[Yanel-dev] Auto Login
Michael Wechner
michael.wechner at wyona.com
Wed Jul 6 23:48:26 CEST 2011
Hi Balz
Thanks for your notes/comments.
I will continue to clean it up shortly and will also add a global config
property in
order to disable/enable auto login (similar to the property of the mobile
device detection).
But I think the highest priority is to figure out why the cookies do not
get deleted properly.
(maybe debugging the response with ngrep might help)
Thanks
Michael
On 06.07.11 14:03, basZero wrote:
> Hi Michael,
>
> thanks for optimizing and submitting my patch.
> Just a few comments, minor comments...:
> *Autologin:*
>
> - I would replace log.warn by log.debug, if you really log debug
> stuff. (e.g. line 53)
>
> - tryAutoLogin(): a little debate on programming style :-) now it is
> more difficult to quickly see, under which cases the method returns
> true. In my version, the default return value is false. On one single
> line you see, that it is set to true, and you quickly see in which
> case. But I know, the usage of the so called "early returns" as you
> seem to like, is a question of style. Performance-wise it is no
> difference anymore since JDK1.5 and for me personally, one single
> return at the end of the method just "reads" better.
>
> *YanelServlet:*
>
> - Also here, many log.warn() are in again which should be log.debug()
> (e.g. line 241)
>
> Cheers
> Balz
>
> On Wed, Jul 6, 2011 at 12:10 PM, Michael Wechner
> <michael.wechner at wyona.com> wrote:
>
> Hi Balz
>
> Thanks again for your patch. I have slightly refactored it (in
> particular the naming of methods and also logging of the various
> errors):
>
> Sending
> src/webapp/src/java/org/wyona/yanel/servlet/YanelServlet.java
> Sending
> src/webapp/src/java/org/wyona/yanel/servlet/security/impl/AutoLogin.java
> Sending
> src/webapp/src/java/org/wyona/yanel/servlet/security/impl/DefaultWebAuthenticatorImpl.java
> Transmitting file data ...
> Committed revision 59197.
>
> I have noticed a couple of issues (like for example that during
> logout the cookie is not deleted properly), which
> I will try to improve shortly.
>
> Thanks
>
> Michael
>
>
> On 05.07.11 16:21, basZero wrote:
>> I think you did not apply the latest patch? on line 130 there
>> can't be a NullPointer...
>> Here it is a fresh one.
>>
>> Let me know whether it works.
>> Cheers
>> Balz
>>
>> On Tue, Jul 5, 2011 at 4:14 PM, Michael Wechner
>> <michael.wechner at wyona.com> wrote:
>>
>> Hi Balz
>>
>> I have applied your latest patch re auto login (which you have
>> sent to me offlist), but receive the following error:
>>
>> 71951 2011-07-05 16:11:53,785 +0200 [http-8080-Processor22]
>> WARN
>> org.wyona.yanel.servlet.YanelServlet.doAccessControl():1122
>> - Access denied:
>> http://127.0.0.1:8080/yanel/from-scratch-realm/en/index.html?yanel.toolbar=on
>> (Path of request: /en/index.html; Identity: User ID: WORLD -
>> Groups: ; Usecase: toolbar)
>> 71951 2011-07-05 16:11:53,785 +0200 [http-8080-Processor22]
>> WARN
>> org.wyona.yanel.servlet.YanelServlet.doAccessControl():1152
>> - SSL does not seem to be configured!
>> 71981 2011-07-05 16:11:53,815 +0200 [http-8080-Processor22]
>> WARN
>> org.wyona.security.impl.yarep.YarepUserManager.getTrueId():503
>> - No alias found for id 'lenya', hence return id as true ID
>> 72028 2011-07-05 16:11:53,862 +0200 [http-8080-Processor22]
>> WARN
>> org.wyona.yanel.servlet.security.impl.DefaultWebAuthenticatorImpl.authenticate():680
>> - Authentication was successful for user: lenya
>> 72030 2011-07-05 16:11:53,864 +0200 [http-8080-Processor22]
>> WARN
>> org.wyona.yanel.servlet.security.impl.DefaultWebAuthenticatorImpl.authenticate():681
>> - TODO: Add user to session listener!
>> 72030 2011-07-05 16:11:53,864 +0200 [http-8080-Processor22]
>> WARN
>> org.wyona.yanel.servlet.security.impl.DefaultWebAuthenticatorImpl.doAutoLogin():610
>> - TODO: Implement auto-login
>> 72031 2011-07-05 16:11:53,865 +0200 [http-8080-Processor22]
>> FATAL
>> org.wyona.yanel.servlet.security.impl.AutoLogin.enableAutoLogin():66
>> - Could not enable Auto Login feature! Exception:
>> java.lang.NullPointerException
>> java.lang.NullPointerException
>> at
>> org.wyona.yanel.servlet.security.impl.AutoLogin.setNewCookie(AutoLogin.java:130)
>> at
>> org.wyona.yanel.servlet.security.impl.AutoLogin.enableAutoLogin(AutoLogin.java:62)
>> at
>> org.wyona.yanel.servlet.security.impl.DefaultWebAuthenticatorImpl.doAutoLogin(DefaultWebAuthenticatorImpl.java:613)
>> at
>> org.wyona.yanel.servlet.security.impl.DefaultWebAuthenticatorImpl.doAuthenticate(DefaultWebAuthenticatorImpl.java:106)
>> at
>> org.wyona.yanel.servlet.YanelServlet.doAuthenticate(YanelServlet.java:1393)
>> at
>> org.wyona.yanel.servlet.YanelServlet.doAccessControl(YanelServlet.java:1158)
>> at
>> org.wyona.yanel.servlet.YanelServlet.service(YanelServlet.java:253)
>> at
>> javax.servlet.http.HttpServlet.service(HttpServlet.java:802)
>> at
>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:252)
>> at
>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
>> at
>> org.wyona.yanel.servlet.communication.YanelFilter.doFilter(YanelFilter.java:37)
>> at
>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
>> at
>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
>> at
>> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
>> at
>> org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
>> at
>> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
>> at
>> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
>> at
>> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
>> at
>> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
>> at
>> org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:869)
>> at
>> org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:664)
>> at
>> org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
>> at
>> org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:80)
>> at
>> org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684)
>> at java.lang.Thread.run(Thread.java:680)
>> 72032 2011-07-05 16:11:53,866 +0200 [http-8080-Processor22]
>> WARN
>> org.wyona.yanel.servlet.YanelServlet.doAccessControl():1178
>> - Authentication was successful for user: lenya
>> 72032 2011-07-05 16:11:53,866 +0200 [http-8080-Processor22]
>> WARN
>> org.wyona.yanel.servlet.YanelServlet.doAccessControl():1187
>> - Redirect to original request:
>> http://127.0.0.1:8080/yanel/from-scratch-realm/en/index.html?yanel.toolbar=on
>>
>> Can you send me another version or maybe we can have a look
>> at it together tomorrow morning?
>>
>> WDYT?
>>
>> Thanks
>>
>> Michael
>>
>> On 17.05.11 16:15, basZero wrote:
>>> Hi Michael,
>>>
>>> can you verify this patch for the AutoLogin class?
>>> If it is ok, you can submit it.
>>> How do we proceed?
>>>
>>> I have implemented the AutoLogin call after successful
>>> login, so the rest must be done in the YanelServlet and the
>>> Authenticator.
>>>
>>> Cheers
>>> Balz
>>>
>>> On Tue, May 17, 2011 at 11:34 AM, Michael Wechner
>>> <michael.wechner at wyona.com> wrote:
>>>
>>> Hi Balz
>>>
>>> As we have discussed offline I have now added the
>>> relevant calls and utility class:
>>>
>>> src/webapp/src/java/org/wyona/yanel/servlet/security/impl/AutoLogin.java
>>>
>>>
>>> src/webapp/src/java/org/wyona/yanel/servlet/security/impl/DefaultWebAuthenticatorImpl.java
>>> src/webapp/src/java/org/wyona/yanel/servlet/YanelServlet.java
>>>
>>> whereas just as the class DefaultWebAuthenticatorImpl is
>>> using the utility class AutoLogin,
>>> you can use this utility class within your custom code
>>> and as long as you don't pass the form parameter
>>> "auto-login" (e.g. used by
>>> src/webapp/xslt/login-screen.xsl) the
>>> DefaultWebAuthenticatorImpl will ignore it.
>>>
>>> The code does not do much yet and the AutoLogin class
>>> methods need to be refined (in particular the
>>> setCookie(...) method), but maybe you can test if this
>>> integrates well with your custom code and if so,
>>> then I think it should be generic enough and easy
>>> to integrate.
>>>
>>> Let me know and then we can start the actual implementation.
>>>
>>> Thanks
>>>
>>> Michael
>>>
>>>
>>> On 5/17/11 8:15 AM, basZero wrote:
>>>> Hi Michael,
>>>> I think it is not a good idea to store the token in the
>>>> user profile. Read my consolidated thoughts about the
>>>> auto-login:
>>>>
>>>> - In order to give a realm flexibility on HOW the autologin gets implemented, I would suggest that you can configure (per realm) an AutoLoginService (e.g. in the realms.xml) which gets called by the YanelServlet. This way you don't have to worry about all the details now (what to store where and how, etc.) because these are then up to the realm's implementation (if it wants to use Auto-Login).
>>>> - Given this design you can later introduce a DefaultAutoLoginServiceImpl class which a realm can use if they are happy with how that implementation does handle the autologin.
>>>> - The AutoLoginService gets called by the YanelServlet for EACH request that is NOT BOUND to any session yet (so that equals to the first request per session).
>>>> - So the AutoLoginService would get the Yanel Environment object (via that it has access to request, response, session, etc., --> the session must be created before the AutoLoginService gets called, it might want to store values in it).
>>>> - In general I think we need to extend the DefaultAuthenticatorImpl in Yanel so that you can "login" the user by just providing the username.
>>>> My points regarding the AutoLoginService:
>>>> - Define NEW COOKIE (e.g. YANEL_AUTOLOGIN, it contains userID and a TOKEN)
>>>> - Verify that the user is really not logged in yet. If logged in --> return.
>>>> - The TOKEN must be found VERY QUICKLY, we can not go through 10'000 user profiles and look for the token --> Either store it as a separate XML (data/autologin/<tokenid>.xml), or we save it in a separate index (at Zwischengas we use an internal index for that already, separated from the actual content data)
>>>> - In the TOKEN DATA file (retrieved from token XML or Index), we get the userid for this token. It must match the userid provided from the COOKIE.
>>>> - If it matches and the token has not yet expired, we do the login for this user WITHOUT password.
>>>> I currently wonder whether we really have to renew the TOKEN in the Autologin-Cookie, we could also keep it (like the Yanel-Cookie). What do you think?
>>>> Cheers
>>>> Balz
>>>>
>>>> On Tue, May 17, 2011 at 7:31 AM, <baszero at gmail.com> wrote:
>>>>
>>>> hi michael
>>>>
>>>> i would rather store it in the user profile xml and
>>>> not in the meta property.
>>>>
>>>> cheers
>>>>
>>>>
>>>> _____________________
>>>> CTO / Zwischengas AG
>>>> www.zwischengas.com
>>>>
>>>> Sent via iPhone
>>>>
>>>> On 16.05.2011, at 23:04, Michael Wechner
>>>> <michael.wechner at wyona.com> wrote:
>>>>
>>>>> Hi Balz
>>>>>
>>>>> On 5/16/11 5:06 PM, basZero wrote:
>>>>>> Hi Michael,
>>>>>>
>>>>>> as just discussed, what I meant by "auto-login"
>>>>>> is not just pre-filling the username field in the
>>>>>> login form.
>>>>>
>>>>> sorry, right, I misunderstood
>>>>>> By "auto-login", I mean the following:
>>>>>>
>>>>>> - the user accesses ANY page within my realm
>>>>>> - at every request it is verified whether the
>>>>>> user is logged in (means: getIdentity() != null ?)
>>>>>> - if there is no identity available, the request
>>>>>> is checked for the autologin cookie
>>>>>> - if there is no autologin cookie, proceed as
>>>>>> usual (= user remains anonymous)
>>>>>> - if there IS an autologin cookie, the user gets
>>>>>> authenticated automatically (without seeing any
>>>>>> form or the need of pressing a submit button) and
>>>>>> the user is logged in.
>>>>>
>>>>> sounds good also from a performance/scalability
>>>>> point of view, except it's unclear to me where
>>>>> we should save the tokens persistently and how to
>>>>> clean them if they have expired.
>>>>>
>>>>> I guess we could save them together with the user
>>>>> profile, e.g.
>>>>>
>>>>> getRealm().getIdentityManager().getUserManager().getUser("baszero").setProperty("autologin-token", TOKEN-ID);
>>>>>
>>>>> WDYT?
>>>>>
>>>>> Thanks
>>>>>
>>>>> Michael
>>>>>
>>>>>>
>>>>>> *Implementation:*
>>>>>> The standard way of how this usually gets
>>>>>> implemented is as follows:
>>>>>> - The cookie contains USERID, TOKEN
>>>>>> - After every successful authentication, a new
>>>>>> TOKEN gets created and stored in the COOKIE (for
>>>>>> the next time). The realm also stores the new
>>>>>> token for this user (so that it can be verified
>>>>>> the next time).
>>>>>> - How to do the authentication: the token from
>>>>>> the cookie must match the last stored token for
>>>>>> this user. if it matches, the user gets logged in
>>>>>> without the need of the password.
>>>>>>
>>>>>> A normal side effect of this implementation is:
>>>>>> - if the user uses a web browser and for instance
>>>>>> an iPad, every time he switches the device, the
>>>>>> token obviously does not match anymore and he has
>>>>>> to login by the usual login form where he enters
>>>>>> username and password (and where he can checkbox
>>>>>> the autologin feature again).
>>>>>>
>>>>>> *Next steps for Yanel:*
>>>>>> It would be great if this functionality could be
>>>>>> plugged into the request pipeline of Yanel.
>>>>>> An alternative is to write a Request Pipeline
>>>>>> Filter for TOMCAT so that the request goes
>>>>>> through that servlet each time.
>>>>>>
>>>>>> What do you propose?
>>>>>>
>>>>>> Cheers
>>>>>> Balz
>>>>>>
>>>>>>
>>>>>> On Mon, May 16, 2011 at 4:48 PM, Michael Wechner
>>>>>> <michael.wechner at wyona.com> wrote:
>>>>>>
>>>>>> Hi Balz
>>>>>>
>>>>>>
>>>>>> On 5/16/11 4:09 PM, basZero wrote:
>>>>>>
>>>>>> Hi Michael,
>>>>>>
>>>>>> you once mentioned that Yanel comes out
>>>>>> of the box with an auto login feature?
>>>>>> Can you point me to the source code? I
>>>>>> didn't find it.
>>>>>>
>>>>>>
>>>>>> Have a look at
>>>>>>
>>>>>> src/webapp/src/java/org/wyona/yanel/servlet/security/impl/DefaultWebAuthenticatorImpl.java
>>>>>>
>>>>>> and search for
>>>>>>
>>>>>> remember-my-login-name
>>>>>>
>>>>>> (also see
>>>>>> rememberLoginNameCookie.setMaxAge(86400); //
>>>>>> 1 day is 86400 seconds)
>>>>>>
>>>>>> (also see src/webapp/xslt/login-screen.xsl)
>>>>>>
>>>>>> HTH
>>>>>>
>>>>>> Michael
>>>>>>
>>>>>>
>>>>>> I just want to see how it is done.
>>>>>>
>>>>>> Cheers
>>>>>> Balz
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Yanel-development mailing list
>>>>>> Yanel-development at wyona.com
>>>>>> http://lists.wyona.org/cgi-bin/mailman/listinfo/yanel-development
>>>>>>
>>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>>
>>>
>>
>>
>>
>>
>
>
>
>
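The token-based auto-login sketched in the thread (a cookie carrying user id plus token, the token looked up in a separate index instead of scanning user profiles, user id match, expiry check, login without password, and forgetting the token at logout) as an added Java example; this is not Yanel's code nor the patch discussed above, and the class and method names, the cookie layout "userId:tokenId:secret" and the in-memory index are assumptions. It goes slightly beyond the thread by storing only a hash of the secret and comparing it in constant time.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/** Illustrative auto-login token service (assumed design, not Yanel's own code). Needs Java 16+ for records. */
public class AutoLoginTokenService {
    /** Constructed index entry: only a hash of the secret is stored, so a leaked index cannot be replayed as cookies. */
    record TokenRecord(String userId, byte[] secretHash, Instant expires) {}
    private final Map<String, TokenRecord> index = new ConcurrentHashMap<>(); // keyed by token id
    private final SecureRandom rng = new SecureRandom();
    private final Duration lifetime;
    AutoLoginTokenService(Duration lifetime) { this.lifetime = lifetime; }

    /** Called after a successful password login; returns the cookie value "userId:tokenId:secret". */
    String issue(String userId) {
        String tokenId = random(9), secret = random(24);
        index.put(tokenId, new TokenRecord(userId, sha256(secret), Instant.now().plus(lifetime)));
        return userId + ":" + tokenId + ":" + secret;
    }

    /** Returns the user id to log in, or null if the cookie is missing, malformed, unknown, mismatched or expired. */
    String verify(String cookieValue) {
        if (cookieValue == null) return null;
        String[] p = cookieValue.split(":", -1);
        if (p.length != 3) return null;
        TokenRecord rec = index.get(p[1]);           // O(1) lookup by token id, no scan of user profiles
        if (rec == null) return null;
        if (Instant.now().isAfter(rec.expires())) { index.remove(p[1]); return null; } // expired: forget it
        if (!rec.userId().equals(p[0])) return null; // user id in the cookie must match the stored one
        if (!MessageDigest.isEqual(rec.secretHash(), sha256(p[2]))) return null; // constant-time compare
        return rec.userId();
    }

    /** Logout: drop the record; the browser cookie must also be expired (same name and path, max-age 0). */
    void revoke(String cookieValue) {
        String[] p = cookieValue == null ? new String[0] : cookieValue.split(":", -1);
        if (p.length == 3) index.remove(p[1]);
    }
    private String random(int n) { byte[] b = new byte[n]; rng.nextBytes(b); return Base64.getUrlEncoder().withoutPadding().encodeToString(b); }
    private static byte[] sha256(String s) {
        try { return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8)); }
        catch (NoSuchAlgorithmException e) { throw new IllegalStateException(e); }
    }
}
```

Wire issue() into the login handler when the auto-login checkbox is set, verify() into the first request of a session, and revoke() into logout alongside expiring the cookie in the response.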