[Yanel-dev] Auto Login
Michael Wechner
michael.wechner at wyona.com
Tue May 17 09:38:05 CEST 2011
Hi Balz
On 5/17/11 7:31 AM, baszero at gmail.com wrote:
> hi michael
>
> i would rather store it in the user profile xml and not in the meta
> property.
that depends on the implementation. The below is just the API how it
would be called within the authenticator.
Cheers
Michael
>
> cheers
>
>
> _____________________
> CTO / Zwischengas AG
> www.zwischengas.com <http://www.zwischengas.com>
>
> Sent via iPhone
>
> On 16.05.2011, at 23:04, Michael Wechner <michael.wechner at wyona.com
> <mailto:michael.wechner at wyona.com>> wrote:
>
>> Hi Balz
>>
>> On 5/16/11 5:06 PM, basZero wrote:
>>> Hi Michael,
>>>
>>> as just discussed, what I meant by "auto-login" is not just
>>> pre-filling the username field in the login form.
>>
>> sorry, right, I misunderstood
>>> By "auto-login", I mean the following:
>>>
>>> - the user accesses ANY page within my realm
>>> - at every request it is verified whether the user is logged in
>>> (means: getIdentity() != null ?)
>>> - if there is no identity available, the request is checked for the
>>> autologin cookie
>>> - if there is no autologin cookie, proceed as usual (= user remains
>>> anonymous)
>>> - if there IS an autologin cookie, the user gets authenticated
>>> automatically (without seeing any form or the need of pressing a
>>> submit button) and the user is logged in.
>>
>> sounds good also from a performance/scalability point of view, except
>> it's unclear to me where
>> we should save the tokens persistently and how to clean them if they
>> have expired.
>>
>> I guess we could save them together with the user profile, e.g.
>>
>> getRealm().getIdentityManager().getUserManager().getUser("baszero").setProperty("autologin-token",
>> TOKEN-ID);
>>
>> WDYT?
>>
>> Thanks
>>
>> Michael
>>
>>>
>>> *Implementation:*
>>> The standard way of how this usually gets implemented is as follows:
>>> - The cookie contains USERID, TOKEN
>>> - After every successful authentication, a new TOKEN gets created
>>> and stored in the COOKIE (for the next time). The realm also stores
>>> the new token for this user (so that it can be verified the next time).
>>> - How to do the authentication: the token from the cookie must match
>>> the last stored token for this user. if it matches, the user gets
>>> logged in without the need of the password.
>>>
>>> A normal side effect of this implementation is:
>>> - if the user uses a web browser and for instance an iPad, every
>>> time he switches the device, the token obviously does not match
>>> anymore and he has to login by the usual login form where he enters
>>> username and password (and where he can checkbox the autologin
>>> feature again).
>>>
>>> *Next steps for Yanel:*
>>> It would be great if this functionality could be plugged into the
>>> request pipeline of Yanel.
>>> An alternative is to write a Request Pipeline Filter for TOMCAT so
>>> that the request goes through that servlet each time.
>>>
>>> What do you propose?
>>>
>>> Cheers
>>> Balz
>>>
>>>
>>> On Mon, May 16, 2011 at 4:48 PM, Michael Wechner
>>> <michael.wechner at wyona.com <mailto:michael.wechner at wyona.com>> wrote:
>>>
>>> Hi Balz
>>>
>>>
>>> On 5/16/11 4:09 PM, basZero wrote:
>>>
>>> Hi Michael,
>>>
>>> you once mentioned that Yanel comes out of the box with an
>>> auto login feature?
>>> Can you point me to the source code? I didn't find it.
>>>
>>>
>>> Have a look at
>>>
>>> src/webapp/src/java/org/wyona/yanel/servlet/security/impl/DefaultWebAuthenticatorImpl.java
>>>
>>> and search for
>>>
>>> remember-my-login-name
>>>
>>> (also see rememberLoginNameCookie.setMaxAge(86400); // 1 day is
>>> 86400 seconds)
>>>
>>> (also see src/webapp/xslt/login-screen.xsl)
>>>
>>> HTH
>>>
>>> Michael
>>>
>>>
>>> I just want to see how it is done.
>>>
>>> Cheers
>>> Balz
>>>
>>>
>>> --
>>> Yanel-development mailing list Yanel-development at wyona.com
>>> <mailto:Yanel-development at wyona.com>
>>> http://lists.wyona.org/cgi-bin/mailman/listinfo/yanel-development
>>>
>>>
>>
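The cookie scheme Balz describes (cookie = USERID, TOKEN; a fresh token issued after every successful authentication; the realm keeps the last token per user) and Michael's question about where to persist tokens and how to expire them, as an added stand-alone sketch. This is not Yanel code and does not use DefaultWebAuthenticatorImpl or the realm API; the in-memory `store` map is a hypothetical stand-in for `user.setProperty("autologin-token", ...)`, and the realm keeps only a hash of the token, so a leaked user profile does not hand out usable cookies.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

/** Hypothetical sketch of the auto-login token scheme from the thread; not Yanel's implementation. */
public class AutoLoginTokens {
    private static final long MAX_AGE_MS = 86400L * 1000L; // 1 day, matching the cookie max-age in the thread
    private static final SecureRandom RNG = new SecureRandom();

    /** What the realm stores per user: a hash of the token (never the token itself) plus an expiry. */
    static final class Stored {
        final byte[] tokenHash; final long expiresAt;
        Stored(byte[] h, long e) { tokenHash = h; expiresAt = e; }
    }

    // Stand-in for persisting into the user profile (assumption, not the Yanel API).
    private final Map<String, Stored> store = new HashMap<>();

    /** After every successful authentication: mint a fresh random token, remember its hash, return the cookie value. */
    public String issue(String userId, long now) {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        store.put(userId, new Stored(sha256(token), now + MAX_AGE_MS));
        return userId + ":" + token; // cookie value = USERID, TOKEN
    }

    /** Per request when getIdentity() is null: returns the user id if the cookie is valid, otherwise null (stay anonymous). */
    public String authenticate(String cookie, long now) {
        if (cookie == null) return null;
        int sep = cookie.indexOf(':');
        if (sep < 1) return null;
        String userId = cookie.substring(0, sep);
        Stored s = store.get(userId);
        if (s == null) return null;
        if (now > s.expiresAt) { store.remove(userId); return null; } // lazy cleanup of expired tokens
        if (!MessageDigest.isEqual(s.tokenHash, sha256(cookie.substring(sep + 1)))) return null; // constant-time compare
        store.remove(userId); // single use: the caller issues a new token, so a replayed cookie no longer matches
        return userId;
    }

    private static byte[] sha256(String s) {
        try { return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8)); }
        catch (NoSuchAlgorithmException e) { throw new IllegalStateException(e); }
    }
}
```

Usage: `authenticate(cookie, now)` returns "baszero" for a cookie just produced by `issue("baszero", now)`, null on a second presentation of the same cookie (rotated), and null once `now` passes the stored expiry (expired and cleaned up).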