Hi Michael, <div>I think it is not a good idea to store the token in the user profile. Read my consolidated thoughts about the auto-login:<br><div><br></div><div><span class="Apple-style-span" style="font-family: monospace; white-space: pre; font-size: medium; ">- In order to give a realm flexibility on HOW the autologin gets implemented, I would suggest that you can configure (per realm) an AutoLoginService (e.g. in the realms.xml) which gets called by the YanelServlet. This way you don't have to worry about all the details now (what to store where and how, etc.) because these are then up to the realm's implementation (if it wants to use Auto-Login).
- Given this design you can later introduce a DefaultAutoLoginServiceImpl class which a realm can use if they are happy with how that implementation does handle the autologin.</span></div><div><span class="Apple-style-span" style="font-family: Times; font-size: medium; "><pre id="comment_text_1">
- The AutoLoginService gets called by the YanelServlet for EACH request that is NOT BOUND to any session yet (so that equals to the first request per session).
- So the AutoLoginServive would get the Yanel Environment object (via that it has access to request, response, session, etc., --> the session must be created before the AutoLoginService gets called, it might want to store values in it).
- In general I think we need to extend the DefaultAuthenticatorImpl in Yanel so that you can "login" the user by just providing the username.</pre><pre id="comment_text_1">My points regarding the AutoLoginService:</pre>
<pre id="comment_text_1">- Define NEW COOKIE (e.g. YANEL_AUTOLOGIN, it contains userID and a TOKEN)
- Verify that the user is really not logged in yet. If logged in --> return.
- The TOKEN must be found VERY QUICKLY, we can not go through 10'000 user profiles and look for the token --> Either store it as a seperate XML (data/autologin/<tokenid>.xml , or we save in a separate index (at Zwischengas we use an internal index for that already, separated from the actual content data)
- In the TOKEN DATA file (retrieved from token XML or Index), we get the userid for this token. It must match the userid provided from the COOKIE.
- If it matches and the token has not yet expired, we do the login for this user WITHOUT password.</pre><pre id="comment_text_1"><br></pre><pre id="comment_text_1">I currently wonder whether we really have to renew the TOKEN in the Autologin-Cookie, we could also keep it (like the Yanel-Cookie). What do you think?</pre>
<pre id="comment_text_1">Cheers
Balz</pre></span><br><div class="gmail_quote">On Tue, May 17, 2011 at 7:31 AM, <span dir="ltr"><<a href="mailto:baszero@gmail.com">baszero@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div bgcolor="#FFFFFF"><div>hi michael </div><div><br></div><div>i would rather store it in the user profile xml and not in the meta property. </div><div><br></div><div>cheers<br><br><div><br></div>_____________________<div>
CTO / <span>Zwischengas AG</span></div><div><a href="http://www.zwischengas.com" target="_blank">www.zwischengas.com</a></div><div><br></div><div>Sent via iPhone</div></div><div><div></div><div class="h5"><div><br>On 16.05.2011, at 23:04, Michael Wechner <<a href="mailto:michael.wechner@wyona.com" target="_blank">michael.wechner@wyona.com</a>> wrote:<br>
<br></div><div></div><blockquote type="cite"><div>
Hi Balz<br>
<br>
On 5/16/11 5:06 PM, basZero wrote:
<blockquote type="cite">Hi Michael,
<div><br>
</div>
<div>as just discussed, what I meant by "auto-login" is not just
pre-filling the username field in the login form.</div>
</blockquote>
<br>
sorry, right, I misunderstood<br>
<blockquote type="cite">
<div>By "auto-login", I mean the following:</div>
<div><br>
</div>
<div>- the user accesses ANY page within my realm</div>
<div>- at every request it is verified whether the user is logged
in (means: getIdentity() != null ?)</div>
<div>- if there is no identity available, the request is checked
for the autologin cookie</div>
<div>- if there is no autologin cookie, proceed as usual (= user
remains anonymous)</div>
<div>- if there IS an autologin cookie, the user gets
authenticated automatically (without seeing any form or the need
