Security
Resin 3.1

Authentication

Authentication is the process by which a user presents a username and password combination and the web server verifies it. By using Resin's Authenticator API for login support, applications can add security without writing an entire authentication library.

Resin provides a predefined XML authenticator for user and password lookup in an XML file, a database authenticator for lookup in a database using JDBC, an LDAP authenticator for LDAP and Active Directory servers, and a JAAS authenticator. If the predefined authentication methods are inadequate, Resin provides an API to write custom authentication code.

Digest Passwords

Digest passwords enable an application to avoid storing and even transmitting the password in a form that someone can read.

A digest of a cleartext password is produced by passing it through a one-way function that deterministically yields another string of characters: digestPassword = digester(username + ":" + realm + ":" + cleartextPassword). The function is "one-way" because it is computationally infeasible to recover the original password from the digestPassword. Note that the digest is bound to the realm as well as the username, so changing the realm name invalidates every stored digest.

Digest passwords can be used in two places: storage and transmission. Digest passwords in storage means that the password is stored in a digested form, for example in a database or in a file. Digest passwords in transmission means that the client (usually a web browser) creates the digest and submits the digest password to the web server.
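The following worked example is added here to illustrate both uses of a digest password described above; it is not code from the Resin documentation or from Resin itself. It follows the HTTP Digest scheme (RFC 2617) that browsers implement: the stored digest is H(username:realm:password) (called HA1 in the RFC), the browser transmits H(HA1:nonce:HA2), and the server verifies that transmitted value using only the stored HA1, so the cleartext is neither stored nor sent. The user, realm, password and nonce values are constructed for the example, hex encoding of the digest is this example's choice (the encoding Resin uses for stored digests is not stated on this page), and the qop-less response form is used for brevity.

```python
import hashlib
import hmac
import secrets

# Constructed sample values; none of these names or credentials come from the
# Resin documentation or from any real deployment.
REALM = "resin"
USERNAME = "harry"
CLEARTEXT_PASSWORD = "quidditch"


def md5_hex(*parts: str) -> str:
    """MD5 of the colon-joined parts, hex encoded (the H() function of RFC 2617)."""
    return hashlib.md5(":".join(parts).encode("utf-8")).hexdigest()


def storage_digest(username: str, realm: str, password: str) -> str:
    """Digest password for storage: H(username:realm:password), HA1 in RFC 2617.

    This is the only form of the password the server needs to keep. It is bound
    to the realm, so renaming the realm invalidates every stored digest.
    """
    return md5_hex(username, realm, password)


def client_response(username, realm, password, nonce, method, uri):
    """Digest password for transmission, computed by the browser.

    The browser derives HA1 locally from the cleartext it holds and sends
    H(HA1:nonce:HA2); the cleartext password never leaves the client.
    (Legacy RFC 2617 form without qop; with qop=auth the hash input also
    includes nc, cnonce and qop.)
    """
    ha1 = storage_digest(username, realm, password)
    ha2 = md5_hex(method, uri)
    return md5_hex(ha1, nonce, ha2)


def server_verify(stored_ha1, nonce, method, uri, response):
    """Check a browser's digest response using only the stored HA1.

    Both sides start from HA1, so the server can verify a transmitted digest
    without ever seeing the cleartext. The comparison is constant-time.
    """
    expected = md5_hex(stored_ha1, nonce, md5_hex(method, uri))
    return hmac.compare_digest(expected, response)


def demo():
    """One full exchange: provision a user, challenge, respond, verify.

    Returns (verdict for the correct password, verdict for a wrong password).
    """
    # Server side: the user store holds only the digest, never the cleartext.
    users = {USERNAME: storage_digest(USERNAME, REALM, CLEARTEXT_PASSWORD)}
    assert CLEARTEXT_PASSWORD not in users.values()

    # Challenge: the server issues a fresh nonce for this request.
    nonce = secrets.token_hex(16)

    # Client side: the browser computes responses from the cleartext it holds.
    good = client_response(USERNAME, REALM, CLEARTEXT_PASSWORD, nonce, "GET", "/secure/")
    bad = client_response(USERNAME, REALM, "wrong-password", nonce, "GET", "/secure/")

    # Server side: verify each response against the stored digest only.
    return (
        server_verify(users[USERNAME], nonce, "GET", "/secure/", good),
        server_verify(users[USERNAME], nonce, "GET", "/secure/", bad),
    )


if __name__ == "__main__":
    print(demo())
```

Two caveats a practitioner should keep in mind. First, because the server verifies with HA1 alone, a stored HA1 is password-equivalent within its realm: anyone who reads the user file or database can compute a valid response without knowing the cleartext, so digest storage limits exposure (the cleartext cannot be reused against other sites) but does not remove the need to protect the store. Second, MD5 is what the HTTP Digest scheme specifies, not a recommendation; an offline attacker holding HA1 values can brute-force short or common passwords quickly, and a real server must also track nonces so that a captured response cannot simply be replayed.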

Authorization

Authorization is used to mark sections and resources of a web site that have limited access. Constraints specify the criteria for access. Typically a constraint is based on the logged-in user and the roles granted to that user, but it can also restrict access to clients from certain IP addresses or require that a secure transport such as SSL is in use.

SSL

SSL (Secure Sockets Layer, and its successor TLS) is the commonly-used protocol for protecting the confidentiality and integrity of message transmission on the Internet. SSL in your web server provides support for the familiar https:// scheme.

Security Manager

In ISP (shared hosting) environments, it is important that each user's application have restricted permissions on the server. Normally the web server runs as a non-root user so that hosted applications cannot read protected system files, but every file that user can read is readable by every application running in the server; a security manager lets you restrict what each application may do beyond what the operating system user accounts provide. The use of RMI also requires a security manager.

Don't use a security manager if you're not in an ISP environment or using RMI. There's no need for it, and the security manager slows the server down somewhat.

Malicious Attacks

Resin is a very mature product and has not had any security reports in a long time. Here we discuss some common methods used to attack web servers, how they are handled by Resin, and how they apply to your applications.

FAQ

Scrapbook

A repository of notes and comments that will eventually make their way into the documentation. Please treat the information here with caution; it has often not been verified.

Copyright © 1998-2006 Caucho Technology, Inc. All rights reserved.
Resin® is a registered trademark, and Quercus™, Amber™, and Hessian™ are trademarks of Caucho Technology.