[Yanel-dev] Auto Login
basZero
baszero at gmail.com
Tue May 17 16:15:56 CEST 2011
Hi Michael,
can you verify this patch for the AutoLogin class?
If it is ok, you can submit it.
How do we proceed?
I have implemented the AutoLogin call after successful login, so the rest
must be done in the YanelServlet and the Authenticator.
Cheers
Balz
On Tue, May 17, 2011 at 11:34 AM, Michael Wechner <michael.wechner at wyona.com> wrote:
> Hi Balz
>
> As we have discussed offline I have now added the relevant calls and
> utility class:
>
> src/webapp/src/java/org/wyona/yanel/servlet/security/impl/AutoLogin.java
>
>
> src/webapp/src/java/org/wyona/yanel/servlet/security/impl/DefaultWebAuthenticatorImpl.java
> src/webapp/src/java/org/wyona/yanel/servlet/YanelServlet.java
>
> whereas just as the class DefaultWebAuthenticatorImpl is using the utility
> class AutoLogin,
> you can use this utility class within your custom code and as long as you
> don't pass the form parameter "auto-login" (e.g. used by
> src/webapp/xslt/login-screen.xsl) the DefaultWebAuthenticatorImpl will
> ignore it.
>
> The code does not do much yet and the AutoLogin class methods need to be
> refined (in particular the setCookie(...) method), but maybe you can test if
> this integrates well with your custom code and if so,
> then I think it should be generic enough and easily integratable.
>
> Let me know and then we can start the actual implementation.
>
> Thanks
>
> Michael
>
>
> On 5/17/11 8:15 AM, basZero wrote:
>
> Hi Michael,
> I think it is not a good idea to store the token in the user profile. Read
> my consolidated thoughts about the auto-login:
>
> - In order to give a realm flexibility on HOW the autologin gets
> implemented, I would suggest that you can configure (per realm) an
> AutoLoginService (e.g. in the realms.xml) which gets called by the
> YanelServlet. This way you don't have to worry about all the details now
> (what to store where and how, etc.) because these are then up to the realm's
> implementation (if it wants to use Auto-Login).
> - Given this design you can later introduce a DefaultAutoLoginServiceImpl
> class which a realm can use if they are happy with how that implementation
> handles the autologin.
>
> - The AutoLoginService gets called by the YanelServlet for EACH request that is NOT BOUND to any session yet (so that equals the first request per session).
> - So the AutoLoginService would get the Yanel Environment object (via that it has access to request, response, session, etc., --> the session must be created before the AutoLoginService gets called, it might want to store values in it).
> - In general I think we need to extend the DefaultAuthenticatorImpl in Yanel so that you can "login" the user by just providing the username.
>
> My points regarding the AutoLoginService:
>
> - Define NEW COOKIE (e.g. YANEL_AUTOLOGIN, it contains userID and a TOKEN)
> - Verify that the user is really not logged in yet. If logged in --> return.
> - The TOKEN must be found VERY QUICKLY, we can not go through 10'000 user profiles and look for the token --> Either store it as a separate XML (data/autologin/<tokenid>.xml), or we save it in a separate index (at Zwischengas we use an internal index for that already, separated from the actual content data).
> - In the TOKEN DATA file (retrieved from token XML or Index), we get the userid for this token. It must match the userid provided from the COOKIE.
> - If it matches and the token has not yet expired, we do the login for this user WITHOUT password.
>
> I currently wonder whether we really have to renew the TOKEN in the Autologin-Cookie, we could also keep it (like the Yanel-Cookie). What do you think?
>
> Cheers
> Balz
>
>
> On Tue, May 17, 2011 at 7:31 AM, <baszero at gmail.com> wrote:
>
>> Hi Michael
>>
>> I would rather store it in the user profile xml and not in the meta
>> property.
>>
>> Cheers
>>
>>
>> _____________________
>> CTO / Zwischengas AG
>> www.zwischengas.com
>>
>> Sent via iPhone
>>
>> On 16.05.2011, at 23:04, Michael Wechner <michael.wechner at wyona.com> wrote:
>>
>> Hi Balz
>>
>> On 5/16/11 5:06 PM, basZero wrote:
>>
>> Hi Michael,
>>
>> as just discussed, what I meant by "auto-login" is not just pre-filling
>> the username field in the login form.
>>
>>
>> sorry, right, I misunderstood
>>
>> By "auto-login", I mean the following:
>>
>> - the user accesses ANY page within my realm
>> - at every request it is verified whether the user is logged in (means:
>> getIdentity() != null ?)
>> - if there is no identity available, the request is checked for the
>> autologin cookie
>> - if there is no autologin cookie, proceed as usual (= user remains
>> anonymous)
>> - if there IS an autologin cookie, the user gets authenticated
>> automatically (without seeing any form or the need of pressing a submit
>> button) and the user is logged in.
>>
>>
>> sounds good also from a performance/scalability point of view, except it's
>> unclear to me where we should save the tokens persistently and how to clean
>> them if they have expired.
>>
>> I guess we could save them together with the user profile, e.g.
>>
>> getRealm().getIdentityManager().getUserManager().getUser("baszero").setProperty("autologin-token", TOKEN-ID);
>>
>> WDYT?
>>
>> Thanks
>>
>> Michael
>>
>>
>> *Implementation:*
>> The standard way of how this usually gets implemented is as follows:
>> - The cookie contains USERID, TOKEN
>> - After every successful authentication, a new TOKEN gets created and
>> stored in the COOKIE (for the next time). The realm also stores the new
>> token for this user (so that it can be verified the next time).
>> - How to do the authentication: the token from the cookie must match the
>> last stored token for this user. If it matches, the user gets logged in
>> without the need of the password.
>>
>> A normal side effect of this implementation is:
>> - if the user uses a web browser and for instance an iPad, every time he
>> switches the device, the token obviously does not match anymore and he has
>> to login by the usual login form where he enters username and password (and
>> where he can checkbox the autologin feature again).
>>
>> *Next steps for Yanel:*
>> It would be great if this functionality could be plugged into the request
>> pipeline of Yanel.
>> An alternative is to write a Request Pipeline Filter for TOMCAT so that
>> the request goes through that servlet each time.
>>
>> What do you propose?
>>
>> Cheers
>> Balz
>>
>>
>> On Mon, May 16, 2011 at 4:48 PM, Michael Wechner <michael.wechner at wyona.com> wrote:
>>
>>> Hi Balz
>>>
>>>
>>> On 5/16/11 4:09 PM, basZero wrote:
>>>
>>>> Hi Michael,
>>>>
>>>> you once mentioned that Yanel comes out of the box with an auto login
>>>> feature?
>>>> Can you point me to the source code? I didn't find it.
>>>>
>>>
>>> Have a look at
>>>
>>>
>>> src/webapp/src/java/org/wyona/yanel/servlet/security/impl/DefaultWebAuthenticatorImpl.java
>>>
>>> and search for
>>>
>>> remember-my-login-name
>>>
>>> (also see rememberLoginNameCookie.setMaxAge(86400); // 1 day is 86400
>>> seconds)
>>>
>>> (also see src/webapp/xslt/login-screen.xsl)
>>>
>>> HTH
>>>
>>> Michael
>>>
>>>
>>>> I just want to see how it is done.
>>>>
>>>> Cheers
>>>> Balz
>>>>
>>>
>>> --
>>> Yanel-development mailing list Yanel-development at wyona.com
>>> http://lists.wyona.org/cgi-bin/mailman/listinfo/yanel-development
>>>
>>
>>
>>
>>
>
>
>
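The USERID + TOKEN scheme Balz lays out above (cookie carries the user id and a token; a fresh token is minted on every successful login and recorded by the realm; on a request not yet bound to a session the cookie token must match the stored one for that user and must not be expired; switching devices rotates the token so the other device has to log in again) as a stand-alone Java model. This is an added example, not code from the thread or from Yanel: the class name, the in-memory store, the 30-day lifetime and the hashing of stored tokens are assumptions, and the servlet API is left out so it compiles on its own. The store holds only a SHA-256 hash of the current token keyed by user id, so the lookup is a single map access rather than a scan of user profiles, a leaked store cannot be replayed as a cookie, and the comparison is constant-time.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;

/** Hypothetical model of the auto-login token scheme from the thread (not Yanel code). */
public class AutoLoginTokenDemo {

    /** Same separator as the AutoLogin patch; hex tokens can never contain it. */
    private static final String SEP = "___";
    /** Assumed token lifetime: 30 days in milliseconds. */
    private static final long MAX_AGE_MS = 30L * 24 * 60 * 60 * 1000;
    private static final SecureRandom RNG = new SecureRandom();

    /** What the realm keeps per user: a hash of the current token and its expiry. */
    static final class StoredToken {
        final byte[] tokenHash;
        final long expiresAt;
        StoredToken(byte[] tokenHash, long expiresAt) {
            this.tokenHash = tokenHash;
            this.expiresAt = expiresAt;
        }
    }

    /** Assumed in-memory store keyed by user id (a real realm would use a file per id or an index). */
    private final Map<String, StoredToken> store = new HashMap<>();

    /**
     * After a successful form login: mint a fresh token, record its hash, return the cookie value.
     * Overwriting the stored hash is what makes an older device's cookie stop matching.
     */
    public String issueCookieValue(String username, long now) {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        String token = hex(raw);
        store.put(username, new StoredToken(sha256(token), now + MAX_AGE_MS));
        return token + SEP + username;
    }

    /** For a request not yet bound to a session: the user id to log in without password, or null. */
    public String authenticate(String cookieValue, long now) {
        if (cookieValue == null) {
            return null;
        }
        int idx = cookieValue.indexOf(SEP);
        if (idx <= 0 || idx + SEP.length() >= cookieValue.length()) {
            return null;                                    // malformed cookie
        }
        String token = cookieValue.substring(0, idx);
        String username = cookieValue.substring(idx + SEP.length());
        StoredToken stored = store.get(username);          // token must belong to the named user
        if (stored == null) {
            return null;
        }
        if (now > stored.expiresAt) {                       // expired tokens are dropped on sight
            store.remove(username);
            return null;
        }
        if (!MessageDigest.isEqual(stored.tokenHash, sha256(token))) { // constant-time compare
            return null;
        }
        return username;
    }

    /** Logout: forget the server-side token so the cookie is useless even if the browser keeps it. */
    public void revoke(String username) {
        store.remove(username);
    }

    private static byte[] sha256(String s) {
        try {
            return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    private static String hex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        AutoLoginTokenDemo realm = new AutoLoginTokenDemo();
        long t0 = 1_000_000L;                                // constructed clock value
        String laptop = realm.issueCookieValue("baszero", t0);
        System.out.println("laptop cookie         -> " + realm.authenticate(laptop, t0 + 1));
        String ipad = realm.issueCookieValue("baszero", t0); // second device rotates the token
        System.out.println("laptop after iPad     -> " + realm.authenticate(laptop, t0 + 1));
        System.out.println("iPad                  -> " + realm.authenticate(ipad, t0 + 1));
        String forged = ipad.substring(0, ipad.indexOf(SEP)) + SEP + "someone-else";
        System.out.println("token + other user id -> " + realm.authenticate(forged, t0 + 1));
        realm.revoke("baszero");
        System.out.println("iPad after logout     -> " + realm.authenticate(ipad, t0 + 1));
        String again = realm.issueCookieValue("baszero", t0);
        System.out.println("after expiry          -> " + realm.authenticate(again, t0 + MAX_AGE_MS + 1));
    }
}
```

Compile with `javac AutoLoginTokenDemo.java` and run `java AutoLoginTokenDemo`: only the first laptop check and the iPad check yield the user id; the stale laptop cookie, the cookie with another user's id appended, the cookie after logout and the expired cookie all yield null. In Yanel the cookie value would be what `AutoLogin.setCookie` writes, and `authenticate` would run from the servlet on the first request of a session before any identity is bound to it.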
Index: src/webapp/src/java/org/wyona/yanel/servlet/security/impl/AutoLogin.java
===================================================================
--- src/webapp/src/java/org/wyona/yanel/servlet/security/impl/AutoLogin.java (revision 58311)
+++ src/webapp/src/java/org/wyona/yanel/servlet/security/impl/AutoLogin.java (working copy)
@@ -1,31 +1,64 @@
package org.wyona.yanel.servlet.security.impl;
+import java.util.UUID;
+
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
+import org.apache.log4j.Logger;
+
/**
* Utility class in order to support auto login
*/
public class AutoLogin {
+ private static Logger log = Logger.getLogger(AutoLogin.class);
+ private static final String COOKIE_NAME = "YANELAUTOLOGIN";
+ private static final String SEP = "___";
+
/**
* Set cookie
*/
public static Cookie setCookie(String username, HttpServletRequest request, HttpServletResponse response) {
- return null;
+ Cookie result = null;
+ if (username != null) {
+ String token = UUID.randomUUID().toString();
+ Cookie cookie = new Cookie(COOKIE_NAME,token+SEP+username);
+ cookie.setMaxAge(Integer.MAX_VALUE);
+ response.addCookie(cookie);
+ result = cookie;
+ }
+ return result;
}
/**
* Get cookie
*/
public static Cookie getCookie(HttpServletRequest request) {
- return null;
+ Cookie result = null;
+ try {
+ for (Cookie c : request.getCookies()) {
+ if (c.getName().equals(COOKIE_NAME)) {
+ result = c;
+ break;
+ }
+ }
+
+ } catch (Exception e) {
+ log.error("Error in retrieving cookie from request");
+ log.error(e,e);
+ }
+
+ return result;
}
/**
* Remove cookie
*/
- public static void removeCookie(HttpServletRequest request) {
+ public static void removeCookie(HttpServletRequest request, HttpServletResponse response) {
+ Cookie cookie = new Cookie(COOKIE_NAME,"");
+ cookie.setMaxAge(Integer.MAX_VALUE);
+ response.addCookie(cookie);
}
}
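Review bot: removeCookie does not remove anything: it re-sends YANELAUTOLOGIN with an empty value and `cookie.setMaxAge(Integer.MAX_VALUE);`, so the empty cookie is kept by the browser indefinitely; use `cookie.setMaxAge(0);` (with the same path as the cookie written by setCookie) so the browser discards it. setCookie uses the same Integer.MAX_VALUE max age, which does not fit the "token has not yet expired" check discussed in the thread; a bounded lifetime, with the expiry stored server-side next to the token, would match that design. In getCookie, `request.getCookies()` returns null when the request carries no cookies at all, so the for loop throws a NullPointerException on every cookie-less request and logs it at error level; a null check avoids both the exception and the log noise. Also worth stating in the Javadoc that the UUID token is currently only written into the cookie and not recorded anywhere for the user, so nothing can verify it yet.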