[Yanel-dev] Auto Login
Michael Wechner
michael.wechner at wyona.com
Tue Jul 5 16:14:51 CEST 2011
Hi Balz
I have applied your latest patch re auto login which you have sent to me
(offlist), but receive the following error:
71951 2011-07-05 16:11:53,785 +0200 [http-8080-Processor22] WARN
org.wyona.yanel.servlet.YanelServlet.doAccessControl():1122 - Access
denied:
http://127.0.0.1:8080/yanel/from-scratch-realm/en/index.html?yanel.toolbar=on
(Path of request: /en/index.html; Identity: User ID: WORLD - Groups: ;
Usecase: toolbar)
71951 2011-07-05 16:11:53,785 +0200 [http-8080-Processor22] WARN
org.wyona.yanel.servlet.YanelServlet.doAccessControl():1152 - SSL does
not seem to be configured!
71981 2011-07-05 16:11:53,815 +0200 [http-8080-Processor22] WARN
org.wyona.security.impl.yarep.YarepUserManager.getTrueId():503 - No
alias found for id 'lenya', hence return id as true ID
72028 2011-07-05 16:11:53,862 +0200 [http-8080-Processor22] WARN
org.wyona.yanel.servlet.security.impl.DefaultWebAuthenticatorImpl.authenticate():680
- Authentication was successful for user: lenya
72030 2011-07-05 16:11:53,864 +0200 [http-8080-Processor22] WARN
org.wyona.yanel.servlet.security.impl.DefaultWebAuthenticatorImpl.authenticate():681
- TODO: Add user to session listener!
72030 2011-07-05 16:11:53,864 +0200 [http-8080-Processor22] WARN
org.wyona.yanel.servlet.security.impl.DefaultWebAuthenticatorImpl.doAutoLogin():610
- TODO: Implement auto-login
72031 2011-07-05 16:11:53,865 +0200 [http-8080-Processor22] FATAL
org.wyona.yanel.servlet.security.impl.AutoLogin.enableAutoLogin():66 -
Could not enable Auto Login feature! Exception:
java.lang.NullPointerException
java.lang.NullPointerException
at
org.wyona.yanel.servlet.security.impl.AutoLogin.setNewCookie(AutoLogin.java:130)
at
org.wyona.yanel.servlet.security.impl.AutoLogin.enableAutoLogin(AutoLogin.java:62)
at
org.wyona.yanel.servlet.security.impl.DefaultWebAuthenticatorImpl.doAutoLogin(DefaultWebAuthenticatorImpl.java:613)
at
org.wyona.yanel.servlet.security.impl.DefaultWebAuthenticatorImpl.doAuthenticate(DefaultWebAuthenticatorImpl.java:106)
at
org.wyona.yanel.servlet.YanelServlet.doAuthenticate(YanelServlet.java:1393)
at
org.wyona.yanel.servlet.YanelServlet.doAccessControl(YanelServlet.java:1158)
at org.wyona.yanel.servlet.YanelServlet.service(YanelServlet.java:253)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:802)
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:252)
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
at
org.wyona.yanel.servlet.communication.YanelFilter.doFilter(YanelFilter.java:37)
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
at
org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
at
org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
at
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
at
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
at
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
at
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
at
org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:869)
at
org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:664)
at
org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
at
org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:80)
at
org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684)
at java.lang.Thread.run(Thread.java:680)
72032 2011-07-05 16:11:53,866 +0200 [http-8080-Processor22] WARN
org.wyona.yanel.servlet.YanelServlet.doAccessControl():1178 -
Authentication was successful for user: lenya
72032 2011-07-05 16:11:53,866 +0200 [http-8080-Processor22] WARN
org.wyona.yanel.servlet.YanelServlet.doAccessControl():1187 - Redirect
to original request:
http://127.0.0.1:8080/yanel/from-scratch-realm/en/index.html?yanel.toolbar=on
Can you send me another version or maybe we can have a look at it
together tomorrow morning?
WDYT?
Thanks
Michael
On 17.05.11 16:15, basZero wrote:
> Hi Michael,
>
> can you verify this patch for the AutoLogin class?
> If it is ok, you can submit it.
> How do we proceed?
>
> I have implemented the AutoLogin call after successful login, so the
> rest must be done in the YanelServlet and the Authenticator.
>
> Cheers
> Balz
>
> On Tue, May 17, 2011 at 11:34 AM, Michael Wechner
> <michael.wechner at wyona.com <mailto:michael.wechner at wyona.com>> wrote:
>
> Hi Balz
>
> As we have discussed offline I have now added the relevant calls
> and utility class:
>
> src/webapp/src/java/org/wyona/yanel/servlet/security/impl/AutoLogin.java
>
>
> src/webapp/src/java/org/wyona/yanel/servlet/security/impl/DefaultWebAuthenticatorImpl.java
> src/webapp/src/java/org/wyona/yanel/servlet/YanelServlet.java
>
> whereas just as the class DefaultWebAuthenticatorImpl is using the
> utility class AutoLogin,
> you can use this utility class within your custom code and as long
> as you don't pass the form parameter "auto-login" (e.g. used by
> src/webapp/xslt/login-screen.xsl) the DefaultWebAuthenticatorImpl
> will ignore it.
>
> The code does not do much yet and the AutoLogin class methods
> need to be refined (in particular the setCookie(...) method), but
> maybe you can test if this integrates well with your custom code
> and if so,
> then I think it should be generic enough and easily integrable.
>
> Let me know and then we can start the actual implementation.
>
> Thanks
>
> Michael
>
>
> On 5/17/11 8:15 AM, basZero wrote:
>> Hi Michael,
>> I think it is not a good idea to store the token in the user
>> profile. Read my consolidated thoughts about the auto-login:
>>
>> - In order to give a realm flexibility on HOW the autologin gets
>> implemented, I would suggest that you can configure (per realm) an
>> AutoLoginService (e.g. in the realms.xml) which gets called by the
>> YanelServlet. This way you don't have to worry about all the details
>> now (what to store where and how, etc.) because these are then up to
>> the realm's implementation (if it wants to use Auto-Login).
>>
>> - Given this design you can later introduce a DefaultAutoLoginServiceImpl
>> class which a realm can use if they are happy with how that
>> implementation does handle the autologin.
>> - The AutoLoginService gets called by the YanelServlet for EACH request that is NOT BOUND to any session yet (so that equals the first request per session).
>> - So the AutoLoginService would get the Yanel Environment object (via that it has access to request, response, session, etc., --> the session must be created before the AutoLoginService gets called, it might want to store values in it).
>> - In general I think we need to extend the DefaultAuthenticatorImpl in Yanel so that you can "login" the user by just providing the username.
>> My points regarding the AutoLoginService:
>> - Define NEW COOKIE (e.g. YANEL_AUTOLOGIN, it contains userID and a TOKEN)
>> - Verify that the user is really not logged in yet. If logged in --> return.
>> - The TOKEN must be found VERY QUICKLY, we can not go through 10'000 user profiles and look for the token --> Either store it as a separate XML (data/autologin/<tokenid>.xml), or we save it in a separate index (at Zwischengas we use an internal index for that already, separated from the actual content data)
>> - In the TOKEN DATA file (retrieved from token XML or Index), we get the userid for this token. It must match the userid provided from the COOKIE.
>> - If it matches and the token has not yet expired, we do the login for this user WITHOUT password.
>> I currently wonder whether we really have to renew the TOKEN in the Autologin-Cookie, we could also keep it (like the Yanel-Cookie). What do you think?
>> Cheers
>> Balz
>>
>> On Tue, May 17, 2011 at 7:31 AM, <baszero at gmail.com
>> <mailto:baszero at gmail.com>> wrote:
>>
>> hi michael
>>
>> i would rather store it in the user profile xml and not in
>> the meta property.
>>
>> cheers
>>
>>
>> _____________________
>> CTO / Zwischengas AG
>> www.zwischengas.com <http://www.zwischengas.com>
>>
>> Sent via iPhone
>>
>> On 16.05.2011, at 23:04, Michael Wechner
>> <michael.wechner at wyona.com
>> <mailto:michael.wechner at wyona.com>> wrote:
>>
>>> Hi Balz
>>>
>>> On 5/16/11 5:06 PM, basZero wrote:
>>>> Hi Michael,
>>>>
>>>> as just discussed, what I meant by "auto-login" is not just
>>>> pre-filling the username field in the login form.
>>>
>>> sorry, right, I misunderstood
>>>> By "auto-login", I mean the following:
>>>>
>>>> - the user accesses ANY page within my realm
>>>> - at every request it is verified whether the user is
>>>> logged in (means: getIdentity() != null ?)
>>>> - if there is no identity available, the request is checked
>>>> for the autologin cookie
>>>> - if there is no autologin cookie, proceed as usual (= user
>>>> remains anonymous)
>>>> - if there IS an autologin cookie, the user gets
>>>> authenticated automatically (without seeing any form or the
>>>> need of pressing a submit button) and the user is logged in.
>>>
>>> sounds good also from a performance/scalability point of
>>> view, except it's unclear to me where
>>> we should save the tokens persistently and how to clean them
>>> if they have expired.
>>>
>>> I guess we could save them together with the user profile, e.g.
>>>
>>> getRealm().getIdentityManager().getUserManager().getUser("baszero").setProperty("autologin-token",
>>> TOKEN-ID);
>>>
>>> WDYT?
>>>
>>> Thanks
>>>
>>> Michael
>>>
>>>>
>>>> *Implementation:*
>>>> The standard way of how this usually gets implemented is as
>>>> follows:
>>>> - The cookie contains USERID, TOKEN
>>>> - After every successful authentication, a new TOKEN gets
>>>> created and stored in the COOKIE (for the next time). The
>>>> realm also stores the new token for this user (so that it
>>>> can be verified the next time).
>>>> - How to do the authentication: the token from the cookie
>>>> must match the last stored token for this user. if it
>>>> matches, the user gets logged in without the need of the
>>>> password.
>>>>
>>>> A normal side effect of this implementation is:
>>>> - if the user uses a web browser and for instance an iPad,
>>>> every time he switches the device, the token obviously does
>>>> not match anymore and he has to login by the usual login
>>>> form where he enters username and password (and where he
>>>> can checkbox the autologin feature again).
>>>>
>>>> *Next steps for Yanel:*
>>>> It would be great if this functionality could be plugged
>>>> into the request pipeline of Yanel.
>>>> An alternative is to write a Request Pipeline Filter for
>>>> TOMCAT so that the request goes through that servlet each time.
>>>>
>>>> What do you propose?
>>>>
>>>> Cheers
>>>> Balz
>>>>
>>>>
>>>> On Mon, May 16, 2011 at 4:48 PM, Michael Wechner
>>>> <michael.wechner at wyona.com
>>>> <mailto:michael.wechner at wyona.com>> wrote:
>>>>
>>>> Hi Balz
>>>>
>>>>
>>>> On 5/16/11 4:09 PM, basZero wrote:
>>>>
>>>> Hi Michael,
>>>>
>>>> you once mentioned that Yanel comes out of the box
>>>> with an auto login feature?
>>>> Can you point me to the source code? I didn't find it.
>>>>
>>>>
>>>> Have a look at
>>>>
>>>> src/webapp/src/java/org/wyona/yanel/servlet/security/impl/DefaultWebAuthenticatorImpl.java
>>>>
>>>> and search for
>>>>
>>>> remember-my-login-name
>>>>
>>>> (also see rememberLoginNameCookie.setMaxAge(86400); //
>>>> 1 day is 86400 seconds)
>>>>
>>>> (also see src/webapp/xslt/login-screen.xsl)
>>>>
>>>> HTH
>>>>
>>>> Michael
>>>>
>>>>
>>>> I just want to see how it is done.
>>>>
>>>> Cheers
>>>> Balz
>>>>
>>>>
>>>> --
>>>> Yanel-development mailing list
>>>> Yanel-development at wyona.com
>>>> <mailto:Yanel-development at wyona.com>
>>>> http://lists.wyona.org/cgi-bin/mailman/listinfo/yanel-development
>>>>
>>>>
>>>
>>
>>
>
>
>
>
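The token scheme sketched twice in the quoted thread (cookie carrying USERID plus TOKEN, server-side record looked up by token rather than by scanning user profiles, user ID in the cookie checked against the record, expiry, login without password, new token after each successful use), worked out as an added example. This is not Yanel code and not the patch under discussion; the class and method names, the in-memory map standing in for the proposed data/autologin/<tokenid>.xml file or index, and the millisecond clock passed in by the caller are all assumptions made for the example. Writing the value into a javax.servlet Cookie and reading it back is left to the caller.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/**
 * Added example, not Yanel code. Cookie value: USERID:TOKENID:SECRET.
 * Server side keeps TOKENID -> (USERID, SHA-256(SECRET), expiry), so a lookup is
 * one key access instead of a scan over user profiles, and a copy of the store
 * alone is not enough to forge a cookie. The map is an assumption standing in
 * for the per-token XML file or index proposed in the thread.
 */
public class AutoLoginTokenService {
    private static final SecureRandom RNG = new SecureRandom();
    private static final Base64.Encoder B64 = Base64.getUrlEncoder().withoutPadding();

    private static final class Record {
        final String userId; final byte[] secretHash; final long expiresAt;
        Record(String u, byte[] h, long e) { userId = u; secretHash = h; expiresAt = e; }
    }

    private final Map<String, Record> store = new ConcurrentHashMap<String, Record>();
    private final long ttlMillis;

    public AutoLoginTokenService(long ttlMillis) { this.ttlMillis = ttlMillis; }

    /** After a successful form login with auto-login ticked: mint a token, return the cookie value. */
    public String issue(String userId, long nowMillis) {
        String tokenId = randomToken(16); // lookup key (the <tokenid> of data/autologin/<tokenid>.xml)
        String secret = randomToken(32);  // only ever stored hashed
        store.put(tokenId, new Record(userId, sha256(secret), nowMillis + ttlMillis));
        return userId + ":" + tokenId + ":" + secret;
    }

    /**
     * First request of a session that carries the cookie. Returns the user ID to log in
     * without a password, or null if the cookie must be ignored. Tokens are single-use:
     * on success the record is deleted and the caller issues a fresh cookie.
     */
    public String verify(String cookieValue, long nowMillis) {
        if (cookieValue == null) return null;
        int s = cookieValue.lastIndexOf(':');
        int t = s > 0 ? cookieValue.lastIndexOf(':', s - 1) : -1;
        if (t <= 0) return null; // malformed, or empty user ID
        String userId = cookieValue.substring(0, t);
        String tokenId = cookieValue.substring(t + 1, s);
        String secret = cookieValue.substring(s + 1);

        Record rec = store.get(tokenId);
        if (rec == null) return null;             // unknown or already consumed token
        if (nowMillis >= rec.expiresAt) {         // expired: clean up on the spot
            store.remove(tokenId);
            return null;
        }
        // user ID from the cookie must match the one recorded for the token, and the
        // secret must hash to the stored value (constant-time comparison)
        if (!rec.userId.equals(userId) || !MessageDigest.isEqual(sha256(secret), rec.secretHash)) {
            return null;
        }
        store.remove(tokenId);                    // rotate: this token is spent
        return rec.userId;
    }

    /** Periodic cleanup of expired records; returns how many were dropped. */
    public int purgeExpired(long nowMillis) {
        int removed = 0;
        for (Map.Entry<String, Record> e : store.entrySet()) {
            if (nowMillis >= e.getValue().expiresAt && store.remove(e.getKey(), e.getValue())) removed++;
        }
        return removed;
    }

    private static String randomToken(int bytes) {
        byte[] b = new byte[bytes];
        RNG.nextBytes(b);
        return B64.encodeToString(b); // URL-safe alphabet, never contains ':'
    }

    private static byte[] sha256(String s) {
        try {
            return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) {
        long day = 24L * 3600 * 1000, now = 1000000L;
        AutoLoginTokenService svc = new AutoLoginTokenService(30 * day);
        String c1 = svc.issue("lenya", now);
        System.out.println("first use:  " + svc.verify(c1, now + 1));
        System.out.println("replay:     " + svc.verify(c1, now + 2));   // same cookie a second time
        String c2 = svc.issue("lenya", now);
        System.out.println("other user: " + svc.verify("admin" + c2.substring(c2.indexOf(':')), now + 1));
        System.out.println("expired:    " + svc.verify(c2, now + 31 * day));
    }
}
```

Deleting the record on every successful use answers the renewal question raised in the thread: if the cookie is copied from one device, whichever copy is presented second is refused, which is both a limit on the damage and a signal worth logging. Whatever store replaces the map, the cookie itself should be set with HttpOnly and Secure, and the "SSL does not seem to be configured!" warning in the log above means the Secure flag has no effect on that test instance: a long-lived login cookie sent over plain HTTP is exactly the value an on-path attacker wants.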