[Yanel-dev] User Properties / IML

Michael Wechner michael.wechner at wyona.com
Mon Oct 29 15:24:40 CET 2007 

Oli Kessler wrote:

>>>
>>> - account expiration
>>
>>
>> I guess this should only be configurable by some "administrator",  
>> right?
>> Please note that Yanel doesn't have a dedicated administrator  
>> account and this would rather be protected by some policy and  
>> appropriate usecase.
>
>
> Yes, access to this field must be granted to the administrator only.  
> A suitable protection scheme must exists - can we borrow something  
> from an existing usecase here?


maybe we can extend the yanel-user resource somehow resp. somehow use 
the usecases framework by Josias by introducing a usecase 
"edit-expire-date".

It also means we should extend the security API

Date User.getExpireDate()
void User.setExpireDate(Date date)

ok?

>
>
>>
>>> - homepage (default page after login)
>>
>>
>>
>> if this not being set, how should the default be? It seems to me we  
>> have to options:
>>
>> - the originally requested URL
>> - a realm specific default page
>
>
> Full ack. I'd prefer a solution with the following priorities for the  
> initial reponse after successfull authentication, given the settings  
> exist:
> - user's home page


I guess this means we need to enhance the Realm API (and not the user, 
because the security has no clue about Realms)


String Realm.getHomepage(User user)
void Realm.setHomepage(User user, String homepage)

> - realm's default page
> - original request
>
> This will allow for most scenarios. If the user can configure his  
> homepage (and I'd very much support this), we can however not force a  
> default page on the initial request as the user's setting overwrite  
> the realm's configuration - is there a way to enable/disable such a  
> feature in a realm-wide context?


you mean like a welcome page (?), but doesn't that mean the realm's 
default page is actually obsolete?

If we want to implement a welcome page which can be personalized, then I 
guess we should also enhance the Realm API


String Realm.getWelcomePage(User user)
void Realm.setWelcomePage(User user, String welcomePage)

and for realm-wide resp. aggregration of "global" with personalized we 
would need

String Realm.getWelcomePage()
void Realm.setWelcomePage(String welcomePage)

but I am note sure if this makes re sense  aggregation (XHTML snippets, 
images pathes, ...)

Another possibility is to move this into the custom config (see below)

>
>
>>
>>> - last login (date, to be written on successfull login)
>>
>>
>>
>> wouldn't it make sense to keep the whole history (also with  
>> additional info, such as machine (whereas this might not make sense  
>> behind a proxy ...)
>
>
> If the repository permits it, why not? However, I see currently no  
> usecase for an unlimited login history - my initial idea was just to  
> inform the user about it on successfull login (like the info you get  
> on a unix shell login).


ok, so let's drop it for the moment ;-) We can always enhance, hopefully :-)

I think it's important to note, that this also rather belongs to a 
realm, than to the user (I mean API wise)

>
> Another usecase which would use similar data is account locking based  
> on some number of failed logins - a limited history would be
> enough (the locking threshold) but instead of successfull logins, all  
> login attempts must be stored. My example below has mentioned this in  
> the custom properties somewhat more primitive with a failed login count.
>
>>
>>>
>>> Also, a facility to write application specific, custom properties  
>>> to  the user object would be very helpful.
>>>
>>> We'd thus like to extend the current IML like this:
>>>
>>> <identity id="foo" xmlns="http://www.wyona.org/security/1.0">
>>>   <name>Foo Account</name>
>>>   <description>Bars</description>
>>>   <email>foo at bar.com</email>
>>>   <password type="md5">xxx</password>
>>>
>>>   <expire date="2007-12-24T00:00:00"/>
>>>   <hompage>/en/topics/dashboard.html</homepage>
>>>   <lastLogin date="2007-10-26T16:34:22"/>
>>>
>>>   <custom:properties xmlns:custom="http://www.foobar.com/yanel/  
>>> security/1.0">
>>>     <custom:locked>false</custom:lock>
>>>     <custom:failedLogins>7</custom:failedLogins>
>>>     <custom:welcomePage>/en/global/motd.html</custom:welcomePage>
>>>   </custom:properties>
>>> </identity>
>>
>>
>>
>> sounds good to me, whereas I guess it would make sense to implement  
>> this within the API whereas a DOM would be returned.
>
>
> Yes, a custom implementation can interpret the data in the DOM block.


so the API would like


Document User.getCustomConfiguration()
void User.setCustomConfiguration(Document config)

WDYT?

Michi

>
> Cheers,
> -ok
>
> -- 
> ncode solutions gmbh
> http://www.ncode.ch
>
> tel +41 43 817 01 88
> fax +41 43 817 02 88
> Zurich / Switzerland
>
>
> _______________________________________________
> Yanel-development mailing list
> Yanel-development at wyona.com
> http://lists.wyona.org/cgi-bin/mailman/listinfo/yanel-development



-- 
Michael Wechner
Wyona      -   Open Source Content Management - Yanel, Yulup
http://www.wyona.com
michael.wechner at wyona.com, michi at apache.org
+41 44 272 91 61

More information about the Yanel-development mailing list