthenticator> ... </resin:XmlAuthenticator> </web-app> child of web-app javadoc <resin:DigestLogin>
The HTTP protocol includes a method to indicate to the client that it should digest the password before sending it to the server. This is basically a more secure variant of HTTP basic authentication. The browser submits a digest to Resin instead of submitting a clear-text password. HTTP digest authentication protects the password in transmission. When using the HTTP digest, Resin will respond to the browser when a secure URL is accessed and ask it to calculate a digest. The steps involved are:
The advantage of this method is that the clear-text password is protected in transmission, it cannot be determined from the digest that is submitted by the client to the server. The <resin:DigestLogin> tag is used to configure digest login. <web-app xmlns="http://caucho.com/ns/resin" xmlns:resin="urn:java:com.caucho.resin"> ... <resin:DigestLogin/> ... </web-app> javadoc <resin:FormLogin>
Form-based login is the most common way collecting login information. Using this login mechanism, you can plug-in a custom login page with a form storing login information (usually two input text fields for user-name and password). This custom login page can then be used with the Resin security framework. This allows for a much more seamless login mechanism integrated closely with your application, especially in terms of look and feel. When a URL is secured via form based login, the custom login form page is used to collect authentication information. If authentication succeeds, the user is redirected to the originally requested page. Otherwise, the user is forwarded to an error page (that can also be configured). A login page can be anything that renders a valid login form such as HTML, Servlet, JSP or JSF. A valid login form must have the action . It must also have the parameters and holding the username and password. Optionally, it can also have and . gives the next page to display when login succeeds. If the form-uri-priority is set to true, the user will be forwarded to the page regardless of what the originally requested page was. If the attribute is set to false (the default), the page is only used when the originally requested page was the login page itself. allows Resin to send a persistent cookie to the client to make subsequent logins automatic. When is set, Resin will store a persistent cookie on the client's machine after authentication succeeds. On all subsequent access, Resin detects the persistent cookie and automatically logs the user in instead of prompting for authentication. This essentially lets you implement "remember me" functionality common in many web-sites. By default, the authentication only lasts for a single session and no persistent login cookie is sent to the client.The following table outlines all the login parameters recognized by Resin:
<web-app xmlns="http://caucho.com/ns/resin" xmlns:resin="urn:java:com.caucho.resin"> ... <resin:FormLogin form-login-page="/login.html" form-error-page="/login_failure.html"/> ... </web-app> <form action='j_security_check' method='POST'> <table> <tr><td>User:<td><input name='j_username'> <tr><td>Password:<td><input name='j_password'> <tr><td colspan=2>hint: the password is 'quidditch' <tr><td><input type=submit> </table> </form>
|