- hessian
- quercus/php
- resin 3.0
- resin 3.1
- resin 4.0
-
- changes
- configuration
- examples
- installing
- overview
- starting
-
- guide: admin
- admin
- amber
- bam
- caching
- clustering
- comet
- database
- deployment
- ejb 3.0
- embedding
- filters
- ioc
- jsf
- jsp
- logging
- messaging
- quercus
- remoting
- security
- resources
- servlets
- third-party
- troubleshooting
- virtual host
- watchdog
- webapp
Authorization is used to mark sections and resources of a web site that have limited access. Constraints are used to indicate the criteria for access, typically the constraint is based on a user login, but it can also include such things as limiting access to clients from a certain ip address and requiring that a secure transport such as SSL is in use.
|
| | |||||||||||||||||||||||
|
Selects protected areas of the web site. Sites using authentication as an optional personalization feature will typically not use any security constraints. Sites using authentication to limit access to certain sections of the website to certain users will use security constraints. Security constraints can also be custom classes. Specifies a collection of areas of the web site. url-pattern | url patterns describing the resource
| http-method | HTTP methods to be restricted.
| Requires that authenticated users fill the specified role. In Resin's JdbcAuthenticator, normal users are in the "user" role. Think of a role as a group of users. role-name | Roles which are allowed to access the resource.
| Allow or deny requests based on the ip address of the client. ip-constraint is very useful for protecting administration resources to an internal network. It can also be useful for denying service to known problem ip's. The Be careful with deny - some ISP's (like AOL) use proxies and the ip of many different users may appear to be the same ip to your server. allow | add an ip address to allow | default is to allow all ip addresses
| deny | add an ip address to deny | default is to deny no ip addresses
| error-code | error code to send if request is denied | 403
| error-message | error message to send if request is denied | Forbidden IP Address
| cache-size | cache size, the result of applying rules for an ip is cached for subsequent requests | 256
| If only deny is used, then all ip's are allowed if they do not match
a Restricts access to secure transports, i.e. SSL. transport-guarantee | Required transport properties. NONE,
INTEGRAL, and CONFIDENTIAL are allowed values.
| Restricts access to secure transports, i.e. SSL. Defines a custom constraint. The custom constraint specifies a resin:type which extends . Bean-style initialization is used to initialize the constraint. Any custom security constraint is checked after any authentication (login) but before any filters or servlets are applied. The security constraint will return true if the request is allowed and false if it's forbidden. If the request is forbidden, it's the constraint's responsibility to use response.sendError() or to return an error page. The Sometimes it is necessary to protect files from being viewed by anyone, such as configuration files used in your code but not meant to be served to a browser. Place files in WEB-INF or a subdirectory of WEB-INF. Any files in WEB-INF or it's subdirectories will automatically be protected from viewing. Use a security constraint that requires a role that nobody will ever have. Use a simple servlet that returns a 403 error, which means "Forbidden". Resin provides the servlet which is useful for this: Or you could implement your own servlet:
Copyright (c) 1998-2009 Caucho Technology, Inc. All rights reserved. caucho® , resin® and quercus® are registered trademarks of Caucho Technology, Inc. |
- HOME |
- CONTACT US |
- DOCUMENTATION |
- SALES |
- WIKI
caucho® , resin® and quercus® are registered trademarks of Caucho Technology, Inc.