Thanks Michael,<div>I will check it this afternoon.</div><div><br></div><div>Another use case we mentioned: "Logout".</div><div>What is the best way to logout? Currently I am using a simple trick: The "Logout" is a simple hyperlink pointing to our start page by adding the URL parameter "?<code>yanel.usecase=logout</code>"</div>
<div><br></div><div>If that is the correct approach of how to logout, we should extend the code to:</div><div>- if autologin is enabled in general for that Yanel installation, the autologin cookie must be set to expire, or it should get deleted completely.</div>
<div><br></div><div>What do you think?<br><br>Cheers</div><div>Balz<br><br><div class="gmail_quote">On Tue, May 17, 2011 at 11:34 AM, Michael Wechner <span dir="ltr"><<a href="mailto:michael.wechner@wyona.com">michael.wechner@wyona.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div bgcolor="#ffffff" text="#000000">
Hi Balz<br>
<br>
As we have discussed offline I have now added the relevant calls and
utility class:<br>
<br>
src/webapp/src/java/org/wyona/yanel/servlet/security/impl/AutoLogin.java<div class="im"><br>
src/webapp/src/java/org/wyona/yanel/servlet/security/impl/DefaultWebAuthenticatorImpl.java<br></div>
src/webapp/src/java/org/wyona/yanel/servlet/YanelServlet.java<br>
<br>
whereas, just as the class DefaultWebAuthenticatorImpl uses the
utility class AutoLogin,<br>
you can use this utility class within your custom code, and as long
as you don't pass the form parameter "auto-login" (e.g. used by
src/webapp/xslt/login-screen.xsl) the DefaultWebAuthenticatorImpl
will ignore it.<br>
<br>
The code does not do much yet and the AutoLogin class methods need
to be refined (in particular the setCookie(...) method), but maybe
you can test if this integrates well with your custom code and if
so,<br>
then I think it should be generic enough and easily integrable.<br>
<br>
Let me know and then we can start the actual implementation.<br>
<br>
Thanks<br><font color="#888888">
<br>
Michael</font><div><div></div><div class="h5"><br>
<br>
On 5/17/11 8:15 AM, basZero wrote:
<blockquote type="cite">Hi Michael,
<div>I think it is not a good idea to store the token in the user
profile. Read my consolidated thoughts about the auto-login:<br>
<div><br>
</div>
<div><span style="font-family:monospace;white-space:pre-wrap;font-size:medium">- In order
to give a realm flexibility on HOW the autologin gets
implemented, I would suggest that you can configure (per
realm) an AutoLoginService (e.g. in the realms.xml) which
gets called by the YanelServlet. This way you don't have to
worry about all the details now (what to store where and
how, etc.) because these are then up to the realm's
implementation (if it wants to use Auto-Login).<br>
- Given this design you can later introduce a
DefaultAutoLoginServiceImpl class which a realm can use if
they are happy with how that implementation does handle the
autologin.</span></div>
<div><span style="font-family:Times;font-size:medium">
<pre>- The AutoLoginService gets called by the YanelServlet for EACH request that is NOT BOUND to any session yet (so that equals to the first request per session).
- So the AutoLoginService would get the Yanel Environment object (via that it has access to request, response, session, etc., --> the session must be created before the AutoLoginService gets called, it might want to store values in it).
- In general I think we need to extend the DefaultAuthenticatorImpl in Yanel so that you can "login" the user by just providing the username.</pre>
<pre>My points regarding the AutoLoginService:</pre>
<pre>- Define NEW COOKIE (e.g. YANEL_AUTOLOGIN, it contains userID and a TOKEN)
- Verify that the user is really not logged in yet. If logged in --> return.
- The TOKEN must be found VERY QUICKLY, we cannot go through 10'000 user profiles and look for the token --> Either store it as a separate XML (data/autologin/<tokenid>.xml), or we save it in a separate index (at Zwischengas we use an internal index for that already, separated from the actual content data)
- In the TOKEN DATA file (retrieved from token XML or Index), we get the userid for this token. It must match the userid provided from the COOKIE.
- If it matches and the token has not yet expired, we do the login for this user WITHOUT password.</pre>
<pre>I currently wonder whether we really have to renew the TOKEN in the Autologin-Cookie, we could also keep it (like the Yanel-Cookie). What do you think?</pre>
<pre>Cheers
Balz</pre>
</span><br>
<div class="gmail_quote">On Tue, May 17, 2011 at 7:31 AM, <span dir="ltr"><<a href="mailto:baszero@gmail.com" target="_blank">baszero@gmail.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204, 204, 204);padding-left:1ex">
<div bgcolor="#FFFFFF">
<div>Hi Michael </div>
<div><br>
</div>
<div>I would rather store it in the user profile xml and
not in the meta property. </div>
<div><br>
</div>
<div>Cheers<br>
<br>
<div><br>
</div>
_____________________
<div>
CTO / <span>Zwischengas AG</span></div>
<div><a href="http://www.zwischengas.com" target="_blank">www.zwischengas.com</a></div>
<div><br>
</div>
<div>Sent via iPhone</div>
</div>
<div>
<div>
<div><br>
On 16.05.2011, at 23:04, Michael Wechner <<a href="mailto:michael.wechner@wyona.com" target="_blank">michael.wechner@wyona.com</a>>
wrote:<br>
<br>
</div>
<blockquote type="cite">
<div> Hi Balz<br>
<br>
On 5/16/11 5:06 PM, basZero wrote:
<blockquote type="cite">Hi Michael,
<div><br>
</div>
<div>as just discussed, what I meant by
"auto-login" is not just pre-filling the
username field in the login form.</div>
</blockquote>
<br>
sorry, right, I misunderstood<br>
<blockquote type="cite">
<div>By "auto-login", I mean the following:</div>
<div><br>
</div>
<div>- the user accesses ANY page within my
realm</div>
<div>- at every request it is verified whether
the user is logged in (means: getIdentity()
!= null ?)</div>
<div>- if there is no identity available, the
request is checked for the autologin cookie</div>
<div>- if there is no autologin cookie,
proceed as usual (= user remains anonymous)</div>
<div>- if there IS an autologin cookie, the
user gets authenticated automatically
(without seeing any form or the need of
pressing a submit button) and the user is
logged in.</div>
</blockquote>
<br>
sounds good also from a performance/scalability
point of view, except it's unclear to me where<br>
we should save the tokens persistently and how
to clean them if they have expired.<br>
<br>
I guess we could save them together with the
user profile, e.g.<br>
<br>
getRealm().getIdentityManager().getUserManager().getUser("baszero").setProperty("autologin-token",
TOKEN-ID);<br>
<br>
WDYT?<br>
<br>
Thanks<br>
<br>
Michael<br>
<br>
<blockquote type="cite">
<div><br>
</div>
<div><b>Implementation:</b></div>
<div>The standard way of how this usually gets
implemented is as follows:</div>
<div>- The cookie contains USERID, TOKEN</div>
<div>- After every successful authentication,
a new TOKEN gets created and stored in the
COOKIE (for the next time). The realm also
stores the new token for this user (so that
it can be verified the next time).</div>
<div>- How to do the authentication: the token
from the cookie must match the last stored
token for this user. If it matches, the user
gets logged in without the need of the
password.</div>
<div><br>
</div>
<div>A normal side effect of this
implementation is: </div>
<div>- if the user uses a web browser and for
instance an iPad, every time he switches the
device, the token obviously does not match
anymore and he has to login by the usual
login form where he enters username and
password (and where he can checkbox the
autologin feature again).</div>
<div><br>
</div>
<div><b>Next steps for Yanel:</b></div>
<div>It would be great if this functionality
could be plugged into the request pipeline
of Yanel.</div>
<div>An alternative is to write a Request
Pipeline Filter for TOMCAT so that the
request goes through that servlet each time.</div>
<div><br>
</div>
<div>What do you propose?</div>
<div><br>
</div>
<div>Cheers</div>
<div>Balz</div>
<div><br>
</div>
<div><br>
<div class="gmail_quote">On Mon, May 16,
2011 at 4:48 PM, Michael Wechner <span dir="ltr"><<a href="mailto:michael.wechner@wyona.com" target="_blank">michael.wechner@wyona.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204, 204, 204);padding-left:1ex">Hi Balz
<div><br>
<br>
On 5/16/11 4:09 PM, basZero wrote:<br>
<blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204, 204, 204);padding-left:1ex"> Hi
Michael,<br>
<br>
you once mentioned that Yanel comes
out of the box with an auto login
feature?<br>
Can you point me to the source code?
I didn't find it.<br>
</blockquote>
<br>
</div>
Have a look at<br>
<br>
src/webapp/src/java/org/wyona/yanel/servlet/security/impl/DefaultWebAuthenticatorImpl.java<br>
<br>
and search for<br>
<br>
remember-my-login-name<br>
<br>
(also see
rememberLoginNameCookie.setMaxAge(86400);
// 1 day is 86400 seconds)<br>
<br>
(also see
src/webapp/xslt/login-screen.xsl)<br>
<br>
HTH<br>
<br>
Michael
<div>
<div><br>
<blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204, 204, 204);padding-left:1ex"> <br>
I just want to see how it is done.<br>
<br>
Cheers<br>
Balz<br>
</blockquote>
<br>
</div>
</div>
<font color="#888888"> -- <br>
Yanel-development mailing list <a href="mailto:Yanel-development@wyona.com" target="_blank">Yanel-development@wyona.com</a><br>
<a href="http://lists.wyona.org/cgi-bin/mailman/listinfo/yanel-development" target="_blank">http://lists.wyona.org/cgi-bin/mailman/listinfo/yanel-development</a><br>
</font></blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</div>
</blockquote>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</blockquote>
<br>
</div></div></div>
</blockquote></div><br></div>
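<div>The auto-login design sketched across this thread (userid plus token in the cookie, a fast server-side lookup, a userid match, an expiry check, optional token renewal, and a logout that revokes the token), as an added example that is not part of the mailing list discussion or of Yanel's own code. Everything in it is assumed: the class and method names, the "userid:token" cookie layout, the 30-day lifetime, and keeping a hash of the token as the lookup key instead of the token itself; it models the flow in Python rather than in Yanel's Java servlet classes.</div>

```python
import hashlib, hmac, secrets, time

TOKEN_TTL_SECONDS = 30 * 24 * 3600  # constructed value: 30 days


class AutoLoginService:
    """Model of the thread's design (not Yanel code): the cookie carries "userid:token";
    the server keeps only SHA-256(token) as index key, so a check is one lookup."""

    def __init__(self, now=time.time):
        self._by_hash = {}  # sha256(token) -> (userid, expires_at)
        self._now = now  # injectable clock so expiry can be tested

    @staticmethod
    def _key(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, userid):
        """After a successful password login: store a fresh token, return the cookie value."""
        token = secrets.token_urlsafe(32)
        self._by_hash[self._key(token)] = (userid, self._now() + TOKEN_TTL_SECONDS)
        return f"{userid}:{token}"

    def authenticate(self, cookie_value, rotate=False):
        """For requests with no identity yet: returns (userid, new_cookie) or (None, None)."""
        if not cookie_value or ":" not in cookie_value:
            return None, None  # no autologin cookie: user stays anonymous
        userid, token = cookie_value.split(":", 1)
        key = self._key(token)
        if (record := self._by_hash.get(key)) is None:
            return None, None  # unknown or already revoked token
        stored_userid, expires_at = record
        if self._now() > expires_at:
            del self._by_hash[key]  # expired: drop it when it is next presented
            return None, None
        if not hmac.compare_digest(stored_userid.encode(), userid.encode()):
            return None, None  # valid token, but presented with another userid
        if rotate:  # optional renewal: revoke the old token, hand out a fresh one
            del self._by_hash[key]
            return stored_userid, self.issue(stored_userid)
        return stored_userid, None

    def logout(self, cookie_value):  # the response must also set the cookie's Max-Age to 0
        if cookie_value and ":" in cookie_value:
            self._by_hash.pop(self._key(cookie_value.split(":", 1)[1]), None)

    def purge_expired(self):  # housekeeping for tokens that are never presented again
        before = len(self._by_hash)
        self._by_hash = {k: v for k, v in self._by_hash.items() if v[1] >= self._now()}
        return before - len(self._by_hash)
```

Whether to call <code>authenticate(..., rotate=True)</code> is exactly the renewal question raised in the thread: rotation limits how long a stolen cookie stays usable, at the cost of one more write per auto-login.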