[Yanel-dev] User Properties / IML

Oli Kessler ok at ncode.ch
Mon Oct 29 00:46:04 CET 2007


>>
>> - account expiration
>
> I guess this should only be configurable by some "administrator",  
> right?
> Please note that Yanel doesn't have a dedicated administrator  
> account and this would rather be protected by some policy and  
> appropriate usecase.

Yes, access to this field must be granted to the administrator only.  
A suitable protection scheme must exist - can we borrow something  
from an existing usecase here?


>
>> - homepage (default page after login)
>
>
> if this not being set, how should the default be? It seems to me we  
> have two options:
>
> - the originally requested URL
> - a realm specific default page

Full ack. I'd prefer a solution with the following priorities for the  
initial response after successful authentication, given the settings  
exist:
- user's home page
- realm's default page
- original request

This will allow for most scenarios. If the user can configure his  
homepage (and I'd very much support this), we can however not force a  
default page on the initial request as the user's settings overwrite  
the realm's configuration - is there a way to enable/disable such a  
feature in a realm-wide context?


>
>> - last login (date, to be written on successful login)
>
>
> wouldn't it make sense to keep the whole history (also with  
> additional info, such as machine (whereas this might not make sense  
> behind a proxy ...)

If the repository permits it, why not? However, I see currently no  
usecase for an unlimited login history - my initial idea was just to  
inform the user about it on successful login (like the info you get  
on a unix shell login).

Another usecase which would use similar data is account locking based  
on some number of failed logins - a limited history would be  
enough (the locking threshold) but instead of successful logins, all  
login attempts must be stored. My example below has mentioned this in  
the custom properties somewhat more primitive with a failed login count.

>
>>
>> Also, a facility to write application specific, custom properties  
>> to the user object would be very helpful.
>>
>> We'd thus like to extend the current IML like this:
>>
>> <identity id="foo" xmlns="http://www.wyona.org/security/1.0">
>>   <name>Foo Account</name>
>>   <description>Bars</description>
>>   <email>foo at bar.com</email>
>>   <password type="md5">xxx</password>
>>
>>   <expire date="2007-12-24T00:00:00"/>
>>   <homepage>/en/topics/dashboard.html</homepage>
>>   <lastLogin date="2007-10-26T16:34:22"/>
>>
>>   <custom:properties xmlns:custom="http://www.foobar.com/yanel/security/1.0">
>>     <custom:locked>false</custom:locked>
>>     <custom:failedLogins>7</custom:failedLogins>
>>     <custom:welcomePage>/en/global/motd.html</custom:welcomePage>
>>   </custom:properties>
>> </identity>
>
>
> sounds good to me, whereas I guess it would make sense to implement  
> this within the API whereas a DOM would be returned.

Yes, a custom implementation can interpret the data in the DOM block.

Cheers,
-ok

--
ncode solutions gmbh
http://www.ncode.ch

tel +41 43 817 01 88
fax +41 43 817 02 88
Zurich / Switzerland
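As an added illustration (not code from Yanel or from the thread's authors) of how a custom implementation could interpret the proposed IML extension: the block below parses the standard and custom fields of one identity, applies the expiration and failed-login lockout checks, and picks the post-login page with the priority given above (user homepage, then realm default, then original request). The sample identity, the custom namespace URL and the lockout threshold of 5 are assumptions for the example.

```python
import xml.etree.ElementTree as ET
from datetime import datetime
IML_NS = "http://www.wyona.org/security/1.0"
CUSTOM_NS = "http://www.foobar.com/yanel/security/1.0"  # assumed, from the proposal

# Constructed sample following the proposed IML extension (not a real account)
SAMPLE_IML = """<identity id="foo" xmlns="http://www.wyona.org/security/1.0">
  <expire date="2007-12-24T00:00:00"/>
  <homepage>/en/topics/dashboard.html</homepage>
  <lastLogin date="2007-10-26T16:34:22"/>
  <custom:properties xmlns:custom="http://www.foobar.com/yanel/security/1.0">
    <custom:locked>false</custom:locked>
    <custom:failedLogins>7</custom:failedLogins>
  </custom:properties>
</identity>"""

def parse_identity(xml_text):
    """Read the standard and custom fields of one <identity> into a dict."""
    root = ET.fromstring(xml_text)
    def el(ns, tag, parent=root):  # namespace-aware child lookup
        return parent.find("{%s}%s" % (ns, tag))
    def date_attr(tag):  # <expire date=".."/> and <lastLogin date=".."/>
        e = el(IML_NS, tag)
        return datetime.fromisoformat(e.get("date")) if e is not None else None
    home = el(IML_NS, "homepage")
    custom = el(CUSTOM_NS, "properties")
    locked = failed = None
    if custom is not None:
        locked = el(CUSTOM_NS, "locked", custom)
        failed = el(CUSTOM_NS, "failedLogins", custom)
    return {
        "id": root.get("id"),
        "homepage": home.text.strip() if home is not None and home.text else None,
        "expire": date_attr("expire"),
        "last_login": date_attr("lastLogin"),
        "locked": locked is not None and locked.text.strip().lower() == "true",
        "failed_logins": int(failed.text) if failed is not None else 0,
    }

def login_allowed(identity, now, max_failed=5):
    """Deny expired or locked accounts, or ones at/over the failed-login threshold (assumed 5)."""
    if identity["expire"] is not None and now >= identity["expire"]:
        return False, "account expired"
    if identity["locked"] or identity["failed_logins"] >= max_failed:
        return False, "account locked"
    return True, "ok"

def post_login_target(identity, realm_default, requested_url):
    """Priority from the thread: user's homepage, then realm default, then original request."""
    return identity.get("homepage") or realm_default or requested_url
```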
