[Yanel-dev] Auto Login

Michael Wechner michael.wechner at wyona.com
Tue Jul 5 16:14:51 CEST 2011


Hi Balz

I have applied your latest patch re auto login (which you have sent to me 
offlist), but receive the following error:

71951 2011-07-05 16:11:53,785 +0200 [http-8080-Processor22] WARN  org.wyona.yanel.servlet.YanelServlet.doAccessControl():1122  - Access denied: http://127.0.0.1:8080/yanel/from-scratch-realm/en/index.html?yanel.toolbar=on (Path of request: /en/index.html; Identity: User ID: WORLD - Groups: ; Usecase: toolbar)
71951 2011-07-05 16:11:53,785 +0200 [http-8080-Processor22] WARN  org.wyona.yanel.servlet.YanelServlet.doAccessControl():1152  - SSL does not seem to be configured!
71981 2011-07-05 16:11:53,815 +0200 [http-8080-Processor22] WARN  org.wyona.security.impl.yarep.YarepUserManager.getTrueId():503  - No alias found for id 'lenya', hence return id as true ID
72028 2011-07-05 16:11:53,862 +0200 [http-8080-Processor22] WARN  org.wyona.yanel.servlet.security.impl.DefaultWebAuthenticatorImpl.authenticate():680  - Authentication was successful for user: lenya
72030 2011-07-05 16:11:53,864 +0200 [http-8080-Processor22] WARN  org.wyona.yanel.servlet.security.impl.DefaultWebAuthenticatorImpl.authenticate():681  - TODO: Add user to session listener!
72030 2011-07-05 16:11:53,864 +0200 [http-8080-Processor22] WARN  org.wyona.yanel.servlet.security.impl.DefaultWebAuthenticatorImpl.doAutoLogin():610  - TODO: Implement auto-login
72031 2011-07-05 16:11:53,865 +0200 [http-8080-Processor22] FATAL org.wyona.yanel.servlet.security.impl.AutoLogin.enableAutoLogin():66  - Could not enable Auto Login feature! Exception: java.lang.NullPointerException
java.lang.NullPointerException
     at org.wyona.yanel.servlet.security.impl.AutoLogin.setNewCookie(AutoLogin.java:130)
     at org.wyona.yanel.servlet.security.impl.AutoLogin.enableAutoLogin(AutoLogin.java:62)
     at org.wyona.yanel.servlet.security.impl.DefaultWebAuthenticatorImpl.doAutoLogin(DefaultWebAuthenticatorImpl.java:613)
     at org.wyona.yanel.servlet.security.impl.DefaultWebAuthenticatorImpl.doAuthenticate(DefaultWebAuthenticatorImpl.java:106)
     at org.wyona.yanel.servlet.YanelServlet.doAuthenticate(YanelServlet.java:1393)
     at org.wyona.yanel.servlet.YanelServlet.doAccessControl(YanelServlet.java:1158)
     at org.wyona.yanel.servlet.YanelServlet.service(YanelServlet.java:253)
     at javax.servlet.http.HttpServlet.service(HttpServlet.java:802)
     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:252)
     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
     at org.wyona.yanel.servlet.communication.YanelFilter.doFilter(YanelFilter.java:37)
     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
     at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
     at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
     at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:869)
     at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:664)
     at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
     at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:80)
     at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684)
     at java.lang.Thread.run(Thread.java:680)
72032 2011-07-05 16:11:53,866 +0200 [http-8080-Processor22] WARN  org.wyona.yanel.servlet.YanelServlet.doAccessControl():1178  - Authentication was successful for user: lenya
72032 2011-07-05 16:11:53,866 +0200 [http-8080-Processor22] WARN  org.wyona.yanel.servlet.YanelServlet.doAccessControl():1187  - Redirect to original request: http://127.0.0.1:8080/yanel/from-scratch-realm/en/index.html?yanel.toolbar=on

Can you send me another version or maybe we can have a look at it 
together tomorrow morning?

WDYT?

Thanks

Michael

On 17.05.11 16:15, basZero wrote:
> Hi Michael,
>
> can you verify this patch for the AutoLogin class?
> If it is ok, you can submit it.
> How do we proceed?
>
> I have implemented the AutoLogin call after successful login, so the 
> rest must be done in the YanelServlet and the Authenticator.
>
> Cheers
> Balz
>
> On Tue, May 17, 2011 at 11:34 AM, Michael Wechner 
> <michael.wechner at wyona.com <mailto:michael.wechner at wyona.com>> wrote:
>
>     Hi Balz
>
>     As we have discussed offline I have now added the relevant calls
>     and utility class:
>
>     src/webapp/src/java/org/wyona/yanel/servlet/security/impl/AutoLogin.java
>
>
>     src/webapp/src/java/org/wyona/yanel/servlet/security/impl/DefaultWebAuthenticatorImpl.java
>     src/webapp/src/java/org/wyona/yanel/servlet/YanelServlet.java
>
>     whereas just as the class DefaultWebAuthenticatorImpl is using the
>     utility class AutoLogin,
>     you can use this utility class within your custom code and as long
>     as you don't pass the form parameter "auto-login" (e.g. used by
>     src/webapp/xslt/login-screen.xsl) the DefaultWebAuthenticatorImpl
>     will ignore it.
>
>     The code does not do much yet and the AutoLogin class methods
>     needs to be refined (in particular the setCookie(...) method), but
>     maybe you can test if this integrates well with your custom code
>     and if so,
>     then I think it should be generic enough and easily integrable.
>
>     Let me know and then we can start the actual implementation.
>
>     Thanks
>
>     Michael
>
>
>     On 5/17/11 8:15 AM, basZero wrote:
>>     Hi Michael,
>>     I think it is not a good idea to store the token in the user
>>     profile. Read my consolidated thoughts about the auto-login:
>>
>>     - In order
>>     to give a realm flexibility on HOW the autologin gets
>>     implemented, I would suggest that you can configure (per
>>     realm) an AutoLoginService (e.g. in the realms.xml) which
>>     gets called by the YanelServlet. This way you don't have to
>>     worry about all the details now (what to store where and
>>     how, etc.) because these are then up to the realm's
>>     implementation (if it wants to use Auto-Login).
>>
>>     - Given this design you can later introduce a
>>     DefaultAutoLoginServiceImpl class which a realm can use if
>>     they are happy with how that implementation does handle the
>>     autologin.
>>     - The AutoLoginService gets called by the YanelServlet for EACH request that is NOT BOUND to any session yet (so that equals to the first request per session).
>>     - So the AutoLoginService would get the Yanel Environment object (via that it has access to request, response, session, etc., -->  the session must be created before the AutoLoginService gets called, it might want to store values in it).
>>     - In general I think we need to extend the DefaultAuthenticatorImpl in Yanel so that you can "login" the user by just providing the username.
>>     My points regarding the AutoLoginService:
>>     - Define NEW COOKIE (e.g. YANEL_AUTOLOGIN, it contains userID and a TOKEN)
>>     - Verify that the user is really not logged in yet. If logged in -->  return.
>>     - The TOKEN must be found VERY QUICKLY, we can not go through 10'000 user profiles and look for the token -->  Either store it as a separate XML (data/autologin/<tokenid>.xml , or we save in a separate index (at Zwischengas we use an internal index for that already, separated from the actual content data)
>>     - In the TOKEN DATA file (retrieved from token XML or Index), we get the userid for this token. It must match the userid provided from the COOKIE.
>>     - If it matches and the token has not yet expired, we do the login for this user WITHOUT password.
>>     I currently wonder whether we really have to renew the TOKEN in the Autologin-Cookie, we could also keep it (like the Yanel-Cookie). What do you think?
>>     Cheers
>>     Balz
>>
>>     On Tue, May 17, 2011 at 7:31 AM, <baszero at gmail.com
>>     <mailto:baszero at gmail.com>> wrote:
>>
>>         hi michael
>>
>>         i would rather store it in the user profile xml and not in
>>         the meta property.
>>
>>         cheers
>>
>>
>>         _____________________
>>         CTO / Zwischengas AG
>>         www.zwischengas.com <http://www.zwischengas.com>
>>
>>         Sent via iPhone
>>
>>         On 16.05.2011, at 23:04, Michael Wechner
>>         <michael.wechner at wyona.com
>>         <mailto:michael.wechner at wyona.com>> wrote:
>>
>>>         Hi Balz
>>>
>>>         On 5/16/11 5:06 PM, basZero wrote:
>>>>         Hi Michael,
>>>>
>>>>         as just discussed, what I meant by "auto-login" is not just
>>>>         pre-filling the username field in the login form.
>>>
>>>         sorry, right, I misunderstood
>>>>         By "auto-login", I mean the following:
>>>>
>>>>         - the user accesses ANY page within my realm
>>>>         - at every request it is verified whether the user is
>>>>         logged in (means: getIdentity() != null ?)
>>>>         - if there is no identity available, the request is checked
>>>>         for the autologin cookie
>>>>         - if there is no autologin cookie, proceed as usual (= user
>>>>         remains anonymous)
>>>>         - if there IS an autologin cookie, the user gets
>>>>         authenticated automatically (without seeing any form or the
>>>>         need of pressing a submit button) and the user is logged in.
>>>
>>>         sounds good also from a performance/scalability point of
>>>         view, except it's unclear to me where
>>>         we should save the tokens persistently and how to clean them
>>>         if they have expired.
>>>
>>>         I guess we could save them together with the user profile, e.g.
>>>
>>>         getRealm().getIdentityManager().getUserManager().getUser("baszero").setProperty("autologin-token",
>>>         TOKEN-ID);
>>>
>>>         WDYT?
>>>
>>>         Thanks
>>>
>>>         Michael
>>>
>>>>
>>>>         *Implementation:*
>>>>         The standard way of how this usually gets implemented is as
>>>>         follows:
>>>>         - The cookie contains USERID, TOKEN
>>>>         - After every successful authentication, a new TOKEN gets
>>>>         created and stored in the COOKIE (for the next time). The
>>>>         realm also stores the new token for this user (so that it
>>>>         can be verified the next time).
>>>>         - How to do the authentication: the token from the cookie
>>>>         must match the last stored token for this user. if it
>>>>         matches, the user gets logged in without the need of the
>>>>         password.
>>>>
>>>>         A normal side effect of this implementation is:
>>>>         - if the user uses a web browser and for instance an iPad,
>>>>         every time he switches the device, the token obviously does
>>>>         not match anymore and he has to login by the usual login
>>>>         form where he enters username and password (and where he
>>>>         can checkbox the autologin feature again).
>>>>
>>>>         *Next steps for Yanel:*
>>>>         It would be great if this functionality could be plugged
>>>>         into the request pipeline of Yanel.
>>>>         An alternative is to write a Request Pipeline Filter for
>>>>         TOMCAT so that the request goes through that servlet each time.
>>>>
>>>>         What do you propose?
>>>>
>>>>         Cheers
>>>>         Balz
>>>>
>>>>
>>>>         On Mon, May 16, 2011 at 4:48 PM, Michael Wechner
>>>>         <michael.wechner at wyona.com
>>>>         <mailto:michael.wechner at wyona.com>> wrote:
>>>>
>>>>             Hi Balz
>>>>
>>>>
>>>>             On 5/16/11 4:09 PM, basZero wrote:
>>>>
>>>>                 Hi Michael,
>>>>
>>>>                 you once mentioned that Yanel comes out of the box
>>>>                 with an auto login feature?
>>>>                 Can you point me to the source code? I didn't find it.
>>>>
>>>>
>>>>             Have a look at
>>>>
>>>>             src/webapp/src/java/org/wyona/yanel/servlet/security/impl/DefaultWebAuthenticatorImpl.java
>>>>
>>>>             and search for
>>>>
>>>>             remember-my-login-name
>>>>
>>>>             (also see rememberLoginNameCookie.setMaxAge(86400); //
>>>>             1 day is 86400 seconds)
>>>>
>>>>             (also see src/webapp/xslt/login-screen.xsl)
>>>>
>>>>             HTH
>>>>
>>>>             Michael
>>>>
>>>>
>>>>                 I just want to see how it is done.
>>>>
>>>>                 Cheers
>>>>                 Balz
>>>>
>>>>
>>>>             -- 
>>>>             Yanel-development mailing list
>>>>             Yanel-development at wyona.com
>>>>             <mailto:Yanel-development at wyona.com>
>>>>             http://lists.wyona.org/cgi-bin/mailman/listinfo/yanel-development
>>>>
>>>>
>>>
>>
>>
>
>
>
>

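Editor's note: the token scheme Balz sketches above (cookie carries USERID and TOKEN; the server looks the token up by id rather than scanning user profiles, checks that the stored user id matches the cookie's, checks expiry, then logs the user in without a password; after each successful login a new token is issued) is shown below as an added, self-contained example. It is not Yanel's AutoLogin class or any other project code. The class and method names (AutoLoginExample, TokenRecord, issueToken, authenticate, rotate), the in-memory map standing in for data/autologin/<tokenid>.xml, the cookie name YANEL_AUTOLOGIN and the 30-day lifetime are all assumptions made for the example. Two points the thread does not spell out are added because a practitioner would want them: only a hash of the secret is stored server-side, so reading the token store does not yield usable cookies, and the comparison uses MessageDigest.isEqual so it does not leak timing.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

/** Added example, not Yanel code. Cookie value layout: USERID:TOKENID:SECRET (assumption). */
public class AutoLoginExample {

    /** Server-side record for one token, standing in for data/autologin/<tokenid>.xml. */
    static final class TokenRecord {
        final String userId;
        final byte[] secretHash;      // SHA-256 of the secret; the secret itself is never stored
        final long expiresAtMillis;

        TokenRecord(String userId, byte[] secretHash, long expiresAtMillis) {
            this.userId = userId;
            this.secretHash = secretHash;
            this.expiresAtMillis = expiresAtMillis;
        }
    }

    static final SecureRandom RNG = new SecureRandom();
    static final long LIFETIME_MILLIS = 30L * 24 * 60 * 60 * 1000;   // 30 days (assumed lifetime)

    /** Keyed by token id, so a lookup is a map/index hit and not a scan over every user profile. */
    private final Map<String, TokenRecord> store = new HashMap<>();

    /** Called after a successful form login when the user ticked auto-login. Returns the cookie value. */
    String issueToken(String userId, long nowMillis) {
        String tokenId = randomToken(16);
        String secret = randomToken(32);
        store.put(tokenId, new TokenRecord(userId, sha256(secret), nowMillis + LIFETIME_MILLIS));
        return userId + ":" + tokenId + ":" + secret;
    }

    /** Called on the first request of a session without an identity. Returns the user id, or null. */
    String authenticate(String cookieValue, long nowMillis) {
        if (cookieValue == null) return null;
        // Split from the right so a user id containing ':' still parses; token parts are base64url.
        int lastColon = cookieValue.lastIndexOf(':');
        int midColon = lastColon > 0 ? cookieValue.lastIndexOf(':', lastColon - 1) : -1;
        if (midColon <= 0) return null;
        String userId = cookieValue.substring(0, midColon);
        String tokenId = cookieValue.substring(midColon + 1, lastColon);
        String secret = cookieValue.substring(lastColon + 1);

        TokenRecord rec = store.get(tokenId);
        if (rec == null) return null;                       // unknown or already revoked token
        if (nowMillis >= rec.expiresAtMillis) {             // expired: clean it up on the way out
            store.remove(tokenId);
            return null;
        }
        if (!rec.userId.equals(userId)) return null;        // user id in cookie must match token data
        if (!MessageDigest.isEqual(rec.secretHash, sha256(secret))) return null; // constant-time compare
        return userId;
    }

    /** Single-use variant: invalidate the presented token and hand out a fresh one for the next visit. */
    String rotate(String cookieValue, long nowMillis) {
        String userId = authenticate(cookieValue, nowMillis);
        if (userId == null) return null;
        int lastColon = cookieValue.lastIndexOf(':');
        store.remove(cookieValue.substring(cookieValue.lastIndexOf(':', lastColon - 1) + 1, lastColon));
        return issueToken(userId, nowMillis);
    }

    /** Drop every token of a user, e.g. on password change or explicit logout. */
    void revokeAll(String userId) {
        store.values().removeIf(r -> r.userId.equals(userId));
    }

    /** Header a servlet would emit; HttpOnly keeps it from scripts, Secure keeps it off plain HTTP. */
    static String setCookieHeader(String value) {
        return "Set-Cookie: YANEL_AUTOLOGIN=" + value + "; Max-Age=" + (LIFETIME_MILLIS / 1000)
                + "; Path=/; HttpOnly; Secure";
    }

    private static String randomToken(int numBytes) {
        byte[] b = new byte[numBytes];
        RNG.nextBytes(b);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(b); // no ':' or ';' possible
    }

    private static byte[] sha256(String s) {
        try {
            return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) {
        AutoLoginExample al = new AutoLoginExample();
        long now = System.currentTimeMillis();
        String cookie = al.issueToken("lenya", now);                    // user id taken from the log above
        System.out.println(setCookieHeader(cookie));
        System.out.println("valid cookie        -> " + al.authenticate(cookie, now));          // lenya
        String swapped = "admin" + cookie.substring(cookie.indexOf(':'));
        System.out.println("user id swapped     -> " + al.authenticate(swapped, now));         // null
        String fresh = al.rotate(cookie, now);
        System.out.println("old cookie, rotated -> " + al.authenticate(cookie, now));          // null
        System.out.println("fresh cookie        -> " + al.authenticate(fresh, now));           // lenya
        System.out.println("fresh, after expiry -> " + al.authenticate(fresh, now + LIFETIME_MILLIS)); // null
    }
}
```

On Balz's question whether the token needs renewing: with rotate() a stolen cookie is good for at most one use, and a second presentation of the same token (by the thief or by the legitimate user) fails, which also makes the theft visible. Keeping one long-lived token is simpler but means a copied cookie works until expiry or revokeAll(). Note that a cookie flagged Secure is not sent over plain http://, so on the http://127.0.0.1:8080 setup from the log above (where the servlet already warns that SSL is not configured) the auto-login would never trigger; test it over HTTPS or drop the flag only for local testing.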