Caucho Technology

resin authorization


<resin:Allow>

child of web-app

The <resin:Allow> tag is used to secure a particular URL pattern. Because it is affirmative, it must always include a nested condition expressing an authorization constraint. All access attempts that do not satisfy the authorization rule are denied access. This tag is the most common type of top level authorization tag.

<resin:Allow> Attributes
ATTRIBUTE      DESCRIPTION
url-pattern    URL pattern describing the resource to be secured.
http-method    HTTP methods that the restriction applies to.

Protecting all pages for logged-in users
<web-app xmlns="http://caucho.com/ns/resin"
            xmlns:resin="urn:java:com.caucho.resin">
  ...
  <resin:Allow url-pattern="/*">
    <resin:IfUserInRole role="user"/>
  </resin:Allow>
  ...
</web-app>

<resin:Deny>


The <resin:Deny> tag is the opposite of the top level <resin:Allow>. It restricts access to a particular URL pattern based on any nested conditions. Access attempts that match the condition are denied access. If no conditions are specified, all access to a URL pattern is restricted.

<resin:Deny> Attributes
ATTRIBUTE      DESCRIPTION
url-pattern    URL pattern describing the resource to be secured.
http-method    HTTP methods that the restriction applies to.

Security-constraint to protect static files
<web-app xmlns="http://caucho.com/ns/resin"
            xmlns:resin="urn:java:com.caucho.resin">
  ...
  <!-- protect all .properties files -->
  <resin:Deny url-pattern="*.properties"/>

  <!-- protect the config/ subdirectory -->
  <resin:Deny url-pattern="/config/*"/>
  ...
</web-app>

<resin:IfUserInRole>

The <resin:IfUserInRole> condition enforces role-based security. It requires that authenticated users have a specified role.

<resin:IfUserInRole> Attributes
ATTRIBUTE      DESCRIPTION
role           Roles which are allowed to access the resource.

The following is an example of how <resin:IfUserInRole> might be used:

WEB-INF/resin-web.xml Protecting WebDav for WebDav Users
<web-app xmlns="http://caucho.com/ns/resin"
            xmlns:resin="urn:java:com.caucho.resin">
  ...
  <resin:Allow url-pattern="/webdav/*">
    <resin:IfUserInRole role='webdav'/>
  </resin:Allow>
  ...  
</web-app>

<resin:IfNetwork>

The <resin:IfNetwork> tag allows or denies requests based on the IP address of the client. IP-constraint is very useful for protecting administration resources to an internal network. It can also be useful for denying service to known problem IPs.

<resin:IfNetwork> Attributes
ATTRIBUTE      DESCRIPTION                                                  DEFAULT
value          An IP address to match (multiple allowed).                   N/A
cache-size     The size of the IP address LRU cache used for performance.   256

The /24 in the IP 192.168.17.0/24 means that the first 24 bits of the IP are matched - any IP address that begins with 192.168.17. will match. The usage of /bits is optional.

Admin Pages Allowed Only from 192.168.17.0/24
<web-app xmlns="http://caucho.com/ns/resin"
            xmlns:resin="urn:java:com.caucho.resin">
  ...
  <resin:Allow url-pattern="/admin/*">
    <resin:IfNetwork value="192.168.17.0/24"/>
  </resin:Allow>
  ...
</web-app>

The following example shows how the tag can be used to construct an IP block list:

Block-out Known Trouble-Makers
<web-app xmlns="http://caucho.com/ns/resin"
            xmlns:resin="urn:java:com.caucho.resin">
  ...
  <resin:Deny>
    <resin:IfNetwork>
       <resin:value>205.11.12.3</resin:value>
       <resin:value>213.43.62.45</resin:value>
       <resin:value>123.4.45.6</resin:value>
       <resin:value>233.15.25.35</resin:value>
       <resin:value>233.14.87.12</resin:value>
    </resin:IfNetwork>
  </resin:Deny>
  ...
</web-app>

Be careful with deny - some ISPs (like AOL) use proxies, so the requests of many different users may appear to your server to come from the same IP.

If only deny is used, then all IPs are allowed if they do not match a deny. If only allow is used, then an IP is denied unless it matches an allow. If both are used, then the IP must match both an allow and a deny.
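As an added example that is not part of the Resin documentation or of Resin's own code, the following Python models the two rules above: the optional /bits prefix match on a value such as 192.168.17.0/24, and the way a top-level <resin:Allow> or <resin:Deny> wrapping <resin:IfNetwork> decides a request. The function names and the convention that None stands for "no nested condition" are assumptions of this model, not Resin APIs.

```python
# Added example (not Resin's code): models <resin:IfNetwork> value matching and
# the top-level <resin:Allow> / <resin:Deny> decision built on that condition.
import ipaddress


def ip_matches(value: str, client_ip: str) -> bool:
    """True when the first N bits of client_ip equal those of value.

    '/bits' is optional; a bare address means all 32 bits must match,
    exactly as a single <resin:value> entry in a block list does.
    """
    if "/" in value:
        addr, bits_str = value.split("/", 1)
        bits = int(bits_str)
    else:
        addr, bits = value, 32
    if not 0 <= bits <= 32:
        raise ValueError(f"bad prefix length in {value!r}")
    net = int(ipaddress.IPv4Address(addr))
    cli = int(ipaddress.IPv4Address(client_ip))
    mask = (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF
    return (net & mask) == (cli & mask)


def if_network(values, client_ip: str) -> bool:
    """The condition holds when any configured value matches the client."""
    return any(ip_matches(v, client_ip) for v in values)


def allow_rule(values, client_ip: str) -> bool:
    """<resin:Allow><resin:IfNetwork .../></resin:Allow>:
    only clients satisfying the condition are granted access."""
    return if_network(values, client_ip)


def deny_rule(values, client_ip: str) -> bool:
    """<resin:Deny>[<resin:IfNetwork .../>]</resin:Deny>:
    clients satisfying the condition are refused; values=None models a
    <resin:Deny> with no nested condition, which refuses everyone."""
    if values is None:
        return False
    return not if_network(values, client_ip)


# Sample networks: the admin subnet and two block-list entries from the page.
ADMIN_NET = ["192.168.17.0/24"]
BLOCK_LIST = ["205.11.12.3", "213.43.62.45"]

if __name__ == "__main__":
    for ip in ("192.168.17.42", "192.168.18.1", "205.11.12.3"):
        print(ip, "admin allowed:", allow_rule(ADMIN_NET, ip),
              "site allowed:", deny_rule(BLOCK_LIST, ip))
```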

<resin:IfSecure>

The <resin:IfSecure> tag restricts access to secure transports, usually SSL.

<resin:IfSecure> Attributes
ATTRIBUTE      DESCRIPTION                                                        DEFAULT
value          A boolean value against which HttpServletRequest.isSecure is matched.   true

In the following example, every page in the web application is made accessible over SSL only.

WEB-INF/resin-web.xml
<web-app xmlns="http://caucho.com/ns/resin"
            xmlns:resin="urn:java:com.caucho.resin">
  ...
  <resin:Allow>
    <resin:IfSecure/>
  </resin:Allow>
  ...
</web-app>

With this configuration, Resin's default behaviour for a request whose URL starts with "http:" is to rewrite it by replacing "http:" with "https:" and then send a redirect to that URL to the browser.

If the default rewriting of the host is not appropriate, you can set the secure-host-name for the host:

WEB-INF/resin-web.xml
<resin xmlns="http://caucho.com/ns/resin">
<cluster id="app-tier">
  ...
  <host id="...">
    <secure-host-name>https://hogwarts.com</secure-host-name>
    ...
  </host>
</cluster>
</resin>

ServletRequestPredicate

Although extremely rare, it is sometimes useful to create a custom predicate (for example for encapsulating complex custom authorization logic). You can easily do this by extending com.caucho.rewrite.RequestPredicate. This essentially allows you to create your own <IfXXX> rule.

The following example demonstrates how to create a custom Resin predicate:

WEB-INF/resin-web.xml - Custom rule
<web-app xmlns="http://caucho.com/ns/resin"
         xmlns:resin="urn:java:com.caucho.resin"
         xmlns:foo="urn:java:com.foo">
 ...
 <resin:Allow url-pattern="/safe/*">
    <foo:IfMyTest value="abcxyz"/>
 </resin:Allow>
 ...
</web-app>
package com.foo;

import javax.servlet.http.HttpServletRequest;
import com.caucho.security.ServletRequestPredicate;

// Implements the <foo:IfMyTest value="..."/> rule used in the configuration above.
public class IfMyTest extends ServletRequestPredicate {
  private String value;

  // Your custom attribute for the tag; Resin populates it from the
  // value="..." attribute when it builds the rule from resin-web.xml.
  public void setValue(String value)
  {
    this.value = value;
  }

  // Here you must actually determine the match: the request satisfies the
  // rule only when its "Foo" header equals the configured value. A missing
  // attribute or header yields false instead of a NullPointerException.
  public boolean isMatch(HttpServletRequest request)
  {
    return value != null && value.equals(request.getHeader("Foo"));
  }
}

Copyright © 1998-2011 Caucho Technology, Inc. All rights reserved.
Resin® is a registered trademark, and Quercus™, Amber™, and Hessian™ are trademarks of Caucho Technology.