<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE securityfilter-config PUBLIC
    "-//SecurityFilter.org//DTD Security Filter Configuration 2.0//EN"
    "http://www.securityfilter.org/dtd/securityfilter-config_2_0.dtd">

<securityfilter-config>

   <security-constraint>
      <web-resource-collection>
         <web-resource-name>Secure Page</web-resource-name>
         <url-pattern>/admin/*.action</url-pattern>
      </web-resource-collection>
      <auth-constraint>
         <role-name>ADMIN</role-name>
      </auth-constraint>
   </security-constraint>

   <login-config>
      <auth-method>FORM</auth-method>
      <form-login-config>
         <form-login-page>/login_input.action</form-login-page>
         <form-error-page>/loginError.jsp</form-error-page>
         <form-default-page>/index.jsp</form-default-page>
         <!-- logout page definition is important for persistent logins -->
         <form-logout-page>/logout.jsp</form-logout-page>
         <!-- remember-me config -->
         <remember-me className="org.securityfilter.authenticator.persistent.DefaultPersistentLoginManager">
            <!-- optional settings for default persistent login manager -->
            <remember-me-param name="cookieLife" value="15"/>
            <remember-me-param name="protection" value="all"/>
            <remember-me-param name="useIP" value="true"/>
            <remember-me-param name="encryptionAlgorithm" value="DES"/>
            <remember-me-param name="encryptionMode" value="ECB"/>
            <remember-me-param name="encryptionPadding" value="PKCS5Padding"/>
            <!-- encryption keys; customize for each application -->
            <!-- NOTE: these kys must be speciied AFTER other encryption settings -->
            <remember-me-param name="validationKey" value="347382902489402489754895734890347"/>
            <remember-me-param name="encryptionKey" value="347892347028490237487846240673842"/>
         </remember-me>
      </form-login-config>
   </login-config>

   <realm className="gecs.mes.security.SecurityRealm">

   </realm>

</securityfilter-config>

參數解析
cookieLife (optional) specifies the number of days that you wish to keep the login cookie.  The default if not specified is 15 days)
protection (optional) specifies the type of protection you want for the persisted cookie.  Valid values are: all, validation, encryption, none.  The default is not specified is all.

validationkey (required if protection is all or validation) specifies a key that is combined with the actual cookie data and then used to generate a MD5 hash value.  This hash value is stored with the cookie and then is later used to determine if the cookie has been tampered with.

useIP (optional) (valid only when protection is all or validation) specifies if the clients IP address
is to be used when calculating the validation hash.  Provides extra protection against someone moving a cookie from one machine to another.

encryptionAlgorithm (optional) (valid only when protection is all or encryption)  specifies the encryption algorithm to use when encrypting the cookie values.  The default if not specified is DES.

encryptionMode (optional) (valid only when protection is all or encryption)  specifies the encryption mode to use when encrypting the cookie values.  The default if not specified is ECB.

encryptionPadding (optional) (valid only when protection is all or encryption)  specifies the encryption padding to use when encrypting the cookie values.  The default if not specified is PKCS5Padding.

encryptionkey (required if protection is all or encryption) specifies a key that is used to encrypt and decrypt cookie values.  Should NOT appear before the other encryption* parameters (if specified) in the securityfilter-config.xml file.

IMPORTANT!

A couple of points about this encryption implementation.

- This implementation makes use of the Sun Java Cryptography Extension
(JCE).  The JCE comes as a part of the standard download for Java 1.4  BUT, it?s an optional (separate) download for Java 1.3 and earlier.  If a user is using Java 1.3 or earlier and they want to use the encryption feature then they must download and install (per Sun?s instructions) the Java Cryptography Extension from the Sun website (http://java.sun.com/products/archive/jce/1.2/)

- The default "provider" that comes with JCE is the SunJCE provider.  The SunJCE provider supports the DES, Triple DES, and the Blowfish encryption algorithms.  I have tested this implementation ONLY with the DES algorithm.  I suspect that there may need to be some coding tweaks to get the this implementation to work with other algorithms but I have not yet tried them.
- Other, third-party, JCE providers can be used instead of the SunJCE provider.  See Sun?s website for a complete list of known third-party providers and for instructions on how to change the JCE default provider.

- The standard JCE provides for "strong" encryption.  "Unlimited" encryption is available as a separate download from Sun?s site.  There are some export restrictions on the "unlimited" encryption so if a user chooses to use it they need to understand and adhere to those restrictions.  See Sun?s website for complete details.