[Yanel-dev] Auto Login

Michael Wechner michael.wechner at wyona.com
Mon May 16 22:51:33 CEST 2011


On 5/16/11 10:49 PM, basZero wrote:
> and what do foo and bar stand for? parameters for the authenticator?

anything, just some custom parameters ;-)
>
> looks promising!

it's well tested for more than two years, but badly documented I admit. 
I will update

http://127.0.0.1:8080/yanel/yanel-website/en/documentation/realm/realm-configuration.html

accordingly.

Thanks

Michael
>
> On Mon, May 16, 2011 at 10:48 PM, Michael Wechner 
> <michael.wechner at wyona.com <mailto:michael.wechner at wyona.com>> wrote:
>
>     On 5/16/11 5:15 PM, basZero wrote:
>>     Hi Michael,
>>
>>     another requirement that must be considered is this here:
>>     - most web applications perform some business logic at the Login
>>     Process. That business logic must also be performed when somebody
>>     gets logged in automatically.
>
>     you can do this already within the realm.xml file, e.g.
>
>     <web-authenticator
>     class="com.zwischengas.yanel.servlet.security.impl.ZGWebAuthenticatorImpl">
>     <zg:foo xmlns:zg="http://www.zwischengas.com/eld/wyona/1.0">bar</zg:foo>
>     </web-authenticator>
>
>     whereas your custom authenticator should implement
>
>     org.wyona.yanel.core.api.security.WebAuthenticator
>
>     HTH
>
>     Michael
>
>>
>>     So I think we need an API extension in Yanel which provides the
>>     following mechanism:
>>     - Per realm you can register (configure) your own class which
>>     gets called by the YanelServlet (that class would implement a new
>>     interface). Methods of that new interface would be:
>>     a) doLoginLogic()
>>     b) ... ?
>>
>>     If the YanelServlet recognizes the cookie and successfully
>>     authenticated the user (logged in), the doLoginLogic() method
>>     gets called.
>>     Otherwise, if no cookie is available, the request goes through as
>>     today.
>>
>>     What do you think?
>>
>>     Cheers
>>     Balz
>>
>>     On Mon, May 16, 2011 at 5:06 PM, basZero <baszero at gmail.com
>>     <mailto:baszero at gmail.com>> wrote:
>>
>>         Hi Michael,
>>
>>         as just discussed, what I meant by "auto-login" is not just
>>         pre-filling the username field in the login form.
>>         By "auto-login", I mean the following:
>>
>>         - the user accesses ANY page within my realm
>>         - at every request it is verified whether the user is logged
>>         in (means: getIdentity() != null ?)
>>         - if there is no identity available, the request is checked
>>         for the autologin cookie
>>         - if there is no autologin cookie, proceed as usual (= user
>>         remains anonymous)
>>         - if there IS an autologin cookie, the user gets
>>         authenticated automatically (without seeing any form or the
>>         need of pressing a submit button) and the user is logged in.
>>
>>         *Implementation:*
>>         The standard way of how this usually gets implemented is as
>>         follows:
>>         - The cookie contains USERID, TOKEN
>>         - After every successful authentication, a new TOKEN gets
>>         created and stored in the COOKIE (for the next time). The
>>         realm also stores the new token for this user (so that it can
>>         be verified the next time).
>>         - How to do the authentication: the token from the cookie
>>         must match the last stored token for this user. if it
>>         matches, the user gets logged in without the need of the
>>         password.
>>
>>         A normal side effect of this implementation is:
>>         - if the user uses a web browser and for instance an iPad,
>>         every time he switches the device, the token obviously does
>>         not match anymore and he has to login by the usual login form
>>         where he enters username and password (and where he can
>>         checkbox the autologin feature again).
>>
>>         *Next steps for Yanel:*
>>         It would be great if this functionality could be plugged into
>>         the request pipeline of Yanel.
>>         An alternative is to write a Request Pipeline Filter for
>>         TOMCAT so that the request goes through that servlet each time.
>>
>>         What do you propose?
>>
>>         Cheers
>>         Balz
>>
>>
>>         On Mon, May 16, 2011 at 4:48 PM, Michael Wechner
>>         <michael.wechner at wyona.com
>>         <mailto:michael.wechner at wyona.com>> wrote:
>>
>>             Hi Balz
>>
>>
>>             On 5/16/11 4:09 PM, basZero wrote:
>>
>>                 Hi Michael,
>>
>>                 you once mentioned that Yanel comes out of the box
>>                 with an auto login feature?
>>                 Can you point me to the source code? I didn't find it.
>>
>>
>>             Have a look at
>>
>>             src/webapp/src/java/org/wyona/yanel/servlet/security/impl/DefaultWebAuthenticatorImpl.java
>>
>>             and search for
>>
>>             remember-my-login-name
>>
>>             (also see rememberLoginNameCookie.setMaxAge(86400); // 1
>>             day is 86400 seconds)
>>
>>             (also see src/webapp/xslt/login-screen.xsl)
>>
>>             HTH
>>
>>             Michael
>>
>>
>>                 I just want to see how it is done.
>>
>>                 Cheers
>>                 Balz
>>
>>
>>             -- 
>>             Yanel-development mailing list
>>             Yanel-development at wyona.com
>>             <mailto:Yanel-development at wyona.com>
>>             http://lists.wyona.org/cgi-bin/mailman/listinfo/yanel-development
>>
>>
>>
>
>
>
>
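As an added example (not code from Yanel or from anyone in this thread), the USERID/TOKEN cookie check Balz describes above, written as a plain servlet filter of the kind he mentions as the Tomcat alternative; the filter class, the cookie name, the "identity" session attribute and the in-memory token store are all assumptions made for the example:

```java
import java.io.IOException;
import java.security.*;
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.*;
import javax.servlet.http.*;

// Hypothetical servlet filter, not Yanel code: the USERID/TOKEN cookie scheme from the thread.
public class AutoLoginFilter implements Filter {
    static final String COOKIE_NAME = "autologin";
    // Constructed in-memory store of each user's last issued token; a realm would persist this.
    static final Map<String, String> tokenStore = new ConcurrentHashMap<>();
    static final SecureRandom rng = new SecureRandom();
    public void init(FilterConfig cfg) {} public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        HttpSession session = request.getSession();
        Cookie cookie = findCookie(request.getCookies());
        if (session.getAttribute("identity") == null && cookie != null) { // no identity, cookie present
            String[] parts = cookie.getValue().split(":", 2);               // "USERID:TOKEN"
            if (parts.length == 2 && tokenMatches(parts[0], parts[1])) {
                session.setAttribute("identity", parts[0]);  // logged in without a password
                response.addCookie(issueToken(parts[0]));    // rotate: fresh token for next time
                // custom login business logic (the proposed doLoginLogic()) would run here
            }
        }
        chain.doFilter(req, res);  // anonymous or logged in, the request proceeds as usual
    }
    // The presented token must equal the user's last stored token; compared in constant time.
    static boolean tokenMatches(String userId, String presented) {
        String stored = tokenStore.get(userId);
        return stored != null && MessageDigest.isEqual(stored.getBytes(), presented.getBytes());
    }
    // 256-bit random token, remembered server side and sent back in an HttpOnly, Secure cookie.
    static Cookie issueToken(String userId) {
        byte[] raw = new byte[32]; rng.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        tokenStore.put(userId, token);
        Cookie c = new Cookie(COOKIE_NAME, userId + ":" + token);
        c.setMaxAge(86400);  // one day, matching the value quoted in the thread
        c.setHttpOnly(true); c.setSecure(true); c.setPath("/");
        return c;
    }
    static Cookie findCookie(Cookie[] cookies) {
        if (cookies != null) for (Cookie c : cookies) if (COOKIE_NAME.equals(c.getName())) return c;
        return null;
    }
}
```

Storing only a hash of the token server side would keep a leaked token store from being replayable as cookies; a user id that can itself contain ":" must be encoded before it goes into the cookie value.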
