Caucho maker of Resin Server | Application Server (Java EE Certified) and Web Server
Resin Documentation
resin authorization


<resin:Allow>

child of <web-app>

The <resin:Allow> tag is used to secure a particular URL pattern. Because it is affirmative, it must always include a nested condition expressing an authorization constraint. All access attempts that do not satisfy the authorization rule are denied. This tag is the most common type of top-level authorization tag.

<resin:Allow> Attributes

  ATTRIBUTE     DESCRIPTION
  url-pattern   URL pattern describing the resource to be secured.
  http-method   HTTP methods that the restriction applies to.

Protecting all pages for logged-in users
<web-app xmlns="http://caucho.com/ns/resin"
            xmlns:resin="urn:java:com.caucho.resin">
  ...
  <resin:Allow url-pattern="/*">
    <resin:IfUserInRole role="user"/>
  </resin:Allow>
  ...
</web-app>

<resin:Deny>


The <resin:Deny> tag is the opposite of the top-level <resin:Allow>. It restricts access to a particular URL pattern based on any nested conditions. Access attempts that match the condition are denied. If no conditions are specified, all access to the URL pattern is restricted.

<resin:Deny> Attributes

  ATTRIBUTE     DESCRIPTION
  url-pattern   URL pattern describing the resource to be secured.
  http-method   HTTP methods that the restriction applies to.

Security-constraint to protect static files
<web-app xmlns="http://caucho.com/ns/resin"
            xmlns:resin="urn:java:com.caucho.resin">
  ...
  <!-- protect all .properties files -->
  <resin:Deny url-pattern="*.properties"/>

  <!-- protect the config/ subdirectory -->
  <resin:Deny url-pattern="/config/*"/>
  ...
</web-app>

<resin:IfUserInRole>

The <resin:IfUserInRole> condition enforces role-based security. It requires that authenticated users have a specified role.

<resin:IfUserInRole> Attributes

  ATTRIBUTE     DESCRIPTION
  role          Roles which are allowed to access the resource.

The following is an example of how <resin:IfUserInRole> might be used:

WEB-INF/resin-web.xml Protecting WebDav for WebDav Users
<web-app xmlns="http://caucho.com/ns/resin"
            xmlns:resin="urn:java:com.caucho.resin">
  ...
  <resin:Allow url-pattern="/webdav/*">
    <resin:IfUserInRole role='webdav'/>
  </resin:Allow>
  ...  
</web-app>

<resin:IfNetwork>

The <resin:IfNetwork> tag allows or denies requests based on the IP address of the client. An IP constraint is very useful for restricting administration resources to an internal network. It can also be useful for denying service to known problem IPs.

<resin:IfNetwork> Attributes

  ATTRIBUTE     DESCRIPTION                                                 DEFAULT
  value         An IP address to match (multiple allowed).                  N/A
  cache-size    The size of the IP address LRU cache used for performance.  256

The /24 in 192.168.17.0/24 means that the first 24 bits of the address are matched: any IP address that begins with 192.168.17. will match. The /bits suffix is optional.
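The prefix matching described above, carried through as an added stand-alone Java example. This is not Resin's own IfNetwork code; the class name NetworkRule is made up for illustration, and it assumes that a pattern without /bits must match the address exactly.

```java
// Added example, not Resin's IfNetwork implementation. "a.b.c.d/bits" matches any
// IPv4 address whose first `bits` bits equal the pattern's; a bare address
// (no "/bits") is assumed to require an exact, all-32-bit match.
public class NetworkRule {
    private final int network;   // pattern address, already masked
    private final int mask;      // high `bits` bits set, rest clear

    public NetworkRule(String pattern) {
        String addr = pattern;
        int bits = 32;                       // assumption: no "/bits" = exact match
        int slash = pattern.indexOf('/');
        if (slash >= 0) {
            addr = pattern.substring(0, slash);
            bits = Integer.parseInt(pattern.substring(slash + 1));
        }
        if (bits < 0 || bits > 32) {
            throw new IllegalArgumentException("prefix length out of range: " + pattern);
        }
        // Shift as a long: an int shift by 32 would wrap to 0 and match nothing.
        this.mask = bits == 0 ? 0 : (int) (0xFFFFFFFFL << (32 - bits));
        this.network = toInt(addr) & mask;
    }

    public boolean matches(String ip) {
        return (toInt(ip) & mask) == network;
    }

    // Parse a dotted-quad IPv4 address into a 32-bit integer. Malformed input is
    // rejected rather than silently failing to match (or matching) a rule.
    static int toInt(String ip) {
        String[] parts = ip.trim().split("\\.");
        if (parts.length != 4) {
            throw new IllegalArgumentException("not an IPv4 address: " + ip);
        }
        int result = 0;
        for (String p : parts) {
            int octet = Integer.parseInt(p);
            if (octet < 0 || octet > 255) {
                throw new IllegalArgumentException("bad octet in: " + ip);
            }
            result = (result << 8) | octet;
        }
        return result;
    }

    public static void main(String[] args) {
        NetworkRule admin = new NetworkRule("192.168.17.0/24");   // pattern from the page
        System.out.println("192.168.17.42 -> " + admin.matches("192.168.17.42"));
        System.out.println("192.168.18.1  -> " + admin.matches("192.168.18.1"));
        NetworkRule single = new NetworkRule("205.11.12.3");      // no /bits: exact match
        System.out.println("205.11.12.4   -> " + single.matches("205.11.12.4"));
    }
}
```

In a custom predicate, isMatch() would pass request.getRemoteAddr() to matches(); note that behind a reverse proxy that address is the proxy's, not the client's.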

Admin Pages Allowed Only from 192.168.17.0/24
<web-app xmlns="http://caucho.com/ns/resin"
            xmlns:resin="urn:java:com.caucho.resin">
  ...
  <resin:Allow url-pattern="/admin/*">
    <resin:IfNetwork value="192.168.17.0/24"/>
  </resin:Allow>
  ...
</web-app>

The following example shows how the tag can be used to construct an IP block list:

Block-out Known Trouble-Makers
<web-app xmlns="http://caucho.com/ns/resin"
            xmlns:resin="urn:java:com.caucho.resin">
  ...
  <resin:Deny>
    <resin:IfNetwork>
       <resin:value>205.11.12.3</resin:value>
       <resin:value>213.43.62.45</resin:value>
       <resin:value>123.4.45.6</resin:value>
       <resin:value>233.15.25.35</resin:value>
       <resin:value>233.14.87.12</resin:value>
    </resin:IfNetwork>
  </resin:Deny>
  ...
</web-app>

Be careful with deny: some ISPs (like AOL) use proxies, so many different users may appear to your server to come from the same IP.

If only deny is used, then all IPs are allowed unless they match a deny. If only allow is used, then an IP is denied unless it matches an allow. If both are used, then the IP must match both an allow and a deny.

<resin:IfSecure>

The <resin:IfSecure> tag restricts access to secure transports, usually SSL.

<resin:IfSecure> Attributes

  ATTRIBUTE     DESCRIPTION                                                       DEFAULT
  value         A boolean value against which HttpServletRequest.isSecure is matched.  true

In the following example, all pages in the web application are restricted to SSL only.

WEB-INF/resin-web.xml
<web-app xmlns="http://caucho.com/ns/resin"
            xmlns:resin="urn:java:com.caucho.resin">
  ...
  <resin:Allow>
    <resin:IfSecure/>
  </resin:Allow>
  ...
</web-app>

The default behaviour, because of this configuration, is for Resin to rewrite any URL that starts with "http:" by replacing the "http:" part with "https:", and then send a redirect to the browser.

If the default rewriting of the host is not appropriate, you can set the <secure-host-name> for the host:

WEB-INF/resin-web.xml
<resin xmlns="http://caucho.com/ns/resin">
  <cluster id="app-tier">
    ...
    <host id="...">
      <secure-host-name>https://hogwarts.com</secure-host-name>
      ...
    </host>
  </cluster>
</resin>

ServletRequestPredicate

Although rarely needed, it is sometimes useful to create a custom predicate (for example, to encapsulate complex custom authorization logic). You can do this by extending com.caucho.rewrite.RequestPredicate. This essentially lets you create your own <IfXXX> rule.

The following example demonstrates how to create a custom Resin predicate:

WEB-INF/resin-web.xml - Custom rule
<web-app xmlns="http://caucho.com/ns/resin"
         xmlns:resin="urn:java:com.caucho.resin"
         xmlns:foo="urn:java:com.foo">
  ...
  <resin:Allow url-pattern="/safe/*">
    <foo:IfMyTest value="abcxyz"/>
  </resin:Allow>
  ...
</web-app>

package com.foo;

import javax.servlet.http.HttpServletRequest;
import com.caucho.security.ServletRequestPredicate;

public class IfMyTest extends ServletRequestPredicate {
  private String value;

  // Your custom attribute for the tag.
  public void setValue(String value)
  {
    this.value = value;
  }

  // Here you must actually determine the match.
  public boolean isMatch(HttpServletRequest request)
  {
    return value.equals(request.getHeader("Foo"));
  }
}

Copyright © 1998-2015 Caucho Technology, Inc. All rights reserved. Resin ® is a registered trademark. Quercustm, and Hessiantm are trademarks of Caucho Technology.