Caucho Technology
  • resin 4.0
  • resin authorization


    <resin:Allow>

    child of web-app

    The <resin:Allow> tag is used to secure a particular URL pattern. Because it is affirmative, it must always include a nested condition expressing an authorization constraint. All access attempts that do not satisfy the authorization rule are denied access. This tag is the most common type of top level authorization tag.

    <resin:Allow> Attributes
    url-patternURL pattern describing the resource to be secured.
    http-methodHTTP methods that the restriction applies to.
    Protecting all pages for logged-in users
    <web-app xmlns="http://caucho.com/ns/resin"
                xmlns:resin="urn:java:com.caucho.resin">
      ...
      <resin:Allow url-pattern="/*">
        <resin:IfUserInRole role="user"/>
      </resin:Allow>
      ...
    </web-app>
    

    <resin:Deny>

    javadoc <resin:Deny>

    The <resin:Deny> tag is the opposite of the top level <resin:Allow>. It restricts access to a particular URL pattern based on any nested conditions. Access attempts that match the condition are denied access. If no conditions are specified, all access to a URL pattern is restricted.

    <resin:Deny> Attributes
    url-patternURL pattern describing the resource to be secured.
    http-methodHTTP methods that the restriction applies to.
    Security-constraint to protect static files
    <web-app xmlns="http://caucho.com/ns/resin"
                xmlns:resin="urn:java:com.caucho.resin">
      ...
      <!-- protect all .properties files -->
      <resin:Deny url-pattern="*.properties"/>
    
      <!-- protect the config/ subdirectory -->
      <resin:Deny url-pattern="/config/*"/>
      ...
    </web-app>
    

    <resin:IfUserInRole>

    The resin:IfUserInRole condition enforces role-based security. It requires that authenticated users have a specified role.

    <resin:IfUserInRole> Attributes
    ATTRIBUTEDESCRIPTION
    roleRoles which are allowed to access the resource.

    The following is an example of how <resin:IfUserInRole> might be used:

    WEB-INF/resin-web.xml Protecting WebDav for WebDav Users
    <web-app xmlns="http://caucho.com/ns/resin"
                xmlns:resin="urn:java:com.caucho.resin">
      ...
      <resin:Allow url-pattern="/webdav/*">
        <resin:IfUserInRole role='webdav'/>
      </resin:Allow>
      ...  
    </web-app>
    

    <resin:IfNetwork>

    The <resin:IfNetwork> tag allows or denies requests based on the IP address of the client. IP-constraint is very useful for protecting administration resources to an internal network. It can also be useful for denying service to known problem IPs.

    <resin:IfNetwork> Attributes
    ATTRIBUTEDESCRIPTIONDEFAULT
    valueAn IP address to match (multiple allowed).N/A
    cache-sizeThe size of the IP address LRU cache used for performance.256

    The /24 in the IP 192.168.17.0/24 means that the first 24 bits of the IP are matched - any IP address that begins with 192.168.17. will match. The usage of /bits is optional.

    Admin Pages Allowed Only from 192.168.17.0/24
    <web-app xmlns="http://caucho.com/ns/resin"
                xmlns:resin="urn:java:com.caucho.resin">
      ...
      <resin:Allow url-pattern="/admin/*">
        <resin:IfNetwork value="192.168.17.0/24"/>
      </resin:Allow>
      ...
    </web-app>
    

    The following example shows how the tag can be used to construct an IP block list:

    Block-out Known Trouble-Makers
    <web-app xmlns="http://caucho.com/ns/resin"
                xmlns:resin="urn:java:com.caucho.resin">
      ...
      <resin:Deny>
        <resin:IfNetwork>
           <resin:value>205.11.12.3</resin:value>
           <resin:value>213.43.62.45</resin:value>
           <resin:value>123.4.45.6</resin:value>
           <resin:value>233.15.25.35</resin:value>
           <resin:value>233.14.87.12</resin:value>
        </resin:IfNetwork>
      </resin:Deny>
      ...
    </web-app>
    

    Be careful with deny - some ISP's (like AOL) use proxies and the IP of many different users may appear to be the same IP to your server.

    If only deny is used, then all IPs are allowed if they do not match a deny. If only allow is used, then an IP is denied unless it matches an allow. If both are used, then the IP must match both an allow and a deny

    <resin:IfSecure>

    The <resin:IfSecure> tag restricts access to secure transports, usually SSL.

    <resin:IfSecure> Attributes
    ATTRIBUTEDESCRIPTIONDEFAULT
    valueA boolean value against which HttpServletRequest.isSecure is matched.true

    In the following example, all pages in the web application are enforced to be accessible via SSL only.

    WEB-INF/resin-web.xml
    <web-app xmlns="http://caucho.com/ns/resin"
                xmlns:resin="urn:java:com.caucho.resin"
      ...	 
      <resin:Allow>
        <resin:IfSecure/>
      </resin:Allow>
      ...  
    </web-app>
    

    The default behaviour is for Resin to rewrite any URL that starts with "http:" by replacing the "http:" part with "https:", and then send a redirect to the browser because this configuration.

    If the default rewriting of the host is not appropriate, you can set the secure-host-name for the host:

    WEB-INF/resin-web.xml
    <resin xmlns="http://caucho.com/ns/resin">
    <cluster id="app-tier">
      ...  
      <host id="...">
        <secure-host-name>https://hogwarts.com</secure-host-name>
        ...
    </resin> 
    

    ServletRequestPredicate

    Although extremely rare, it is sometimes useful to create a custom predicate (for example for encapsulating complex custom authorization logic). You can easily do this by extending com.caucho.rewrite.RequestPredicate. This essentially allows you to create your own <IfXXX> rule.

    The following example demonstrates how to create a custom Resin predicate:

    WEB-INF/resin-web.xml - Custom rule
    <web-app xmlns="http://caucho.com/ns/resin"
             xmlns:resin="urn:java:com.caucho.resin"
             xmlns:foo="urn:java:com.foo"
     ...
     <resin:Allow url-pattern="/safe/*"
        <foo:IfMyTest value="abcxyz"/>
     </resin:Allow url-pattern="/safe/*"
     ...
    </web-app>
    
    package com.foo;
    
    import javax.servlet.http.HttpServletRequest;
    import com.caucho.security.ServletRequestPredicate;
    
    public class IfMyTest extends ServletRequestPredicate {
      private String value;
    
      // Your custom attribute for the tag.
      public void setValue(String value)
      {
        this.value = value;
      }
    
      // Here you must actually determine the match.
      public boolean isMatch(HttpServletRequest request)
      {
        return value.equals(request.getHeader("Foo"));
      }
    }
    

    Copyright © 1998-2011 Caucho Technology, Inc. All rights reserved.
    Resin ® is a registered trademark, and Quercustm, Ambertm, and Hessiantm are trademarks of Caucho Technology.