URL exclusion using XmlAuthenticator


theBlueSage
04-12-2011, 08:31 PM
Hi

I have a full production site using resin, and a stage site that needs to be open to the public as well. However I want to have an HTTP-Auth basic login prompt when anyone goes to the site so only my QA people can see it. This I achieved with XmlAuthenticator in the resin.xml doc.
However my stage environment is across 3 servers and they are load balanced. The LB needs to access /lb.jsp without hitting the login request. I can't seem to find the right combination that would encompass:

<resin:Allow> url="/lb.jsp"</resin:Allow>
<resin:Authenticate url="everythingelse">

Is this actually possible?

Thanks for any tips or suggestions!

reza
04-13-2011, 03:03 PM
theBlueSage,

How about something like this:

<resin:Allow url-pattern="[your URL]">
  <resin:Or>
    <resin:IfUserInRole role="[your user role]"/>
    <resin:IfNetwork value="[your load balancer IP]"/>
  </resin:Or>
</resin:Allow>

More details here: http://caucho.com/resin-4.0/admin/security.xtp.

Thanks,
Reza

theBlueSage
04-29-2011, 05:13 PM
Hi, thanks for your reply and sorry it took me so long to get to it. I tried the following, but the auth prompt comes up regardless. I was hoping that the auth request would only appear IF the access is from outside the network .... however the auth prompt appears regardless of network.



<resin:Allow url-pattern="/*">
  <resin:Or>
    <resin:IfUserInRole role="user"/>
    <resin:IfNetwork value="10.16.0.0/12"/>
    <resin:IfNetwork value="192.168.0.0/16"/>
  </resin:Or>
</resin:Allow>

<authenticator type="com.caucho.server.security.XmlAuthenticator">
  <init>
    <user>someUserName:somePassword:user</user>
    <password-digest>none</password-digest>
  </init>
</authenticator>
<login-config auth-method='basic'/>

alex
05-02-2011, 04:28 PM
Hi theBlueSage,

Can you try with something like this:


<web-app xmlns="http://caucho.com/ns/resin"
         xmlns:resin="urn:java:com.caucho.resin">
  <session-config reuse-session-id="all"/>

  <resin:XmlAuthenticator password-digest="none">
    <user name="Aladdin" password="open sesame" role="user"/>
  </resin:XmlAuthenticator>

  <resin:BasicLogin/>

  <resin:Allow url-pattern='/test.jsp'>
    <resin:Or>
      <resin:IfNetwork>
        <value>192.168.117.80</value>
      </resin:IfNetwork>

      <resin:IfUserInRole role="user"/>
    </resin:Or>
  </resin:Allow>

</web-app>

Note, ifNetwork preceding the ifUserInRole in the 'or'.

Thanks

reza
05-02-2011, 07:35 PM
theBlueSage,

What version are you using? I tried both your and Alex's examples and both work for me on Resin 4.0.17 Pro.

Thanks,
Reza

theBlueSage
05-26-2011, 03:35 PM
Got it to work by putting the ifUserInRole below ifNetwork. Thanks for that one :)

<resin:Allow url-pattern="/*">
  <resin:Or>
    <resin:IfNetwork value="x.x.x.x"/>
    <resin:IfNetwork value="127.0.0.1"/>
    <resin:IfNetwork value="x.x.x.x/24"/>
    <resin:IfNetwork value="q.a.x.c"/>
    <resin:IfNetwork value="10.0.0.0/8"/>
    <resin:IfUserInRole role="user"/>
  </resin:Or>
</resin:Allow>
<authenticator type="com.caucho.server.security.XmlAuthenticator">
  <init>
    <user>mocospace:V645qki:user</user>
    <password-digest>none</password-digest>
  </init>
</authenticator>
<login-config auth-method='basic'/>
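
An added example (not written by any poster in this thread, and not Resin code): a small Python model of the `<resin:Or>` rule from the 04-29-2011 post and of the reordered rule confirmed above, showing which unauthenticated client addresses skip the Basic prompt. It assumes predicates are tried in document order and that a role check on an unauthenticated request issues the login challenge, as reported in the thread; the function names and sample client addresses are constructed.

```python
import ipaddress

# Predicates in the order they appear inside <resin:Or>:
# ("net", cidr)  models <resin:IfNetwork value="..."/>
# ("role", name) models <resin:IfUserInRole role="..."/>
POSTED_0429 = [("role", "user"), ("net", "10.16.0.0/12"), ("net", "192.168.0.0/16")]
REORDERED = [("net", "10.16.0.0/12"), ("net", "192.168.0.0/16"), ("role", "user")]

# Constructed sample client addresses (not taken from any real log).
SAMPLE_CLIENTS = ["10.20.1.7", "10.0.0.5", "192.168.117.80", "203.0.113.9"]


def decide(predicates, client_ip, roles=None):
    """Return 'allow', 'challenge' (401 Basic prompt) or 'deny'.

    Assumption: predicates are tried in document order, and a role check on
    a request without credentials (roles is None) challenges immediately.
    """
    addr = ipaddress.ip_address(client_ip)
    for kind, value in predicates:
        if kind == "net":
            # Membership is False when address and network differ in IP version.
            if addr in ipaddress.ip_network(value, strict=False):
                return "allow"
        elif kind == "role":
            if roles is None:
                return "challenge"
            if value in roles:
                return "allow"
    return "deny"


def report(predicates, clients=SAMPLE_CLIENTS):
    """Map each unauthenticated client address to its outcome."""
    return {ip: decide(predicates, ip) for ip in clients}


if __name__ == "__main__":
    for name, rules in (("posted 04-29", POSTED_0429), ("reordered", REORDERED)):
        print(name)
        for ip, outcome in report(rules).items():
            print(f"  {ip:<16} {outcome}")
```

If the load balancer proxies connections, the server sees the balancer's address as the client, so an IfNetwork entry covering it exempts every proxied request; feed `decide` the addresses the server actually logs.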

theBlueSage
05-26-2011, 05:02 PM
If I want to control different URL paths differently, is there anything wrong with the following approach?

<resin:Allow url-pattern="/public/files/*">
  <resin:IfNetwork value="0/0"/>
</resin:Allow>
<resin:Allow url-pattern="/api/*">
  <resin:IfNetwork value="0/0"/>
</resin:Allow>

<!-- and then trap everyone else -->
<resin:Allow url-pattern="/*">
  <resin:Or>
    <resin:IfNetwork value="127.0.0.1" />
    <resin:IfNetwork value="192.168.0.0/16" />
    <resin:IfNetwork value="10.0.0.0/8" />
    <resin:IfUserInRole role="user" />
  </resin:Or>
</resin:Allow>