[Yanel-dev] Auto Login
Michael Wechner
michael.wechner at wyona.com
Wed Jul 6 09:58:43 CEST 2011
On 05.07.11 16:21, basZero wrote:
> I think you did not apply the latest patch? On line 130 there can't be
> a NullPointer...
> Here is a fresh one.
Thanks very much. This one looks better.
I will review it now and keep you posted...
Thanks
Michael
>
> Let me know whether it works.
> Cheers
> Balz
>
> On Tue, Jul 5, 2011 at 4:14 PM, Michael Wechner
> <michael.wechner at wyona.com <mailto:michael.wechner at wyona.com>> wrote:
>
> Hi Balz
>
> I have applied your latest patch re auto login (which you have sent
> to me offlist), but receive the following error:
>
> 71951 2011-07-05 16:11:53,785 +0200 [http-8080-Processor22] WARN
> org.wyona.yanel.servlet.YanelServlet.doAccessControl():1122 -
> Access denied:
> http://127.0.0.1:8080/yanel/from-scratch-realm/en/index.html?yanel.toolbar=on
> (Path of request: /en/index.html; Identity: User ID: WORLD -
> Groups: ; Usecase: toolbar)
> 71951 2011-07-05 16:11:53,785 +0200 [http-8080-Processor22] WARN
> org.wyona.yanel.servlet.YanelServlet.doAccessControl():1152 - SSL
> does not seem to be configured!
> 71981 2011-07-05 16:11:53,815 +0200 [http-8080-Processor22] WARN
> org.wyona.security.impl.yarep.YarepUserManager.getTrueId():503 -
> No alias found for id 'lenya', hence return id as true ID
> 72028 2011-07-05 16:11:53,862 +0200 [http-8080-Processor22] WARN
> org.wyona.yanel.servlet.security.impl.DefaultWebAuthenticatorImpl.authenticate():680
> - Authentication was successful for user: lenya
> 72030 2011-07-05 16:11:53,864 +0200 [http-8080-Processor22] WARN
> org.wyona.yanel.servlet.security.impl.DefaultWebAuthenticatorImpl.authenticate():681
> - TODO: Add user to session listener!
> 72030 2011-07-05 16:11:53,864 +0200 [http-8080-Processor22] WARN
> org.wyona.yanel.servlet.security.impl.DefaultWebAuthenticatorImpl.doAutoLogin():610
> - TODO: Implement auto-login
> 72031 2011-07-05 16:11:53,865 +0200 [http-8080-Processor22] FATAL
> org.wyona.yanel.servlet.security.impl.AutoLogin.enableAutoLogin():66
> - Could not enable Auto Login feature! Exception:
> java.lang.NullPointerException
> java.lang.NullPointerException
> at
> org.wyona.yanel.servlet.security.impl.AutoLogin.setNewCookie(AutoLogin.java:130)
> at
> org.wyona.yanel.servlet.security.impl.AutoLogin.enableAutoLogin(AutoLogin.java:62)
> at
> org.wyona.yanel.servlet.security.impl.DefaultWebAuthenticatorImpl.doAutoLogin(DefaultWebAuthenticatorImpl.java:613)
> at
> org.wyona.yanel.servlet.security.impl.DefaultWebAuthenticatorImpl.doAuthenticate(DefaultWebAuthenticatorImpl.java:106)
> at
> org.wyona.yanel.servlet.YanelServlet.doAuthenticate(YanelServlet.java:1393)
> at
> org.wyona.yanel.servlet.YanelServlet.doAccessControl(YanelServlet.java:1158)
> at
> org.wyona.yanel.servlet.YanelServlet.service(YanelServlet.java:253)
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:802)
> at
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:252)
> at
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
> at
> org.wyona.yanel.servlet.communication.YanelFilter.doFilter(YanelFilter.java:37)
> at
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
> at
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
> at
> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
> at
> org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
> at
> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
> at
> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
> at
> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
> at
> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
> at
> org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:869)
> at
> org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:664)
> at
> org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
> at
> org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:80)
> at
> org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684)
> at java.lang.Thread.run(Thread.java:680)
> 72032 2011-07-05 16:11:53,866 +0200 [http-8080-Processor22] WARN
> org.wyona.yanel.servlet.YanelServlet.doAccessControl():1178 -
> Authentication was successful for user: lenya
> 72032 2011-07-05 16:11:53,866 +0200 [http-8080-Processor22] WARN
> org.wyona.yanel.servlet.YanelServlet.doAccessControl():1187 -
> Redirect to original request:
> http://127.0.0.1:8080/yanel/from-scratch-realm/en/index.html?yanel.toolbar=on
>
> Can you send me another version or maybe we can have a look at it
> together tomorrow morning?
>
> WDYT?
>
> Thanks
>
> Michael
>
> On 17.05.11 16:15, basZero wrote:
>> Hi Michael,
>>
>> can you verify this patch for the AutoLogin class?
>> If it is ok, you can submit it.
>> How do we proceed?
>>
>> I have implemented the AutoLogin call after successful login, so
>> the rest must be done in the YanelServlet and the Authenticator.
>>
>> Cheers
>> Balz
>>
>> On Tue, May 17, 2011 at 11:34 AM, Michael Wechner
>> <michael.wechner at wyona.com <mailto:michael.wechner at wyona.com>> wrote:
>>
>> Hi Balz
>>
>> As we have discussed offline I have now added the relevant
>> calls and utility class:
>>
>> src/webapp/src/java/org/wyona/yanel/servlet/security/impl/AutoLogin.java
>>
>>
>> src/webapp/src/java/org/wyona/yanel/servlet/security/impl/DefaultWebAuthenticatorImpl.java
>> src/webapp/src/java/org/wyona/yanel/servlet/YanelServlet.java
>>
>> where, just as the class DefaultWebAuthenticatorImpl uses the
>> utility class AutoLogin,
>> you can use this utility class within your custom code, and as
>> long as you don't pass the form parameter "auto-login" (e.g.
>> used by src/webapp/xslt/login-screen.xsl) the
>> DefaultWebAuthenticatorImpl will ignore it.
>>
>> The code does not do much yet and the AutoLogin class methods
>> need to be refined (in particular the setCookie(...)
>> method), but maybe you can test if this integrates well with
>> your custom code and if so,
>> then I think it should be generic enough and easily integrable.
>>
>> Let me know and then we can start the actual implementation.
>>
>> Thanks
>>
>> Michael
>>
>>
>> On 5/17/11 8:15 AM, basZero wrote:
>>> Hi Michael,
>>> I think it is not a good idea to store the token in the user
>>> profile. Read my consolidated thoughts about the auto-login:
>>>
>>> - In order to give a realm flexibility on HOW the autologin gets implemented, I would suggest that you can configure (per realm) an AutoLoginService (e.g. in the realms.xml) which gets called by the YanelServlet. This way you don't have to worry about all the details now (what to store where and how, etc.) because these are then up to the realm's implementation (if it wants to use Auto-Login).
>>> - Given this design you can later introduce a DefaultAutoLoginServiceImpl class which a realm can use if they are happy with how that implementation does handle the autologin.
>>> - The AutoLoginService gets called by the YanelServlet for EACH request that is NOT BOUND to any session yet (so that equals the first request per session).
>>> - So the AutoLoginService would get the Yanel Environment object (via that it has access to request, response, session, etc., --> the session must be created before the AutoLoginService gets called, it might want to store values in it).
>>> - In general I think we need to extend the DefaultAuthenticatorImpl in Yanel so that you can "login" the user by just providing the username.
>>> My points regarding the AutoLoginService:
>>> - Define NEW COOKIE (e.g. YANEL_AUTOLOGIN, it contains userID and a TOKEN)
>>> - Verify that the user is really not logged in yet. If logged in --> return.
>>> - The TOKEN must be found VERY QUICKLY, we can not go through 10'000 user profiles and look for the token --> Either store it as a separate XML (data/autologin/<tokenid>.xml), or we save it in a separate index (at Zwischengas we use an internal index for that already, separated from the actual content data)
>>> - In the TOKEN DATA file (retrieved from token XML or Index), we get the userid for this token. It must match the userid provided from the COOKIE.
>>> - If it matches and the token has not yet expired, we do the login for this user WITHOUT password.
>>> I currently wonder whether we really have to renew the TOKEN in the Autologin-Cookie, we could also keep it (like the Yanel-Cookie). What do you think?
>>> Cheers
>>> Balz
>>>
>>> On Tue, May 17, 2011 at 7:31 AM, <baszero at gmail.com
>>> <mailto:baszero at gmail.com>> wrote:
>>>
>>> hi michael
>>>
>>> i would rather store it in the user profile xml and not
>>> in the meta property.
>>>
>>> cheers
>>>
>>>
>>> _____________________
>>> CTO / Zwischengas AG
>>> www.zwischengas.com <http://www.zwischengas.com>
>>>
>>> Sent via iPhone
>>>
>>> On 16.05.2011, at 23:04, Michael Wechner
>>> <michael.wechner at wyona.com
>>> <mailto:michael.wechner at wyona.com>> wrote:
>>>
>>>> Hi Balz
>>>>
>>>> On 5/16/11 5:06 PM, basZero wrote:
>>>>> Hi Michael,
>>>>>
>>>>> as just discussed, what I meant by "auto-login" is not
>>>>> just pre-filling the username field in the login form.
>>>>
>>>> sorry, right, I misunderstood
>>>>> By "auto-login", I mean the following:
>>>>>
>>>>> - the user accesses ANY page within my realm
>>>>> - at every request it is verified whether the user is
>>>>> logged in (means: getIdentity() != null ?)
>>>>> - if there is no identity available, the request is
>>>>> checked for the autologin cookie
>>>>> - if there is no autologin cookie, proceed as usual (=
>>>>> user remains anonymous)
>>>>> - if there IS an autologin cookie, the user gets
>>>>> authenticated automatically (without seeing any form
>>>>> or the need of pressing a submit button) and the user
>>>>> is logged in.
>>>>
>>>> sounds good also from a performance/scalability point of
>>>> view, except it's unclear to me where
>>>> we should save the tokens persistently and how to clean
>>>> them if they have expired.
>>>>
>>>> I guess we could save them together with the user
>>>> profile, e.g.
>>>>
>>>> getRealm().getIdentityManager().getUserManager().getUser("baszero").setProperty("autologin-token", TOKEN-ID);
>>>>
>>>> WDYT?
>>>>
>>>> Thanks
>>>>
>>>> Michael
>>>>
>>>>>
>>>>> *Implementation:*
>>>>> The standard way of how this usually gets implemented
>>>>> is as follows:
>>>>> - The cookie contains USERID, TOKEN
>>>>> - After every successful authentication, a new TOKEN
>>>>> gets created and stored in the COOKIE (for the next
>>>>> time). The realm also stores the new token for this
>>>>> user (so that it can be verified the next time).
>>>>> - How to do the authentication: the token from the
>>>>> cookie must match the last stored token for this user.
>>>>> If it matches, the user gets logged in without the
>>>>> need of the password.
>>>>>
>>>>> A normal side effect of this implementation is:
>>>>> - if the user uses a web browser and for instance an
>>>>> iPad, every time he switches the device, the token
>>>>> obviously does not match anymore and he has to login
>>>>> by the usual login form where he enters username and
>>>>> password (and where he can checkbox the autologin
>>>>> feature again).
>>>>>
>>>>> *Next steps for Yanel:*
>>>>> It would be great if this functionality could be
>>>>> plugged into the request pipeline of Yanel.
>>>>> An alternative is to write a Request Pipeline Filter
>>>>> for TOMCAT so that the request goes through that
>>>>> servlet each time.
>>>>>
>>>>> What do you propose?
>>>>>
>>>>> Cheers
>>>>> Balz
>>>>>
>>>>>
>>>>> On Mon, May 16, 2011 at 4:48 PM, Michael Wechner
>>>>> <michael.wechner at wyona.com
>>>>> <mailto:michael.wechner at wyona.com>> wrote:
>>>>>
>>>>> Hi Balz
>>>>>
>>>>>
>>>>> On 5/16/11 4:09 PM, basZero wrote:
>>>>>
>>>>> Hi Michael,
>>>>>
>>>>> you once mentioned that Yanel comes out of the
>>>>> box with an auto login feature?
>>>>> Can you point me to the source code? I didn't
>>>>> find it.
>>>>>
>>>>>
>>>>> Have a look at
>>>>>
>>>>> src/webapp/src/java/org/wyona/yanel/servlet/security/impl/DefaultWebAuthenticatorImpl.java
>>>>>
>>>>> and search for
>>>>>
>>>>> remember-my-login-name
>>>>>
>>>>> (also see rememberLoginNameCookie.setMaxAge(86400); // 1 day is 86400 seconds)
>>>>>
>>>>> (also see src/webapp/xslt/login-screen.xsl)
>>>>>
>>>>> HTH
>>>>>
>>>>> Michael
>>>>>
>>>>>
>>>>> I just want to see how it is done.
>>>>>
>>>>> Cheers
>>>>> Balz
>>>>>
>>>>>
>>>>> --
>>>>> Yanel-development mailing list
>>>>> Yanel-development at wyona.com
>>>>> <mailto:Yanel-development at wyona.com>
>>>>> http://lists.wyona.org/cgi-bin/mailman/listinfo/yanel-development
>>>>>
>>>>>
>>>>
>>>
>>>
>>
>>
>>
>>
>
>
>
>
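The cookie-plus-token design discussed in this thread (the YANEL_AUTOLOGIN cookie carries USERID and TOKEN, token data is looked up by token id instead of scanning user profiles, the user id in the cookie must match the token data, expired tokens fall back to anonymous, and a fresh login replaces the previous token so an older device has to use the login form again), as an added Python sketch that is not Yanel's Java code. The in-memory dicts, the 30-day lifetime, the cookie layout and the hashing of the stored secret are assumptions of this example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory stand-ins for the per-token store proposed in the thread
# (data/autologin/<tokenid>.xml or a separate index): lookup is by token id, never
# a scan over user profiles.  Storing only a hash of the secret is an addition here.
TOKEN_STORE = {}        # token_id -> {"user": ..., "secret_hash": ..., "expires": ...}
USER_TOKEN = {}         # user -> current token_id, so a new login revokes the old one
TOKEN_TTL = 30 * 86400  # assumed lifetime: 30 days in seconds

def issue_autologin_cookie(user_id, now=None):
    # Called after a successful password login: mint a fresh token, drop the
    # user's previous one (an older device must use the login form again).
    now = time.time() if now is None else now
    old = USER_TOKEN.pop(user_id, None)
    if old is not None:
        TOKEN_STORE.pop(old, None)
    token_id, secret = secrets.token_urlsafe(16), secrets.token_urlsafe(32)
    TOKEN_STORE[token_id] = {
        "user": user_id,
        "secret_hash": hashlib.sha256(secret.encode()).hexdigest(),
        "expires": now + TOKEN_TTL,
    }
    USER_TOKEN[user_id] = token_id
    return f"{user_id}:{token_id}:{secret}"  # value of the YANEL_AUTOLOGIN cookie

def try_autologin(cookie_value, identity=None, now=None):
    # First request of a new session: return the user id to log in without a
    # password, or None to stay anonymous.  Every failure path looks the same.
    now = time.time() if now is None else now
    if identity is not None or not cookie_value:
        return None
    parts = cookie_value.split(":", 2)
    if len(parts) != 3:
        return None
    user_id, token_id, secret = parts
    record = TOKEN_STORE.get(token_id)
    if record is None or record["user"] != user_id:
        return None  # unknown token, or cookie user does not match token data
    if now >= record["expires"]:
        TOKEN_STORE.pop(token_id, None)  # expired: clean up, fall back to anonymous
        USER_TOKEN.pop(user_id, None)
        return None
    presented = hashlib.sha256(secret.encode()).hexdigest()
    if not hmac.compare_digest(record["secret_hash"], presented):
        return None
    return user_id
```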