 Authentication Configuration


web-app/login-config
auth-method Selects the authentication method.
form-login-config Configures authentication for forms.
authenticator Specifies a class to authenticate users.
security-constraint Selects protected areas of the web site.
security-constraint/web-resource-collection Specifies a collection of areas of the web site.
security-constraint/auth-constraint Requires that authenticated users fill the specified role.
security-constraint/user-data-constraint Restricts access to secure transports, i.e. SSL

<http-server>
  <!-- Resin DBPool for the JdbcAuthenticator -->
  <resource-ref>
    <res-ref-name>jdbc/auth</res-ref-name>
    <res-type>javax.sql.DataSource</res-type>
    <init-param driver-name="org.gjt.mm.mysql.Driver"/>
    <init-param url="jdbc:mysql://localhost:3306/test"/>
  </resource-ref>
     
  <login-config auth-method='form'>
    <form-login-config>
      <form-login-page>/login.html</form-login-page>
      <form-error-page>/error.html</form-error-page>
    </form-login-config>
    
    <!-- Resin-specific JdbcAuthenticator -->
    <authenticator id='com.caucho.server.http.JdbcAuthenticator'>
      <password-query>
        SELECT password FROM LOGIN WHERE username=?
      </password-query>
    </authenticator>
  </login-config>
</http-server>

web-app/login-config

auth-method

Selects the authentication method.

basic HTTP Basic authentication
form Form-based authentication

form-login-config

Configures authentication for forms. The login form has specific parameters that the servlet engine's login form processing understands. If the login succeeds, the user will see the original page. If it fails, she will see the error page.

form-login-page The page to be used to prompt the user login
form-error-page The error page for unsuccessful login

The form itself must have the action j_security_check. It must also have the parameters j_username and j_password. Optionally, it can also have j_uri and j_use_cookie_auth. j_uri gives the next page to display when login succeeds. j_use_cookie_auth allows Resin to send a persistent cookie to the user to make subsequent logins easier.

j_security_check The form's mandatory action
j_username The user name
j_password The password
j_uri Optional Resin extension for the successful display page.
j_use_cookie_auth Optional Resin extension to allow cookie login.

The following is an example of a servlet-standard login page:

<form action='j_security_check' method='POST'>
<table>
<tr><td>User:<td><input name='j_username'>
<tr><td>Password:<td><input name='j_password' type='password'>
<tr><td colspan=2>hint: the password is 'quidditch'
<tr><td><input type=submit>
</table>
</form>

authenticator

Resin 1.1

Specifies a class to authenticate users. This Resin-specific option lets you control your authentication. You can either create your own custom authenticator, or use Resin's JdbcAuthenticator.

Users wanting to implement an authenticator should look at the JavaDoc for Authenticator and AbstractAuthenticator. To protect your application from API changes, you should extend AbstractAuthenticator rather than implementing Authenticator directly.

The JdbcAuthenticator (com.caucho.server.http.JdbcAuthenticator) asks a backend database for the password matching the user's name. It uses the DataSource specified by the db-pool option, or caucho.db-pool by default. db-pool refers to a DataSource configured with resource-ref.

The following are the attributes for the JdbcAuthenticator:

db-pool The database pool. Looks in the application attributes first, then in the global database pools.
password-query A SQL query to get the user's password. The default query is given below.
cookie-auth-query A SQL query to authenticate the user by a persistent cookie.
cookie-auth-update A SQL update to match a persistent cookie to a user.
role-query A SQL query to determine the user's role. By default, all users are in role "user", but no others.

<!-- Resin-specific JdbcAuthenticator -->
<authenticator id='com.caucho.server.http.JdbcAuthenticator'>
  <db-pool>test</db-pool>
  <password-query>
    SELECT password FROM LOGIN WHERE username=?
  </password-query>
  <cookie-auth-query>
    SELECT username FROM LOGIN WHERE cookie=?
  </cookie-auth-query>
  <cookie-auth-update>
    UPDATE LOGIN SET cookie=? WHERE username=?
  </cookie-auth-update>
  <role-query>
    SELECT role FROM LOGIN WHERE username=?
  </role-query>
</authenticator>

security-constraint

Selects protected areas of the web site. Sites using authentication as an optional personalization feature will typically not use any security constraints.

<security-constraint>
  <web-resource-collection>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint role-name='user'/>
</security-constraint>

security-constraint/web-resource-collection

Specifies a collection of areas of the web site.

url-pattern URL patterns describing the resource
method HTTP methods to be restricted.

security-constraint/auth-constraint

Requires that authenticated users fill the specified role. In Resin's JdbcAuthenticator, normal users are in the "user" role. Think of a role as a group of users.

role-name Roles which are allowed to access the resource.

security-constraint/user-data-constraint

Restricts access to secure transports, i.e. SSL.

transport-guarantee Required transport properties. NONE, INTEGRAL, and CONFIDENTIAL are allowed values.
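
The three constraint elements combined with form login and the JdbcAuthenticator, as an added example that is not taken from the Resin documentation. The /members/* and /admin/* paths and the 'admin' role value are assumptions, and transport-guarantee is written as a child element of user-data-constraint in the servlet-standard form.

```xml
<web-app>
  <login-config auth-method='form'>
    <form-login-config>
      <form-login-page>/login.html</form-login-page>
      <form-error-page>/error.html</form-error-page>
    </form-login-config>

    <authenticator id='com.caucho.server.http.JdbcAuthenticator'>
      <db-pool>test</db-pool>
      <password-query>
        SELECT password FROM LOGIN WHERE username=?
      </password-query>
      <!-- Without a role-query every user is only in role "user" -->
      <role-query>
        SELECT role FROM LOGIN WHERE username=?
      </role-query>
    </authenticator>
  </login-config>

  <!-- Assumed path: users whose LOGIN.role is 'user', SSL required -->
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/members/*</url-pattern>
    </web-resource-collection>
    <auth-constraint role-name='user'/>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Assumed path and role: users whose LOGIN.role is 'admin', SSL required -->
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint role-name='admin'/>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>
```

Form login sends j_password in the request body, so the CONFIDENTIAL guarantee is what keeps credentials for these areas off plain HTTP.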

Copyright © 1998-2001 Caucho Technology. All rights reserved.