of pressing a submit button) and the user is logged in.</div>
</blockquote>
<br>
sounds good also from a peformance/scalability point of view, except
it's unclear to me where<br>
we should save the tokens persistently and how to clean them if they
have expired.<br>
<br>
I guess we could save them together with the user profile, e.g.<br>
<br>
getRealm().getIdentityManager().getUserManager().getUser("baszero").setProperty("autologin-token",
TOKEN-ID);<br>
<br>
WDYT?<br>
<br>
Thanks<br>
<br>
Michael<br>
<br>
<blockquote type="cite">
<div><br>
</div>
<div><b>Implementation:</b></div>
<div>The standard way of how this usually gets implemented is as
follows:</div>
<div>- The cookie contains USERID, TOKEN</div>
<div>- After every successful authentication, a new TOKEN gets
created and stored in the COOKIE (for the next time). The realm
also stores the new token for this user (so that it can be
verified the next time).</div>
<div>- How to do the authentication: the token from the cookie
must match the last stored token for this user. if it matches,
the user gets logged in without the need of the password.</div>
<div><br>
</div>
<div>A normal side effect of this implementation is: </div>
<div>- if the user uses a web browser and for instance an iPad,
every time he switches the device, the token obviously does not
match anymore and he has to login by the usual login form where
he enters username and password (and where he can checkbox the
autologin feature again).</div>
<div><br>
</div>
<div><b>Next steps for Yanel:</b></div>
<div>It would be great if this functionality could be plugged into
the request pipeline of Yanel.</div>
<div>An alternative is to write a Request Pipeline Filter for
TOMCAT so that the request goes through that servlet each time.</div>
<div><br>
</div>
<div>What do you propose?</div>
<div><br>
</div>
<div>Cheers</div>
<div>Balz</div>
<div><br>
</div>
<div><br>
<div class="gmail_quote">On Mon, May 16, 2011 at 4:48 PM,
Michael Wechner <span dir="ltr"><<a href="mailto:michael.wechner@wyona.com" target="_blank"></a><a href="mailto:michael.wechner@wyona.com" target="_blank">michael.wechner@wyona.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204, 204, 204);padding-left:1ex">Hi Balz
<div><br>
<br>
On 5/16/11 4:09 PM, basZero wrote:<br>
<blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204, 204, 204);padding-left:1ex">
Hi Michael,<br>
<br>
you once mentioned that Yanel comes out of the box with
an auto login feature?<br>
Can you point me to the source code? I didn't find it.<br>
</blockquote>
<br>
</div>
Have a look at<br>
<br>
src/webapp/src/java/org/wyona/yanel/servlet/security/impl/DefaultWebAuthenticatorImpl.java<br>
<br>
and search for<br>
<br>
remember-my-login-name<br>
<br>
(also see rememberLoginNameCookie.setMaxAge(86400); // 1 day
is 86400 seconds)<br>
<br>
(also see src/webapp/xslt/login-screen.xsl)<br>
<br>
HTH<br>
<br>
Michael
<div>
<div><br>
<blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204, 204, 204);padding-left:1ex">
<br>
I just want to see how it is done.<br>
<br>
Cheers<br>
Balz<br>
</blockquote>
<br>
</div>
</div>
<font color="#888888">
-- <br>
Yanel-development mailing list <a href="mailto:Yanel-development@wyona.com" target="_blank"></a><a href="mailto:Yanel-development@wyona.com" target="_blank">Yanel-development@wyona.com</a><br>
<a href="http://lists.wyona.org/cgi-bin/mailman/listinfo/yanel-development" target="_blank"></a><a href="http://lists.wyona.org/cgi-bin/mailman/listinfo/yanel-development" target="_blank">http://lists.wyona.org/cgi-bin/mailman/listinfo/yanel-development</a><br>
</font></blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</div></blockquote><blockquote type="cite"><div><span>-- </span><br><span>Yanel-development mailing list <a href="mailto:Yanel-development@wyona.com" target="_blank"></a><a href="mailto:Yanel-development@wyona.com" target="_blank">Yanel-development@wyona.com</a></span><br>
<span><a href="http://lists.wyona.org/cgi-bin/mailman/listinfo/yanel-development" target="_blank">http://lists.wyona.org/cgi-bin/mailman/listinfo/yanel-development</a></span></div></blockquote></div></div></div></blockquote>
</div><br></div></div>