resin authorization
child of web-app javadoc <resin:Allow>
The <resin:Allow> tag is used to secure a particular URL pattern. Because it is affirmative, it must always include a nested condition expressing an authorization constraint. All access attempts that do not satisfy the authorization rule are denied access. This tag is the most common type of top level authorization tag.
<web-app xmlns="http://caucho.com/ns/resin" xmlns:resin="urn:java:com.caucho.resin"> ... <resin:Allow url-pattern="/*"> <resin:IfUserInRole role="user"/> </resin:Allow> ... </web-app> javadoc <resin:Deny>
The <resin:Deny> tag is the opposite of the top level <resin:Allow>. It restricts access to a particular URL pattern based on any nested conditions. Access attempts that match the condition are denied access. If no conditions are specified, all access to a URL pattern is restricted.
<web-app xmlns="http://caucho.com/ns/resin" xmlns:resin="urn:java:com.caucho.resin"> ... <!-- protect all .properties files --> <resin:Deny url-pattern="*.properties"/> <!-- protect the config/ subdirectory --> <resin:Deny url-pattern="/config/*"/> ... </web-app> javadoc <resin:IfUserInRole>
The resin:IfUserInRole condition enforces role-based security. It requires that authenticated users have a specified role.
The following is an example of how <resin:IfUserInRole> might be used: <web-app xmlns="http://caucho.com/ns/resin" xmlns:resin="urn:java:com.caucho.resin"> ... <resin:Allow url-pattern="/webdav/*"> <resin:IfUserInRole role='webdav'/> </resin:Allow> ... </web-app> javadoc <resin:IfNetwork>
The <resin:IfNetwork> tag allows or denies requests based on the IP address of the client. IP-constraint is very useful for protecting administration resources to an internal network. It can also be useful for denying service to known problem IPs.
The <web-app xmlns="http://caucho.com/ns/resin" xmlns:resin="urn:java:com.caucho.resin"> ... <resin:Allow url-pattern="/admin/*"> <resin:IfNetwork value="192.168.17.0/24"/> </resin:Allow> ... </web-app> The following example shows how the tag can be used to construct an IP block list: <web-app xmlns="http://caucho.com/ns/resin" xmlns:resin="urn:java:com.caucho.resin"> ... <resin:Deny> <resin:IfNetwork> <resin:value>205.11.12.3</resin:value> <resin:value>213.43.62.45</resin:value> <resin:value>123.4.45.6</resin:value> <resin:value>233.15.25.35</resin:value> <resin:value>233.14.87.12</resin:value> </resin:IfNetwork> </resin:Deny> ... </web-app> Be careful with deny - some ISP's (like AOL) use proxies and the IP of many different users may appear to be the same IP to your server. If only javadoc <resin:IfSecure>
The <resin:IfSecure> tag restricts access to secure transports, usually SSL.
In the following example, all pages in the web application are enforced to be accessible via SSL only. <web-app xmlns="http://caucho.com/ns/resin" xmlns:resin="urn:java:com.caucho.resin" ... <resin:Allow> <resin:IfSecure/> </resin:Allow> ... </web-app> The default behaviour is for Resin to rewrite any URL that starts with "http:" by replacing the "http:" part with "https:", and then send a redirect to the browser because this configuration. If the default rewriting of the host is not appropriate, you can set the secure-host-name for the host: <resin xmlns="http://caucho.com/ns/resin"> <cluster id="app-tier"> ... <host id="..."> <secure-host-name>https://hogwarts.com</secure-host-name> ... </resin> Although extremely rare, it is sometimes useful to create a custom predicate (for example for encapsulating complex custom authorization logic). You can easily do this by extending com.caucho.rewrite.RequestPredicate. This essentially allows you to create your own <IfXXX> rule. The following example demonstrates how to create a custom Resin predicate: <web-app xmlns="http://caucho.com/ns/resin" xmlns:resin="urn:java:com.caucho.resin" xmlns:foo="urn:java:com.foo" ... <resin:Allow url-pattern="/safe/*" <foo:IfMyTest value="abcxyz"/> </resin:Allow url-pattern="/safe/*" ... </web-app> package com.foo; import javax.servlet.http.HttpServletRequest; import com.caucho.security.ServletRequestPredicate; public class IfMyTest extends ServletRequestPredicate { private String value; // Your custom attribute for the tag. public void setValue(String value) { this.value = value; } // Here you must actually determine the match. public boolean isMatch(HttpServletRequest request) { return value.equals(request.getHeader("Foo")); } }
|