[Yanel-dev] Auto Login

Michael Wechner michael.wechner at wyona.com
Tue May 17 09:38:05 CEST 2011


Hi Balz

On 5/17/11 7:31 AM, baszero at gmail.com wrote:
> hi michael
>
> I would rather store it in the user profile XML and not in the meta 
> property.

That depends on the implementation. The below is just the API, i.e. how it 
would be called within the authenticator.

Cheers

Michael
>
> cheers
>
>
> _____________________
> CTO / Zwischengas AG
> www.zwischengas.com <http://www.zwischengas.com>
>
> Sent via iPhone
>
> On 16.05.2011, at 23:04, Michael Wechner <michael.wechner at wyona.com 
> <mailto:michael.wechner at wyona.com>> wrote:
>
>> Hi Balz
>>
>> On 5/16/11 5:06 PM, basZero wrote:
>>> Hi Michael,
>>>
>>> as just discussed, what I meant by "auto-login" is not just 
>>> pre-filling the username field in the login form.
>>
>> sorry, right, I misunderstood
>>> By "auto-login", I mean the following:
>>>
>>> - the user accesses ANY page within my realm
>>> - at every request it is verified whether the user is logged in 
>>> (means: getIdentity() != null ?)
>>> - if there is no identity available, the request is checked for the 
>>> autologin cookie
>>> - if there is no autologin cookie, proceed as usual (= user remains 
>>> anonymous)
>>> - if there IS an autologin cookie, the user gets authenticated 
>>> automatically (without seeing any form or the need of pressing a 
>>> submit button) and the user is logged in.
>>
>> sounds good also from a performance/scalability point of view, except 
>> it's unclear to me where
>> we should save the tokens persistently and how to clean them if they 
>> have expired.
>>
>> I guess we could save them together with the user profile, e.g.
>>
>> getRealm().getIdentityManager().getUserManager().getUser("baszero").setProperty("autologin-token", TOKEN-ID);
>>
>> WDYT?
>>
>> Thanks
>>
>> Michael
>>
>>>
>>> *Implementation:*
>>> The standard way of how this usually gets implemented is as follows:
>>> - The cookie contains USERID, TOKEN
>>> - After every successful authentication, a new TOKEN gets created 
>>> and stored in the COOKIE (for the next time). The realm also stores 
>>> the new token for this user (so that it can be verified the next time).
>>> - How to do the authentication: the token from the cookie must match 
>>> the last stored token for this user. if it matches, the user gets 
>>> logged in without the need of the password.
>>>
>>> A normal side effect of this implementation is:
>>> - if the user uses a web browser and for instance an iPad, every 
>>> time he switches the device, the token obviously does not match 
>>> anymore and he has to login by the usual login form where he enters 
>>> username and password (and where he can checkbox the autologin 
>>> feature again).
>>>
>>> *Next steps for Yanel:*
>>> It would be great if this functionality could be plugged into the 
>>> request pipeline of Yanel.
>>> An alternative is to write a Request Pipeline Filter for TOMCAT so 
>>> that the request goes through that servlet each time.
>>>
>>> What do you propose?
>>>
>>> Cheers
>>> Balz
>>>
>>>
>>> On Mon, May 16, 2011 at 4:48 PM, Michael Wechner 
>>> <michael.wechner at wyona.com <mailto:michael.wechner at wyona.com>> wrote:
>>>
>>>     Hi Balz
>>>
>>>
>>>     On 5/16/11 4:09 PM, basZero wrote:
>>>
>>>         Hi Michael,
>>>
>>>         you once mentioned that Yanel comes out of the box with an
>>>         auto login feature?
>>>         Can you point me to the source code? I didn't find it.
>>>
>>>
>>>     Have a look at
>>>
>>>     src/webapp/src/java/org/wyona/yanel/servlet/security/impl/DefaultWebAuthenticatorImpl.java
>>>
>>>     and search for
>>>
>>>     remember-my-login-name
>>>
>>>     (also see rememberLoginNameCookie.setMaxAge(86400); // 1 day is
>>>     86400 seconds)
>>>
>>>     (also see src/webapp/xslt/login-screen.xsl)
>>>
>>>     HTH
>>>
>>>     Michael
>>>
>>>
>>>         I just want to see how it is done.
>>>
>>>         Cheers
>>>         Balz
>>>
>>>
>>>     -- 
>>>     Yanel-development mailing list Yanel-development at wyona.com
>>>     <mailto:Yanel-development at wyona.com>
>>>     http://lists.wyona.org/cgi-bin/mailman/listinfo/yanel-development
>>>
>>>
>>
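The token scheme Balz describes (cookie = USERID plus TOKEN, a new token after every successful check, the realm keeping only the last token per user) as an added example; this is not Yanel code and not code posted by anyone in the thread. It uses the plain JDK with an in-memory map standing in for the user profile store, so it runs stand-alone with `javac`/`java`. Beyond the thread it stores only a SHA-256 hash of the token (a copied user store then yields no usable cookies), compares in constant time, and carries an expiry so the sweep Michael asks about has something to act on. The class and method names and the 30-day lifetime are assumptions. When the real cookie is set, give it `HttpOnly` and `Secure` and a `Max-Age` matching the stored expiry.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Iterator;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/** Model of the auto-login cookie scheme; names and lifetime are assumed, not Yanel's. */
public class AutoLoginTokens {
    private static final SecureRandom RNG = new SecureRandom();
    static final long MAX_AGE_MILLIS = 30L * 24 * 3600 * 1000; // assumed 30-day lifetime

    /** What the realm keeps per user (stands in for setProperty("autologin-token", ...)). */
    static final class StoredToken {
        final byte[] hash;      // SHA-256 of the token, never the token itself
        final long expiresAt;   // epoch millis
        StoredToken(byte[] hash, long expiresAt) { this.hash = hash; this.expiresAt = expiresAt; }
    }

    private final Map<String, StoredToken> store = new ConcurrentHashMap<>();

    /** After a successful password login with the box checked: returns the cookie value "USERID:TOKEN". */
    public String issue(String userId, long now) {
        byte[] raw = new byte[32];                       // 256 bits from a CSPRNG
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw); // no ':' in this alphabet
        store.put(userId, new StoredToken(sha256(token), now + MAX_AGE_MILLIS));   // replaces any older token
        return userId + ":" + token;
    }

    /**
     * On a request with no identity but with the cookie: returns {userId, freshCookieValue}
     * when the token matches the last one stored for that user, otherwise null.
     */
    public String[] verifyAndRotate(String cookieValue, long now) {
        if (cookieValue == null) return null;
        int sep = cookieValue.lastIndexOf(':');          // token has no ':', so the last one splits correctly
        if (sep <= 0 || sep == cookieValue.length() - 1) return null;
        String userId = cookieValue.substring(0, sep);
        String token = cookieValue.substring(sep + 1);
        StoredToken stored = store.get(userId);
        if (stored == null) return null;
        if (now > stored.expiresAt) { store.remove(userId); return null; }
        // Constant-time comparison: a wrong token does not leak how many bytes matched.
        if (!MessageDigest.isEqual(stored.hash, sha256(token))) return null;
        // Rotate: the presented token is spent, a replayed copy of it is rejected from now on.
        return new String[] { userId, issue(userId, now) };
    }

    /** Explicit logout: forget the stored token so the cookie is dead. */
    public void revoke(String userId) { store.remove(userId); }

    /** Periodic sweep for expired entries; returns how many were dropped. */
    public int purgeExpired(long now) {
        int removed = 0;
        for (Iterator<Map.Entry<String, StoredToken>> it = store.entrySet().iterator(); it.hasNext();) {
            if (now > it.next().getValue().expiresAt) { it.remove(); removed++; }
        }
        return removed;
    }

    private static byte[] sha256(String s) {
        try {
            return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);           // SHA-256 is mandatory in every JDK
        }
    }

    public static void main(String[] args) {
        AutoLoginTokens tokens = new AutoLoginTokens();
        long now = System.currentTimeMillis();
        String desktop = tokens.issue("baszero", now);                          // login on the desktop browser
        String[] r = tokens.verifyAndRotate(desktop, now + 1000);               // next visit: logged in, new cookie
        System.out.println("auto-login as " + r[0]);
        System.out.println("old desktop cookie replayed: "
                + (tokens.verifyAndRotate(desktop, now + 2000) == null ? "rejected" : "accepted"));
        tokens.issue("baszero", now + 3000);                                    // password login on the iPad
        System.out.println("desktop cookie after iPad login: "
                + (tokens.verifyAndRotate(r[1], now + 4000) == null ? "rejected" : "accepted"));
        System.out.println("purged after lifetime: " + tokens.purgeExpired(now + MAX_AGE_MILLIS + 5000));
    }
}
```

Because the store holds one token per user, the iPad login invalidates the desktop cookie exactly as the thread describes; a scheme that keeps one token per device (a per-device series id in the cookie) would avoid that at the cost of a list per user, and a mismatch on a known series id would then be a theft signal worth invalidating all of them for. Rotation also means the verification step must be able to write to the store on a GET, which is worth keeping in mind when the profile lives in a repository with its own locking.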
