[Yanel-dev] Auto Login

Michael Wechner michael.wechner at wyona.com
Mon May 16 23:04:04 CEST 2011


Hi Balz

On 5/16/11 5:06 PM, basZero wrote:
> Hi Michael,
>
> as just discussed, what I meant by "auto-login" is not just 
> pre-filling the username field in the login form.

sorry, right, I misunderstood
> By "auto-login", I mean the following:
>
> - the user accesses ANY page within my realm
> - at every request it is verified whether the user is logged in 
> (means: getIdentity() != null ?)
> - if there is no identity available, the request is checked for the 
> autologin cookie
> - if there is no autologin cookie, proceed as usual (= user remains 
> anonymous)
> - if there IS an autologin cookie, the user gets authenticated 
> automatically (without seeing any form or the need of pressing a 
> submit button) and the user is logged in.

sounds good also from a performance/scalability point of view, except 
it's unclear to me where we should save the tokens persistently and how 
to clean them if they have expired.

I guess we could save them together with the user profile, e.g.

getRealm().getIdentityManager().getUserManager().getUser("baszero").setProperty("autologin-token", 
TOKEN-ID);

WDYT?

Thanks

Michael

>
> *Implementation:*
> The standard way of how this usually gets implemented is as follows:
> - The cookie contains USERID, TOKEN
> - After every successful authentication, a new TOKEN gets created and 
> stored in the COOKIE (for the next time). The realm also stores the 
> new token for this user (so that it can be verified the next time).
> - How to do the authentication: the token from the cookie must match 
> the last stored token for this user. if it matches, the user gets 
> logged in without the need of the password.
>
> A normal side effect of this implementation is:
> - if the user uses a web browser and for instance an iPad, every time 
> he switches the device, the token obviously does not match anymore and 
> he has to login by the usual login form where he enters username and 
> password (and where he can checkbox the autologin feature again).
>
> *Next steps for Yanel:*
> It would be great if this functionality could be plugged into the 
> request pipeline of Yanel.
> An alternative is to write a Request Pipeline Filter for TOMCAT so 
> that the request goes through that servlet each time.
>
> What do you propose?
>
> Cheers
> Balz
>
>
> On Mon, May 16, 2011 at 4:48 PM, Michael Wechner 
> <michael.wechner at wyona.com <mailto:michael.wechner at wyona.com>> wrote:
>
>     Hi Balz
>
>
>     On 5/16/11 4:09 PM, basZero wrote:
>
>         Hi Michael,
>
>         you once mentioned that Yanel comes out of the box with an
>         auto login feature?
>         Can you point me to the source code? I didn't find it.
>
>
>     Have a look at
>
>     src/webapp/src/java/org/wyona/yanel/servlet/security/impl/DefaultWebAuthenticatorImpl.java
>
>     and search for
>
>     remember-my-login-name
>
>     (also see rememberLoginNameCookie.setMaxAge(86400); // 1 day is
>     86400 seconds)
>
>     (also see src/webapp/xslt/login-screen.xsl)
>
>     HTH
>
>     Michael
>
>
>         I just want to see how it is done.
>
>         Cheers
>         Balz
>
>
>     -- 
>     Yanel-development mailing list Yanel-development at wyona.com
>     <mailto:Yanel-development at wyona.com>
>     http://lists.wyona.org/cgi-bin/mailman/listinfo/yanel-development
>
>

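The token scheme Balz sketches above (cookie holds USERID plus TOKEN, a fresh TOKEN is issued after every successful authentication, and the cookie only authenticates if it matches the last token stored for that user), together with Michael's open question of where to keep the tokens and how to expire them, as an added example. This is not Yanel code and does not use Yanel's API: the user store is a plain dict standing in for the per-user profile that `setProperty("autologin-token", ...)` would write to, the `user_id:token` cookie layout and the property names `autologin-token` / `autologin-expires` are assumptions, and the store keeps only a SHA-256 digest of the token with an expiry timestamp so a leaked profile store does not hand out usable cookies. Expired entries are dropped both on use and by a sweep, and the 86400-second lifetime is the one the thread quotes for the existing remember-my-login-name cookie.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Constructed stand-in for per-user profile storage (assumption: in Yanel this
# would live on the user object via setProperty). Maps
#   user id -> {"autologin-token": sha256 hex of the token,
#               "autologin-expires": unix seconds after which it is void}
UserStore = Dict[str, Dict[str, object]]

TOKEN_BYTES = 32
DEFAULT_TTL = 86400  # one day, same as the remember-my-login-name cookie in the thread


def _digest(token: str) -> str:
    """Only the hash of the token is persisted, never the token itself."""
    return hashlib.sha256(token.encode("ascii")).hexdigest()


def _clear(profile: Dict[str, object]) -> None:
    profile.pop("autologin-token", None)
    profile.pop("autologin-expires", None)


def issue_token(store: UserStore, user_id: str, now: int, ttl: int = DEFAULT_TTL) -> str:
    """Create a fresh random token for user_id, record its hash + expiry in the
    profile store, and return the cookie value "USERID:TOKEN" to hand to the browser.
    Called after every successful login (form or cookie), so the previous token
    is overwritten and a cookie from another device stops matching."""
    token = secrets.token_urlsafe(TOKEN_BYTES)  # URL-safe base64, never contains ':'
    profile = store.setdefault(user_id, {})
    profile["autologin-token"] = _digest(token)
    profile["autologin-expires"] = now + ttl
    return f"{user_id}:{token}"


def authenticate_cookie(store: UserStore, cookie: Optional[str], now: int,
                        ttl: int = DEFAULT_TTL) -> Optional[Tuple[str, str]]:
    """Check an autologin cookie. Returns (user_id, new_cookie) on success, since
    a used token is rotated immediately; returns None for a missing, malformed,
    unknown, expired or mismatching cookie, in which case the caller proceeds
    with an anonymous request exactly as if no cookie were present."""
    if not cookie or ":" not in cookie:
        return None
    user_id, token = cookie.split(":", 1)  # user ids are assumed not to contain ':'
    profile = store.get(user_id)
    if profile is None:
        return None
    stored = profile.get("autologin-token")
    expires = profile.get("autologin-expires")
    if stored is None or expires is None:
        return None
    if now >= int(expires):
        _clear(profile)  # lazy cleanup: an expired token is removed when it is presented
        return None
    # Constant-time comparison of digests so a mismatch leaks no timing information.
    if not hmac.compare_digest(str(stored), _digest(token)):
        return None
    return user_id, issue_token(store, user_id, now, ttl)


def purge_expired(store: UserStore, now: int) -> int:
    """Housekeeping sweep over the whole store; returns the number of tokens removed.
    Complements the lazy cleanup for users who never come back."""
    removed = 0
    for profile in store.values():
        expires = profile.get("autologin-expires")
        if expires is not None and now >= int(expires):
            _clear(profile)
            removed += 1
    return removed


if __name__ == "__main__":
    store: UserStore = {}
    cookie = issue_token(store, "baszero", now=1000)          # after a form login
    print(authenticate_cookie(store, cookie, now=2000))       # ('baszero', 'baszero:<new token>')
    print(authenticate_cookie(store, cookie, now=3000))       # None: old token was rotated away
```

Rotating on every use is what produces the side effect Balz describes: the iPad and the desktop browser cannot both hold a valid cookie, because whichever logs in last overwrites the stored token. Verification and issuance both happen inside a single request, so the filter that plugs this into the request pipeline only needs to call `authenticate_cookie` when `getIdentity()` is null and, on success, set the identity and send the new cookie back.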