Authentication provides a method for a username and password combination to be provided by a user and then verified by the web server. By using Resin's Authenticator API for login support, applications can add security without writing an entire authentication library.

Resin provides a predefined XML authenticator for user and password lookup in an XML file and a database authenticator for lookup in a database using JDBC. If the predefined authentication methods are inadequate, Resin provides an API to write custom authentication code.

Index

auth-method	Selects the authentication method
authenticator	Specifies a class to authenticate users
form-login-config	Configures authentication for forms
login-config	Configures the login class

Quick Start

The easiest authenticator to understand is the XmlAuthenticator. It lets you put users and passwords directly in the configuration file. The following example uses "Basic" authentication for login. Basic authentication asks the browser to pop open a window prompting for a username and password. (Basic authentication is discouraged because it is not secure unless you use it with SSL, but it's the easiest example.) The only user defined here is "Harry Potter" and he has the password "quidditch". He also plays the "user" role.

Using the XmlAuthenticator

<web-app xmlns="http://caucho.com/ns/resin"> ... <authenticator type="com.caucho.server.security.XmlAuthenticator"> <init> <user>Harry Potter:quidditch:user</user> <password-digest>none</password-digest> </init> </authenticator> <login-config auth-method='basic'/> <security-constraint url-pattern='/users-only/*' role-name='user'/> ... </web-app>

In the above example, the <security-constraint> checks for authorization. Only users playing the "user" role can access the /users-only directory.

Another often used authenticator is the JdbcAuthenticator, which uses usernames, passwords, and roles stored in a database.

<web-app xmlns="http://caucho.com/ns/resin"> ... <!-- Resin-specific JdbcAuthenticator --> <authenticator type='com.caucho.server.security.JdbcAuthenticator'> <init> <data-source>test</data-source> <password-query> SELECT password FROM LOGIN WHERE username=? </password-query> <cookie-auth-query> SELECT username FROM LOGIN WHERE cookie=? </cookie-auth-query> <cookie-auth-update> UPDATE LOGIN SET cookie=? WHERE username=? </cookie-auth-update> <role-query> SELECT role FROM LOGIN WHERE username=? </role-query> </init> </authenticator> <login-config auth-method='basic'/> <security-constraint url-pattern='/users-only/*' role-name='user'/> ... </web-app>

Configuration

login-config

auth-method

form-login-config

authenticator

Resin 1.1

XmlAuthenticator

Resin 2.0.4

The XmlAuthenticator (com.caucho.serer.security.XmlAuthenticator), stores the authentication in either an xml file or in the configuration itself.

When configuring the XmlAuthenticator in the resin.conf (or web.xml), each user adds a new configured user. The value contains the username, password, and the roles the user plays.

XmlAuthenticator in resin.conf

<authenticator type="com.caucho.server.security.XmlAuthenticator"> <init> <user>Harry Potter:quidditch:user,gryffindor</user> <user>Draco Malfoy:pureblood:user,slytherin</user> <password-digest>none</password-digest> </init> </authenticator>

Because the plain text passwords in the example above are a serious security issue, most sites will use the password-digest attribute described below to protect the passwords.

attribute	meaning	default
user	specifies an allowed user. May be repeated.	none
password-digest	selects the signature method to protect the password	md5-base64
path	specifies a path to an XML file containing the users and passwords.	none
logout-on-session-timeout	If true, the user will be logged out when the session times out	true

The passwords can be specified in a separate *.xml file. The password file looks like:

password.xml

<authenticator> <user name='Harry Potter' password='quidditch' role='gryffindor'/> <user name='Draco Malfoy' password='pureblood' role='slytherin'/> </authenticator>

Sites should use password-digest to protect the passwords.

JdbcAuthenticator

Resin 2.0

The JdbcAuthenticator (class com.caucho.server.security.JdbcAuthenticator ) asks a backend database for the password matching the user's name. It uses the DataSource specified by the pool-name option, or the JNDI java:comp/env/jdbc/db-pool by default. pool-name refers to a DataSource configured with database .

