[Yanel-dev] Auto Login

Michael Wechner michael.wechner at wyona.com
Mon May 16 22:48:07 CEST 2011


On 5/16/11 5:15 PM, basZero wrote:
> Hi Michael,
>
> another requirement that must be considered is this here:
> - most web applications perform some business logic at the Login 
> Process. That business logic must also be performed when somebody gets 
> logged in automatically.

you can do this already within the realm.xml file, e.g.

<web-authenticator class="com.zwischengas.yanel.servlet.security.impl.ZGWebAuthenticatorImpl">
  <zg:foo xmlns:zg="http://www.zwischengas.com/eld/wyona/1.0">bar</zg:foo>
</web-authenticator>

whereas your custom authenticator should implement

org.wyona.yanel.core.api.security.WebAuthenticator

HTH

Michael
>
> So I think we need an API extension in Yanel which provides the 
> following mechanism:
> - Per realm you can register (configure) your own class which gets 
> called by the YanelServlet (that class would implement a new 
> interface). Methods of that new interface would be:
> a) doLoginLogic()
> b) ... ?
>
> If the YanelServlet recognizes the cookie and successfully 
> authenticated the user (logged in), the doLoginLogic() method gets called.
> Otherwise, if no cookie is available, the request goes through as today.
>
> What do you think?
>
> Cheers
> Balz
>
> On Mon, May 16, 2011 at 5:06 PM, basZero <baszero at gmail.com 
> <mailto:baszero at gmail.com>> wrote:
>
>     Hi Michael,
>
>     as just discussed, what I meant by "auto-login" is not just
>     pre-filling the username field in the login form.
>     By "auto-login", I mean the following:
>
>     - the user accesses ANY page within my realm
>     - at every request it is verified whether the user is logged in
>     (means: getIdentity() != null ?)
>     - if there is no identity available, the request is checked for
>     the autologin cookie
>     - if there is no autologin cookie, proceed as usual (= user
>     remains anonymous)
>     - if there IS an autologin cookie, the user gets authenticated
>     automatically (without seeing any form or the need of pressing a
>     submit button) and the user is logged in.
>
>     *Implementation:*
>     The standard way of how this usually gets implemented is as follows:
>     - The cookie contains USERID, TOKEN
>     - After every successful authentication, a new TOKEN gets created
>     and stored in the COOKIE (for the next time). The realm also
>     stores the new token for this user (so that it can be verified the
>     next time).
>     - How to do the authentication: the token from the cookie must
>     match the last stored token for this user. if it matches, the user
>     gets logged in without the need of the password.
>
>     A normal side effect of this implementation is:
>     - if the user uses a web browser and for instance an iPad, every
>     time he switches the device, the token obviously does not match
>     anymore and he has to login by the usual login form where he
>     enters username and password (and where he can checkbox the
>     autologin feature again).
>
>     *Next steps for Yanel:*
>     It would be great if this functionality could be plugged into the
>     request pipeline of Yanel.
>     An alternative is to write a Request Pipeline Filter for TOMCAT so
>     that the request goes through that servlet each time.
>
>     What do you propose?
>
>     Cheers
>     Balz
>
>
>     On Mon, May 16, 2011 at 4:48 PM, Michael Wechner
>     <michael.wechner at wyona.com <mailto:michael.wechner at wyona.com>> wrote:
>
>         Hi Balz
>
>
>         On 5/16/11 4:09 PM, basZero wrote:
>
>             Hi Michael,
>
>             you once mentioned that Yanel comes out of the box with an
>             auto login feature?
>             Can you point me to the source code? I didn't find it.
>
>
>         Have a look at
>
>         src/webapp/src/java/org/wyona/yanel/servlet/security/impl/DefaultWebAuthenticatorImpl.java
>
>         and search for
>
>         remember-my-login-name
>
>         (also see rememberLoginNameCookie.setMaxAge(86400); // 1 day
>         is 86400 seconds)
>
>         (also see src/webapp/xslt/login-screen.xsl)
>
>         HTH
>
>         Michael
>
>
>             I just want to see how it is done.
>
>             Cheers
>             Balz
>
>
>         -- 
>         Yanel-development mailing list Yanel-development at wyona.com
>         <mailto:Yanel-development at wyona.com>
>         http://lists.wyona.org/cgi-bin/mailman/listinfo/yanel-development
>
>
>
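The USERID/TOKEN scheme Balz sketches above (server keeps the last token per user, cookie must match it, a fresh token is issued on every successful auto-login) is shown below as an added, self-contained example. It is not Yanel code and not the authenticator from the thread; in Yanel the equivalent logic would sit inside a class implementing org.wyona.yanel.core.api.security.WebAuthenticator. The cookie name, the "USERID:TOKEN" cookie layout, the use of a SHA-256 digest for the stored copy, the 86400-second lifetime and the user id "balz" are all assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets
import time

COOKIE_NAME = "autologin"   # hypothetical cookie name, not Yanel's
TOKEN_MAX_AGE = 86400       # seconds; same one-day lifetime as the thread's setMaxAge(86400)


class AutoLoginTokens:
    """Server-side record of the last auto-login token issued per user.

    The cookie value is 'USERID:TOKEN'. Only a SHA-256 digest of TOKEN is
    stored, so a copy of this store cannot be replayed as cookies. Each
    successful use rotates the token, which is what makes a cookie from
    another device (the iPad case in the thread) stop matching.
    """

    def __init__(self, clock=time.time):
        self._clock = clock      # injectable for deterministic tests
        self._tokens = {}        # userid -> (sha256(token) hex, expires_at)

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def issue(self, userid):
        """Create and remember a fresh token for userid; return the cookie value to set."""
        token = secrets.token_urlsafe(32)          # 256 bits from the OS CSPRNG
        self._tokens[userid] = (self._digest(token), self._clock() + TOKEN_MAX_AGE)
        return f"{userid}:{token}"

    def authenticate(self, cookie_value):
        """Check an incoming cookie.

        Returns (userid, new_cookie_value) when the token matches the stored
        one, otherwise None so the caller falls back to the normal login form.
        """
        if cookie_value is None or ":" not in cookie_value:
            return None
        userid, token = cookie_value.split(":", 1)
        entry = self._tokens.get(userid)
        if entry is None:
            return None
        stored_digest, expires_at = entry
        if self._clock() > expires_at:
            self._tokens.pop(userid, None)      # expired: forget it, require a real login
            return None
        # constant-time comparison so timing does not leak how many bytes matched
        if not hmac.compare_digest(stored_digest, self._digest(token)):
            return None
        # match: rotate immediately so the presented cookie is single-use
        return userid, self.issue(userid)

    def forget(self, userid):
        """Explicit logout: drop the stored token so no cookie for userid works."""
        self._tokens.pop(userid, None)


def two_device_walkthrough():
    """Replay the device-switch side effect described in the thread.

    Returns (desktop_ok, desktop_replay_ok, ipad_ok) as booleans.
    """
    store = AutoLoginTokens()
    desktop_cookie = store.issue("balz")                   # set after a form login on the desktop
    first = store.authenticate(desktop_cookie)             # next desktop request: succeeds, rotates
    replay = store.authenticate(desktop_cookie)            # same old cookie again: no longer matches
    ipad_cookie = store.issue("balz")                      # form login on the iPad issues a new token
    ipad = store.authenticate(ipad_cookie)                 # iPad succeeds; desktop's token is now stale
    return first is not None, replay is not None, ipad is not None


if __name__ == "__main__":
    print(two_device_walkthrough())   # (True, False, True)
```

Rotating on every use means only one device at a time holds a valid cookie, exactly the side effect Balz describes; supporting several devices would need one stored token per device rather than per user.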
