[Yanel-dev] Auto Login

basZero baszero at gmail.com
Wed Jul 6 14:03:20 CEST 2011


Hi Michael,

thanks for optimizing and submitting my patch.
Just a few comments, minor comments...:
*Autologin:*

- I would replace log.warn by log.debug, if you really log debug stuff.
(e.g. line 53)

- tryAutoLogin(): a little debate on programming style :-) now it is more
difficult to quickly see under which cases the method returns true. In my
version, the default return value is false. On one single line you see
that it is set to true, and you quickly see in which case. But I know, the
usage of the so called "early returns", as you seem to like, is a question of
style. Performance-wise it makes no difference anymore since JDK1.5 and for me
personally, one single return at the end of the method just "reads" better.

*YanelServlet:*

- Also here, many log.warn() are in again which should be log.debug() (e.g.
line 241)

Cheers
Balz

On Wed, Jul 6, 2011 at 12:10 PM, Michael Wechner
<michael.wechner at wyona.com>wrote:

> Hi Balz
>
> Thanks again for your patch. I have slightly refactored it (in particular
> the naming of methods and also logging of the various errors):
>
> Sending
> src/webapp/src/java/org/wyona/yanel/servlet/YanelServlet.java
> Sending
> src/webapp/src/java/org/wyona/yanel/servlet/security/impl/AutoLogin.java
> Sending
> src/webapp/src/java/org/wyona/yanel/servlet/security/impl/DefaultWebAuthenticatorImpl.java
> Transmitting file data ...
> Committed revision 59197.
>
> I have noticed a couple of issues (like for example that during logout the
> cookie is not deleted properly), which
> I will try to improve shortly.
>
> Thanks
>
> Michael
>
>
> Am 05.07.11 16:21, schrieb basZero:
>
> I think you did not apply the latest patch? on line 130 there can't be a
> NullPointer...
> Here it is a fresh one.
>
>  Let me know whether it works.
> Cheers
> Balz
>
>  On Tue, Jul 5, 2011 at 4:14 PM, Michael Wechner <
> michael.wechner at wyona.com> wrote:
>
>>  Hi Balz
>>
>> I have applied your latest patch re auto login (which you have sent to me
>> offlist), but receive the following error:
>>
>> 71951 2011-07-05 16:11:53,785 +0200 [http-8080-Processor22] WARN
>> org.wyona.yanel.servlet.YanelServlet.doAccessControl():1122  - Access
>> denied:
>> http://127.0.0.1:8080/yanel/from-scratch-realm/en/index.html?yanel.toolbar=on(Path of request: /en/index.html; Identity: User ID: WORLD - Groups: ;
>> Usecase: toolbar)
>> 71951 2011-07-05 16:11:53,785 +0200 [http-8080-Processor22] WARN
>> org.wyona.yanel.servlet.YanelServlet.doAccessControl():1152  - SSL does not
>> seem to be configured!
>> 71981 2011-07-05 16:11:53,815 +0200 [http-8080-Processor22] WARN
>> org.wyona.security.impl.yarep.YarepUserManager.getTrueId():503  - No alias
>> found for id 'lenya', hence return id as true ID
>> 72028 2011-07-05 16:11:53,862 +0200 [http-8080-Processor22] WARN
>> org.wyona.yanel.servlet.security.impl.DefaultWebAuthenticatorImpl.authenticate():680
>> - Authentication was successful for user: lenya
>> 72030 2011-07-05 16:11:53,864 +0200 [http-8080-Processor22] WARN
>> org.wyona.yanel.servlet.security.impl.DefaultWebAuthenticatorImpl.authenticate():681
>> - TODO: Add user to session listener!
>> 72030 2011-07-05 16:11:53,864 +0200 [http-8080-Processor22] WARN
>> org.wyona.yanel.servlet.security.impl.DefaultWebAuthenticatorImpl.doAutoLogin():610
>> - TODO: Implement auto-login
>> 72031 2011-07-05 16:11:53,865 +0200 [http-8080-Processor22] FATAL
>> org.wyona.yanel.servlet.security.impl.AutoLogin.enableAutoLogin():66  -
>> Could not enable Auto Login feature! Exception:
>> java.lang.NullPointerException
>> java.lang.NullPointerException
>>     at
>> org.wyona.yanel.servlet.security.impl.AutoLogin.setNewCookie(AutoLogin.java:130)
>>     at
>> org.wyona.yanel.servlet.security.impl.AutoLogin.enableAutoLogin(AutoLogin.java:62)
>>     at
>> org.wyona.yanel.servlet.security.impl.DefaultWebAuthenticatorImpl.doAutoLogin(DefaultWebAuthenticatorImpl.java:613)
>>     at
>> org.wyona.yanel.servlet.security.impl.DefaultWebAuthenticatorImpl.doAuthenticate(DefaultWebAuthenticatorImpl.java:106)
>>     at
>> org.wyona.yanel.servlet.YanelServlet.doAuthenticate(YanelServlet.java:1393)
>>     at
>> org.wyona.yanel.servlet.YanelServlet.doAccessControl(YanelServlet.java:1158)
>>     at org.wyona.yanel.servlet.YanelServlet.service(YanelServlet.java:253)
>>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:802)
>>     at
>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:252)
>>     at
>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
>>     at
>> org.wyona.yanel.servlet.communication.YanelFilter.doFilter(YanelFilter.java:37)
>>     at
>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
>>     at
>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
>>     at
>> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
>>     at
>> org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
>>     at
>> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
>>     at
>> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
>>     at
>> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
>>     at
>> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
>>     at
>> org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:869)
>>     at
>> org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:664)
>>     at
>> org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
>>     at
>> org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:80)
>>     at
>> org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684)
>>     at java.lang.Thread.run(Thread.java:680)
>> 72032 2011-07-05 16:11:53,866 +0200 [http-8080-Processor22] WARN
>> org.wyona.yanel.servlet.YanelServlet.doAccessControl():1178  -
>> Authentication was successful for user: lenya
>> 72032 2011-07-05 16:11:53,866 +0200 [http-8080-Processor22] WARN
>> org.wyona.yanel.servlet.YanelServlet.doAccessControl():1187  - Redirect to
>> original request:
>> http://127.0.0.1:8080/yanel/from-scratch-realm/en/index.html?yanel.toolbar=on
>>
>> Can you send me another version or maybe we can have a look at it together
>> tomorrow morning?
>>
>> WDYT?
>>
>> Thanks
>>
>> Michael
>>
>> Am 17.05.11 16:15, schrieb basZero:
>>
>> Hi Michael,
>>
>>  can you verify this patch for the AutoLogin class?
>> If it is ok, you can submit it.
>> How do we proceed?
>>
>>  I have implemented the AutoLogin call after successful login, so the
>> rest must be done in the YanelServlet and the Authenticator.
>>
>>  Cheers
>> Balz
>>
>> On Tue, May 17, 2011 at 11:34 AM, Michael Wechner <
>> michael.wechner at wyona.com> wrote:
>>
>>>  Hi Balz
>>>
>>> As we have discussed offline I have now added the relevant calls and
>>> utility class:
>>>
>>> src/webapp/src/java/org/wyona/yanel/servlet/security/impl/AutoLogin.java
>>>
>>>
>>> src/webapp/src/java/org/wyona/yanel/servlet/security/impl/DefaultWebAuthenticatorImpl.java
>>>  src/webapp/src/java/org/wyona/yanel/servlet/YanelServlet.java
>>>
>>> whereas, just as the class DefaultWebAuthenticatorImpl is using the
>>> utility class AutoLogin,
>>> you can use this utility class within your custom code, and as long as you
>>> don't pass the form parameter "auto-login" (e.g. used by
>>> src/webapp/xslt/login-screen.xsl) the DefaultWebAuthenticatorImpl will
>>> ignore it.
>>>
>>> The code does not do much yet and the AutoLogin class methods need to be
>>> refined (in particular the setCookie(...) method), but maybe you can test if
>>> this integrates well with your custom code and if so,
>>> then I think it should be generic enough and easily integrable.
>>>
>>> Let me know and then we can start the actual implementation.
>>>
>>> Thanks
>>>
>>> Michael
>>>
>>>
>>> On 5/17/11 8:15 AM, basZero wrote:
>>>
>>> Hi Michael,
>>> I think it is not a good idea to store the token in the user profile.
>>> Read my consolidated thoughts about the auto-login:
>>>
>>>  -
>>> In order
>>>
>>> to give a realm flexibility on HOW the
>>> autologin gets
>>>
>>> implemented, I would suggest that you can
>>> configure (per
>>>
>>> realm) an AutoLoginService (e.g. in the
>>> realms.xml) which
>>>
>>> gets called by the YanelServlet. This way you
>>> don't have to
>>>
>>> worry about all the details now (what to store
>>> where and
>>>
>>> how, etc.) because these are then up to the
>>> realm's
>>>
>>> implementation (if it wants to use
>>> Auto-Login).
>>>
>>>
>>>
>>> - Given this design you can later introduce a
>>>
>>> DefaultAutoLoginServiceImpl class which a
>>> realm can use if
>>>
>>> they are happy with how that implementation
>>> does handle the
>>>
>>> autologin.
>>>
>>> - The AutoLoginService gets called by the YanelServlet for EACH request that is NOT BOUND to any session yet (so that equals to the first request per session).
>>> - So the AutoLoginService would get the Yanel Environment object (via that it has access to request, response, session, etc., --> the session must be created before the AutoLoginService gets called, it might want to store values in it).
>>> - In general I think we need to extend the DefaultAuthenticatorImpl in Yanel so that you can "login" the user by just providing the username.
>>>
>>> My points regarding the AutoLoginService:
>>>
>>> - Define NEW COOKIE (e.g. YANEL_AUTOLOGIN, it contains userID and a TOKEN)
>>> - Verify that the user is really not logged in yet. If logged in --> return.
>>> - The TOKEN must be found VERY QUICKLY, we can not go through 10'000 user profiles and look for the token --> Either store it as a separate XML (data/autologin/<tokenid>.xml), or we save it in a separate index (at Zwischengas we use an internal index for that already, separated from the actual content data)
>>> - In the TOKEN DATA file (retrieved from token XML or Index), we get the userid for this token. It must match the userid provided from the COOKIE.
>>> - If it matches and the token has not yet expired, we do the login for this user WITHOUT password.
>>>
>>> I currently wonder whether we really have to renew the TOKEN in the Autologin-Cookie, we could also keep it (like the Yanel-Cookie). What do you think?
>>>
>>> Cheers
>>> Balz
>>>
>>>
>>> On Tue, May 17, 2011 at 7:31 AM, <baszero at gmail.com> wrote:
>>>
>>>>  hi michael
>>>>
>>>>  i would rather store it in the user profile xml and not in the meta
>>>> property.
>>>>
>>>>  cheers
>>>>
>>>>
>>>>  _____________________
>>>> CTO / Zwischengas AG
>>>> www.zwischengas.com
>>>>
>>>>  Sent via iPhone
>>>>
>>>> On 16.05.2011, at 23:04, Michael Wechner <michael.wechner at wyona.com>
>>>> wrote:
>>>>
>>>>   Hi Balz
>>>>
>>>> On 5/16/11 5:06 PM, basZero wrote:
>>>>
>>>> Hi Michael,
>>>>
>>>>  as just discussed, what I meant by "auto-login" is not just
>>>> pre-filling the username field in the login form.
>>>>
>>>>
>>>> sorry, right, I misunderstood
>>>>
>>>> By "auto-login", I mean the following:
>>>>
>>>>  - the user accesses ANY page within my realm
>>>> - at every request it is verified whether the user is logged in (means:
>>>> getIdentity() != null ?)
>>>> - if there is no identity available, the request is checked for the
>>>> autologin cookie
>>>> - if there is no autologin cookie, proceed as usual (= user remains
>>>> anonymous)
>>>> - if there IS an autologin cookie, the user gets authenticated
>>>> automatically (without seeing any form or the need of pressing a submit
>>>> button) and the user is logged in.
>>>>
>>>>
>>>> sounds good also from a performance/scalability point of view, except
>>>> it's unclear to me where
>>>> we should save the tokens persistently and how to clean them if they
>>>> have expired.
>>>>
>>>> I guess we could save them together with the user profile, e.g.
>>>>
>>>> getRealm().getIdentityManager().getUserManager().getUser("baszero").setProperty("autologin-token",
>>>> TOKEN-ID);
>>>>
>>>> WDYT?
>>>>
>>>> Thanks
>>>>
>>>> Michael
>>>>
>>>>
>>>>  *Implementation:*
>>>> The standard way of how this usually gets implemented is as follows:
>>>> - The cookie contains USERID, TOKEN
>>>> - After every successful authentication, a new TOKEN gets created and
>>>> stored in the COOKIE (for the next time). The realm also stores the new
>>>> token for this user (so that it can be verified the next time).
>>>> - How to do the authentication: the token from the cookie must match the
>>>> last stored token for this user. if it matches, the user gets logged in
>>>> without the need of the password.
>>>>
>>>>  A normal side effect of this implementation is:
>>>> - if the user uses a web browser and for instance an iPad, every time he
>>>> switches the device, the token obviously does not match anymore and he has
>>>> to login by the usual login form where he enters username and password (and
>>>> where he can checkbox the autologin feature again).
>>>>
>>>>  *Next steps for Yanel:*
>>>> It would be great if this functionality could be plugged into the
>>>> request pipeline of Yanel.
>>>> An alternative is to write a Request Pipeline Filter for TOMCAT so that
>>>> the request goes through that servlet each time.
>>>>
>>>>  What do you propose?
>>>>
>>>>  Cheers
>>>> Balz
>>>>
>>>>
>>>> On Mon, May 16, 2011 at 4:48 PM, Michael Wechner <
>>>> michael.wechner at wyona.com> wrote:
>>>>
>>>>> Hi Balz
>>>>>
>>>>>
>>>>> On 5/16/11 4:09 PM, basZero wrote:
>>>>>
>>>>>> Hi Michael,
>>>>>>
>>>>>> you once mentioned that Yanel comes out of the box with an auto login
>>>>>> feature?
>>>>>> Can you point me to the source code? I didn't find it.
>>>>>>
>>>>>
>>>>>  Have a look at
>>>>>
>>>>>
>>>>> src/webapp/src/java/org/wyona/yanel/servlet/security/impl/DefaultWebAuthenticatorImpl.java
>>>>>
>>>>> and search for
>>>>>
>>>>> remember-my-login-name
>>>>>
>>>>> (also see rememberLoginNameCookie.setMaxAge(86400); // 1 day is 86400
>>>>> seconds)
>>>>>
>>>>> (also see src/webapp/xslt/login-screen.xsl)
>>>>>
>>>>> HTH
>>>>>
>>>>> Michael
>>>>>
>>>>>
>>>>>> I just want to see how it is done.
>>>>>>
>>>>>> Cheers
>>>>>> Balz
>>>>>>
>>>>>
>>>>>   --
>>>>> Yanel-development mailing list Yanel-development at wyona.com
>>>>> http://lists.wyona.org/cgi-bin/mailman/listinfo/yanel-development
>>>>>
>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>>
>>
>>
>>
>>
>
>
>
>
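The remember-me design sketched across this thread (a cookie carrying USERID and TOKEN, a token-keyed index so the lookup does not scan user profiles, userid match, expiry check, renewal after use, and revocation on logout) as an added Python example; this is not Yanel code, and the in-memory index, the 30-day lifetime, the cookie layout and the function names are assumptions.

```python
import hashlib
import hmac
import secrets
import time
# Constructed stand-in for the token-keyed index the thread proposes
# (data/autologin/<tokenid>.xml): keyed by token id, so a lookup is O(1)
# instead of a scan over 10'000 user profiles.
TOKEN_INDEX = {}
TOKEN_TTL = 30 * 86400  # assumption: a token expires after 30 days


def _digest(secret):
    return hashlib.sha256(secret.encode()).hexdigest()


def issue_autologin_cookie(user_id, now=None):
    """After a successful form login: create a fresh TOKEN, record it for the
    user and return the cookie value USERID:TOKENID:SECRET. Only a hash of the
    secret is stored, so a leaked index yields no usable cookies."""
    now = time.time() if now is None else now
    token_id = secrets.token_urlsafe(12)  # looked up by
    secret = secrets.token_urlsafe(32)    # proves possession
    TOKEN_INDEX[token_id] = {"user": user_id, "digest": _digest(secret),
                             "expires": now + TOKEN_TTL}
    return "%s:%s:%s" % (user_id, token_id, secret)


def try_auto_login(cookie, now=None):
    """Return (user_id, new_cookie) if the cookie's USERID matches the stored
    one, the secret matches and the token is unexpired; otherwise None. The
    presented token is consumed either way (no replay) and renewed on success."""
    now = time.time() if now is None else now
    parts = cookie.split(":")  # assumption: user ids contain no ':'
    if len(parts) != 3:
        return None
    user_id, token_id, secret = parts
    entry = TOKEN_INDEX.pop(token_id, None)
    if entry is None or entry["expires"] < now or entry["user"] != user_id:
        return None
    if not hmac.compare_digest(entry["digest"], _digest(secret)):
        return None
    return user_id, issue_autologin_cookie(user_id, now)


def revoke_autologin_cookie(cookie):
    """Logout hook: drop the server-side record, so a stale browser cookie
    (the logout problem mentioned in the thread) can no longer log in."""
    parts = cookie.split(":")
    if len(parts) == 3:
        TOKEN_INDEX.pop(parts[1], None)
```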