The following are the attributes for the JdbcAuthenticator:

attribute	meaning	default
data-source	The database pool. Looks in the application attributes first, then in the global database pools.	none
password-query	A SQL query to get the user's password. The default query is given below.	see below
cookie-auth-query	A SQL query to authenticate the user by a persistent cookie.	none
cookie-auth-update	A SQL update to match a persistent cookie to a user.	none
role-query	A SQL query to determine the user's role. By default, all users are in role "user", but no others.	none
password-digest	Specifies the digest algorithm and format (Resin 2.0.4)	md5-base64
logout-on-session-timeout	If true, the user will be logged out when the session times out (Resin 2.0.6)	true

<web-app xmlns="http://caucho.com/ns/resin"> ... <!-- Resin-specific JdbcAuthenticator --> <authenticator type='com.caucho.server.security.JdbcAuthenticator'> <init> <data-source>test</data-source> <password-query> SELECT password FROM LOGIN WHERE username=? </password-query> <cookie-auth-query> SELECT username FROM LOGIN WHERE cookie=? </cookie-auth-query> <cookie-auth-update> UPDATE LOGIN SET cookie=? WHERE username=? </cookie-auth-update> <role-query> SELECT role FROM LOGIN WHERE username=? </role-query> </init> </authenticator> <login-config auth-method='basic'/> <security-constraint url-pattern='/users-only/*' role-name='user'/> ... </web-app>

AuthenticationList

3.0.9

AuthenticatorList (class com.caucho.server.security.AuthenticatorList ) is used to configure more than one authenticator in a list, each authenticator is tried in turn and if the authentication fails the next authenticator in the list is attempted.

<authenticator type="com.caucho.server.security.AuthenticatorList"> <init> <authenticator resin:type="com.caucho.server.security.XmlAuthenticator"> <user>admin:NIHlOSafJN2H7emQCkOQ2w==:user,admin</user> </authenticator> <authenticator resin:type='com.caucho.server.security.JdbcAuthenticator'> <data-source>jdbc/users</data-source> <password-query> SELECT password FROM LOGIN WHERE username=? </password-query> <cookie-auth-query> SELECT username FROM LOGIN WHERE cookie=? </cookie-auth-query> <cookie-auth-update> UPDATE LOGIN SET cookie=? WHERE username=? </cookie-auth-update> <role-query> SELECT role FROM LOGIN WHERE username=? </role-query> </authenticator> </init> </authenticator> <login-config auth-method='basic'/> <security-constraint url-pattern='/users/*' role-name='user'/> <security-constraint url-pattern='/admin/*' role-name='admin'/>

PasswordDigest

Resin 2.0.4

Resin has the capability of storing the digest of a password instead of the password itself. By using the password digest, the application can avoid storing the password in a form that someone can read.

Setting <password-digest> of any authenticator extending class com.caucho.server.security.AbstractAuthenticator will create a digest of the password. The password-digest has two parts: the digest algorithm and the encoding format. "MD5-base64" is a typical digest format, and is the default for the Resin authenticators..

The use of a password digest is more completely described in Digest Passwords .

Single Signon

Resin 3.0.0

"Single signon" refers to allowing for a single login for more than one context, for example, logging in to all web-apps in a server at once. You can implement single signon by configuring the authenticator in the proper environment: web-app, host, or server. The login will last for all the web-apps in that environment.

The authenticator is a resource which is shared across its environment . For example, to configure the XML authenticator for all web-apps in foo.com, you might configure as follows:

Single Signon for foo.com

<resin xmlns="http://caucho.com/ns/resin"> <server> <http port="8080"/> <host id="foo.com"> <root-directory>/opt/foo.com</root-directory> <authenticator type="com.caucho.server.security.XmlAuthenticator"> <init> <user>harry:uTOZTGaB6pooMDvqvl2LBu:user,gryffindor</user> <!-- password: pureblood --> <user>dmalfoy:yI2uN1l97Rv5E6mdRnDFDB:user,slytherin</user> </init> </authenticator> <web-app-deploy path="webapps"/> </host> </server> </resin>

Any .war in the webapps directory will share the same signon for the host. You will still need to implement a login-config for each web-app.

Custom Login

The Login is primarily responsible for extracting the credentials from the request (typically username and password) and passing those to the ServletAuthenticator.

The Servlet API calls the Login in two contexts: directly from ServletRequest.getUserPrincipal(), and during security checking. When called from the Servlet API, the login class can't change the response. In other words, if an application calls getUserPrincipal(), the Login class can't return a forbidden error page. When the servlet engine calls authenticate(), the login class can return an error page (or forward internally.)

Normally, Login implementations will defer the actual authentication to a ServletAuthenticator class. That way, both "basic" and "form" login can use the same JdbcAuthenticator. Some applications, like SSL client certificate login, may want to combine the Login and authentication into one class.

Login instances are configured through bean introspection. Adding a public setFoo(String foo) method will be configured with the following login-config:

<login-config type="test.CustomLogin"> <init> <foo>bar</bar> </init> </login-config>

Copyright © 1998-2005 Caucho Technology, Inc. All rights reserved. Resin® is a registered trademark, and HardCoretm and Quercustm are trademarks of Caucho Technology, Inc.