<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
On 5/17/11 11:46 AM, basZero wrote:
<blockquote
cite="mid:BANLkTik-QhtgaFf9wXyKE1Bmvv7faa6+Ww@mail.gmail.com"
type="cite">Thanks Michael,
<div>I will check it this afternoon.</div>
<div><br>
</div>
<div>Another use case we mentioned: "Logout".</div>
<div>What is the best way to logout? Currently I am using a simple
trick: The "Logout" is a simple hyperlink pointing to our start
page by adding the URL parameter "?<span
class="Apple-style-span" style="font-family: Monaco;
font-size: 11px;">yanel.usecase=logout</span>"</div>
</blockquote>
<br>
me too ;-) whereas also see YanelServlet#doLogout()<br>
<blockquote
cite="mid:BANLkTik-QhtgaFf9wXyKE1Bmvv7faa6+Ww@mail.gmail.com"
type="cite">
<div><br>
</div>
<div>If that is the correct approach of how to logout, we should
extend the code to:</div>
<div>- if autologin is in general enabled for that yanel
installation, the autologin cookie must be set to be expired, or
it should get deleted completely.</div>
</blockquote>
<br>
I have already added within YanelServlet such a method call<br>
<br>
AutoLogin.removeCookie(...)<br>
<br>
HTH<br>
<br>
Michael<br>
<blockquote
cite="mid:BANLkTik-QhtgaFf9wXyKE1Bmvv7faa6+Ww@mail.gmail.com"
type="cite">
<div><br>
</div>
<div>What do you think?<br>
</div>
</blockquote>
<br>
I have already added <br>
<blockquote
cite="mid:BANLkTik-QhtgaFf9wXyKE1Bmvv7faa6+Ww@mail.gmail.com"
type="cite">
<div><br>
Cheers</div>
<div>Balz<br>
<br>
<div class="gmail_quote">On Tue, May 17, 2011 at 11:34 AM,
Michael Wechner <span dir="ltr">&lt;<a moz-do-not-send="true"
href="mailto:michael.wechner@wyona.com">michael.wechner@wyona.com</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt
0.8ex; border-left: 1px solid rgb(204, 204, 204);
padding-left: 1ex;">
<div bgcolor="#ffffff" text="#000000"> Hi Balz<br>
<br>
As we have discussed offline I have now added the relevant
calls and utility class:<br>
<br>
src/webapp/src/java/org/wyona/yanel/servlet/security/impl/AutoLogin.java
<div class="im"><br>
src/webapp/src/java/org/wyona/yanel/servlet/security/impl/DefaultWebAuthenticatorImpl.java<br>
</div>
src/webapp/src/java/org/wyona/yanel/servlet/YanelServlet.java<br>
<br>
whereas just as the class DefaultWebAuthenticatorImpl is
using the utility class AutoLogin,<br>
you can use this utility class within your custom code and
as long as you don't pass the form parameter "auto-login"
(e.g. used by src/webapp/xslt/login-screen.xsl) the
DefaultWebAuthenticatorImpl will ignore it.<br>
<br>
The code does not do much yet and the AutoLogin class
methods need to be refined (in particular the
setCookie(...) method), but maybe you can test if this
integrates well with your custom code and if so,<br>
then I think it should be generic enough and easily
integrable.<br>
<br>
Let me know and then we can start the actual
implementation.<br>
<br>
Thanks<br>
<font color="#888888"> <br>
Michael</font>
<div>
<div class="h5"><br>
<br>
On 5/17/11 8:15 AM, basZero wrote:
<blockquote type="cite">Hi Michael,
<div>I think it is not a good idea to store the
token in the user profile. Read my consolidated
thoughts about the auto-login:<br>
<div><br>
</div>
<div><span style="font-family: monospace;
white-space: pre-wrap; font-size: medium;">-
In order<br>
to give a realm flexibility on HOW the
autologin gets<br>
implemented, I would suggest that you can
configure (per<br>
realm) an AutoLoginService (e.g. in the
realms.xml) which<br>
gets called by the YanelServlet. This way you
don't have to<br>
worry about all the details now (what to store
where and<br>
how, etc.) because these are then up to the
realm's<br>
implementation (if it wants to use
Auto-Login).<br>
<br>
- Given this design you can later introduce a<br>
DefaultAutoLoginServiceImpl class which a
realm can use if<br>
they are happy with how that implementation
does handle the<br>
autologin.</span></div>
<div><span style="font-family: Times; font-size:
medium;">
<pre>- The AutoLoginService gets called by the YanelServlet for EACH request that is NOT BOUND to any session yet (so that equals the first request per session).
- So the AutoLoginService would get the Yanel Environment object (via that it has access to request, response, session, etc., --> the session must be created before the AutoLoginService gets called, it might want to store values in it).
- In general I think we need to extend the DefaultAuthenticatorImpl in Yanel so that you can "login" the user by just providing the username.</pre>
<pre>My points regarding the AutoLoginService:</pre>
<pre>- Define NEW COOKIE (e.g. YANEL_AUTOLOGIN, it contains userID and a TOKEN)
- Verify that the user is really not logged in yet. If logged in --> return.
- The TOKEN must be found VERY QUICKLY, we can not go through 10'000 user profiles and look for the token --> Either store it as a separate XML (data/autologin/&lt;tokenid&gt;.xml), or we save it in a separate index (at Zwischengas we use an internal index for that already, separated from the actual content data)
- In the TOKEN DATA file (retrieved from token XML or Index), we get the userid for this token. It must match the userid provided from the COOKIE.
- If it matches and the token has not yet expired, we do the login for this user WITHOUT password.</pre>
<pre>I currently wonder whether we really have to renew the TOKEN in the Autologin-Cookie, we could also keep it (like the Yanel-Cookie). What do you think?</pre>
<pre>Cheers
Balz</pre>
</span><br>
<div class="gmail_quote">On Tue, May 17, 2011 at
7:31 AM, <span dir="ltr">&lt;<a
moz-do-not-send="true"
href="mailto:baszero@gmail.com"
target="_blank">baszero@gmail.com</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:
0pt 0pt 0pt 0.8ex; border-left: 1px solid
rgb(204, 204, 204); padding-left: 1ex;">
<div bgcolor="#FFFFFF">
<div>hi michael </div>
<div><br>
</div>
<div>i would rather store it in the user
profile xml and not in the meta
property. </div>
<div><br>
</div>
<div>cheers<br>
<br>
<div><br>
</div>
_____________________
<div> CTO / <span>Zwischengas AG</span></div>
<div><a moz-do-not-send="true"
href="http://www.zwischengas.com"
target="_blank">www.zwischengas.com</a></div>
<div><br>
</div>
<div>Sent via iPhone</div>
</div>
<div>
<div>
<div><br>
On 16.05.2011, at 23:04, Michael
Wechner &lt;<a
moz-do-not-send="true"
href="mailto:michael.wechner@wyona.com"
target="_blank">michael.wechner@wyona.com</a>&gt;
wrote:<br>
<br>
</div>
<blockquote type="cite">
<div> Hi Balz<br>
<br>
On 5/16/11 5:06 PM, basZero wrote:
<blockquote type="cite">Hi
Michael,
<div><br>
</div>
<div>as just discussed, what I
meant by "auto-login" is not
just pre-filling the username
field in the login form.</div>
</blockquote>
<br>
sorry, right, I misunderstood<br>
<blockquote type="cite">
<div>By "auto-login", I mean the
following:</div>
<div><br>
</div>
<div>- the user accesses ANY
page within my realm</div>
<div>- at every request it is
verified whether the user is
logged in (means:
getIdentity() != null ?)</div>
<div>- if there is no identity
available, the request is
checked for the autologin
cookie</div>
<div>- if there is no autologin
cookie, proceed as usual (=
user remains anonymous)</div>
<div>- if there IS an autologin
cookie, the user gets
authenticated automatically
(without seeing any form or
the need of pressing a submit
button) and the user is logged
in.</div>
</blockquote>
<br>
sounds good also from a
performance/scalability point of
view, except it's unclear to me
where<br>
we should save the tokens
persistently and how to clean them
if they have expired.<br>
<br>
I guess we could save them
together with the user profile,
e.g.<br>
<br>
getRealm().getIdentityManager().getUserManager().getUser("baszero").setProperty("autologin-token",
TOKEN-ID);<br>
<br>
WDYT?<br>
<br>
Thanks<br>
<br>
Michael<br>
<br>
<blockquote type="cite">
<div><br>
</div>
<div><b>Implementation:</b></div>
<div>The standard way of how
this usually gets implemented
is as follows:</div>
<div>- The cookie contains
USERID, TOKEN</div>
<div>- After every successful
authentication, a new TOKEN
gets created and stored in the
COOKIE (for the next time).
The realm also stores the new
token for this user (so that
it can be verified the next
time).</div>
<div>- How to do the
authentication: the token from
the cookie must match the last
stored token for this user. if
it matches, the user gets
logged in without the need of
the password.</div>
<div><br>
</div>
<div>A normal side effect of
this implementation is: </div>
<div>- if the user uses a web
browser and for instance an
iPad, every time he switches
the device, the token
obviously does not match
anymore and he has to login by
the usual login form where he
enters username and password
(and where he can checkbox the
autologin feature again).</div>
<div><br>
</div>
<div><b>Next steps for Yanel:</b></div>
<div>It would be great if this
functionality could be plugged
into the request pipeline of
Yanel.</div>
<div>An alternative is to write
a Request Pipeline Filter for
TOMCAT so that the request
goes through that servlet each
time.</div>
<div><br>
</div>
<div>What do you propose?</div>
<div><br>
</div>
<div>Cheers</div>
<div>Balz</div>
<div><br>
</div>
<div><br>
<div class="gmail_quote">On
Mon, May 16, 2011 at 4:48
PM, Michael Wechner <span
dir="ltr">&lt;<a
moz-do-not-send="true"
href="mailto:michael.wechner@wyona.com"
target="_blank">michael.wechner@wyona.com</a>&gt;</span>
wrote:<br>
<blockquote
class="gmail_quote"
style="margin: 0pt 0pt 0pt
0.8ex; border-left: 1px
solid rgb(204, 204, 204);
padding-left: 1ex;">Hi
Balz
<div><br>
<br>
On 5/16/11 4:09 PM,
basZero wrote:<br>
<blockquote
class="gmail_quote"
style="margin: 0pt 0pt
0pt 0.8ex;
border-left: 1px solid
rgb(204, 204, 204);
padding-left: 1ex;">
Hi Michael,<br>
<br>
you once mentioned
that Yanel comes out
of the box with an
auto login feature?<br>
Can you point me to
the source code? I
didn't find it.<br>
</blockquote>
<br>
</div>
Have a look at<br>
<br>
src/webapp/src/java/org/wyona/yanel/servlet/security/impl/DefaultWebAuthenticatorImpl.java<br>
<br>
and search for<br>
<br>
remember-my-login-name<br>
<br>
(also see
rememberLoginNameCookie.setMaxAge(86400);
// 1 day is 86400 seconds)<br>
<br>
(also see
src/webapp/xslt/login-screen.xsl)<br>
<br>
HTH<br>
<br>
Michael
<div>
<div><br>
<blockquote
class="gmail_quote"
style="margin: 0pt
0pt 0pt 0.8ex;
border-left: 1px
solid rgb(204, 204,
204); padding-left:
1ex;"> <br>
I just want to see
how it is done.<br>
<br>
Cheers<br>
Balz<br>
</blockquote>
<br>
</div>
</div>
<font color="#888888"> --
<br>
Yanel-development
mailing list <a
moz-do-not-send="true"
href="mailto:Yanel-development@wyona.com" target="_blank">Yanel-development@wyona.com</a><br>
<a
moz-do-not-send="true"
href="http://lists.wyona.org/cgi-bin/mailman/listinfo/yanel-development"
target="_blank">http://lists.wyona.org/cgi-bin/mailman/listinfo/yanel-development</a><br>
</font></blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</div>
</blockquote>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</blockquote>
<br>
</div>
</div>
</div>
<br>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
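<p>The auto-login scheme the thread converges on (a YANEL_AUTOLOGIN cookie carrying userid and TOKEN, a server-side index keyed by token so lookup never scans user profiles, a userid match and expiry check, login without a password, an open question about renewing the token, and a logout that expires the cookie) is shown below as a complete, runnable model. This is an added example written for this page, not code from Yanel or from either author; it is Python rather than Java so that it can be executed as-is. The class name AutoLoginService and the cookie name come from the thread; the 30-day lifetime, the decision to store only a SHA-256 hash of the token in the index, the constant-time userid comparison, and revoking a token whose userid does not match the cookie are this example's own choices, as is the ManualClock used to exercise expiry without waiting.</p>

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

COOKIE_NAME = "YANEL_AUTOLOGIN"        # cookie name proposed in the thread
DEFAULT_TTL_SECONDS = 30 * 86400       # assumed 30-day token lifetime (not from the thread)


@dataclass
class TokenRecord:
    userid: str
    expires_at: float


class ManualClock:
    """Injectable clock so expiry can be exercised without sleeping."""
    def __init__(self, now: float = 1_000_000.0):
        self.now = now

    def __call__(self) -> float:
        return self.now


class AutoLoginService:
    """Per-realm service called for every request that has no identity yet."""

    def __init__(self, ttl=DEFAULT_TTL_SECONDS, rotate=True, clock=time.time):
        # Index keyed by sha256(token): stands in for data/autologin/<tokenid>.xml
        # or a separate index, so lookup never scans user profiles. Hashing the
        # stored token is this example's choice: a leaked index cannot be replayed.
        self._index: dict[str, TokenRecord] = {}
        self._ttl = ttl
        self._rotate = rotate       # renew the token on each auto-login, or keep it
        self._clock = clock

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, userid: str) -> str:
        """Create a fresh random token for userid and record it server-side."""
        token = secrets.token_urlsafe(32)
        self._index[self._key(token)] = TokenRecord(userid, self._clock() + self._ttl)
        return token

    @staticmethod
    def cookie_value(userid: str, token: str) -> str:
        return f"{userid}:{token}"   # token is URL-safe base64, so it never contains ':'

    @staticmethod
    def parse_cookie(value):
        if not value or ":" not in value:
            return None
        userid, token = value.rsplit(":", 1)   # rsplit tolerates ':' inside the userid
        return (userid, token) if userid and token else None

    def authenticate(self, session: dict, cookie_value):
        """Return (userid or None, replacement cookie value or None).

        Mirrors the thread's steps: return early if already logged in, look the
        token up by its id, require the cookie's userid to match the stored one,
        reject expired tokens, then log the user in without a password.
        """
        if session.get("identity") is not None:
            return session["identity"], None
        parsed = self.parse_cookie(cookie_value)
        if parsed is None:
            return None, None                       # no cookie: stay anonymous
        userid, token = parsed
        key = self._key(token)
        record = self._index.get(key)
        if record is None:
            return None, None                       # unknown token: stay anonymous
        if record.expires_at <= self._clock():
            del self._index[key]                    # expired: clean up, stay anonymous
            return None, None
        if not hmac.compare_digest(record.userid.encode(), userid.encode()):
            del self._index[key]                    # userid mismatch: revoke the token
            return None, None
        session["identity"] = userid                # login without password
        if not self._rotate:
            return userid, None                     # keep the cookie, like the Yanel cookie
        del self._index[key]                        # single use: old cookie is now invalid
        return userid, self.cookie_value(userid, self.issue(userid))

    def logout(self, session: dict, cookie_value) -> str:
        """Drop the server-side entry and return a Set-Cookie value that expires the cookie."""
        session.pop("identity", None)
        parsed = self.parse_cookie(cookie_value)
        if parsed is not None:
            self._index.pop(self._key(parsed[1]), None)
        return f"{COOKIE_NAME}=; Max-Age=0; Path=/; HttpOnly"

    def purge_expired(self) -> int:
        """Housekeeping for the cleanup question raised in the thread."""
        now = self._clock()
        stale = [k for k, r in self._index.items() if r.expires_at <= now]
        for k in stale:
            del self._index[k]
        return len(stale)


if __name__ == "__main__":
    clock = ManualClock()
    svc = AutoLoginService(ttl=3600, clock=clock)
    cookie = svc.cookie_value("balz", svc.issue("balz"))   # set after a successful form login
    print(svc.authenticate({}, cookie))                     # ('balz', 'balz:<new token>')
    print(svc.authenticate({}, cookie))                     # (None, None): old cookie rotated away
    clock.now += 7200
    print(svc.purge_expired())                              # 1
```

<p>With rotate=True a token is single-use, so an old cookie copied to another device stops working after the first auto-login on the original device, which is the "switches the device" behaviour described earlier in the thread; with rotate=False the cookie is kept until it expires or the user logs out, as Balz asked about. Either way, logout must both delete the server-side entry and send the expiring Set-Cookie value, otherwise the browser keeps presenting a cookie that the index still honours.</p>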
</body>
</html>