[Yanel-dev] Auto Login

basZero baszero at gmail.com
Mon May 16 22:49:37 CEST 2011


And what do foo and bar stand for? Parameters for the authenticator?

Looks promising!

On Mon, May 16, 2011 at 10:48 PM, Michael Wechner <michael.wechner at wyona.com> wrote:

>  On 5/16/11 5:15 PM, basZero wrote:
>
> Hi Michael,
>
>  another requirement that must be considered is this here:
> - most web applications perform some business logic at the Login Process.
> That business logic must also be performed when somebody gets logged in
> automatically.
>
>
> you can do this already within the realm.xml file, e.g.
>
> <web-authenticator class="com.zwischengas.yanel.servlet.security.impl.ZGWebAuthenticatorImpl">
>         <zg:foo xmlns:zg="http://www.zwischengas.com/eld/wyona/1.0">bar</zg:foo>
> </web-authenticator>
>
> whereas your custom authenticator should implement
>
> org.wyona.yanel.core.api.security.WebAuthenticator
>
> HTH
>
> Michael
>
>
>  So I think we need an API extension in Yanel which provides the following
> mechanism:
> - Per realm you can register (configure) your own class which gets called
> by the YanelServlet (that class would implement a new interface). Methods of
> that new interface would be:
> a) doLoginLogic()
> b) ... ?
>
>  If the YanelServlet recognizes the cookie and successfully authenticated
> the user (logged in), the doLoginLogic() method gets called.
> Otherwise, if no cookie is available, the request goes through as today.
>
>  What do you think?
>
> Cheers
> Balz
>
> On Mon, May 16, 2011 at 5:06 PM, basZero <baszero at gmail.com> wrote:
>
>> Hi Michael,
>>
>>  as just discussed, what I meant by "auto-login" is not just pre-filling
>> the username field in the login form.
>> By "auto-login", I mean the following:
>>
>>  - the user accesses ANY page within my realm
>> - at every request it is verified whether the user is logged in (means:
>> getIdentity() != null ?)
>> - if there is no identity available, the request is checked for the
>> autologin cookie
>> - if there is no autologin cookie, proceed as usual (= user remains
>> anonymous)
>> - if there IS an autologin cookie, the user gets authenticated
>> automatically (without seeing any form or the need of pressing a submit
>> button) and the user is logged in.
>>
>>  *Implementation:*
>> The standard way of how this usually gets implemented is as follows:
>> - The cookie contains USERID, TOKEN
>> - After every successful authentication, a new TOKEN gets created and
>> stored in the COOKIE (for the next time). The realm also stores the new
>> token for this user (so that it can be verified the next time).
>> - How to do the authentication: the token from the cookie must match the
>> last stored token for this user. If it matches, the user gets logged in
>> without the need of the password.
>>
>>  A normal side effect of this implementation is:
>> - if the user uses a web browser and for instance an iPad, every time he
>> switches the device, the token obviously does not match anymore and he has
>> to log in via the usual login form where he enters username and password (and
>> where he can checkbox the autologin feature again).
>>
>>  *Next steps for Yanel:*
>> It would be great if this functionality could be plugged into the request
>> pipeline of Yanel.
>> An alternative is to write a Request Pipeline Filter for TOMCAT so that
>> the request goes through that servlet each time.
>>
>>  What do you propose?
>>
>>  Cheers
>> Balz
>>
>>
>> On Mon, May 16, 2011 at 4:48 PM, Michael Wechner <
>> michael.wechner at wyona.com> wrote:
>>
>>> Hi Balz
>>>
>>>
>>> On 5/16/11 4:09 PM, basZero wrote:
>>>
>>>> Hi Michael,
>>>>
>>>> you once mentioned that Yanel comes out of the box with an auto login
>>>> feature?
>>>> Can you point me to the source code? I didn't find it.
>>>>
>>>
>>>  Have a look at
>>>
>>>
>>> src/webapp/src/java/org/wyona/yanel/servlet/security/impl/DefaultWebAuthenticatorImpl.java
>>>
>>> and search for
>>>
>>> remember-my-login-name
>>>
>>> (also see rememberLoginNameCookie.setMaxAge(86400); // 1 day is 86400
>>> seconds)
>>>
>>> (also see src/webapp/xslt/login-screen.xsl)
>>>
>>> HTH
>>>
>>> Michael
>>>
>>>
>>>> I just want to see how it is done.
>>>>
>>>> Cheers
>>>> Balz
>>>>
>>>
>>>   --
>>> Yanel-development mailing list Yanel-development at wyona.com
>>> http://lists.wyona.org/cgi-bin/mailman/listinfo/yanel-development
>>>
>>
>>
>
>
>