<html><body bgcolor="#FFFFFF"><div>hi michael </div><div><br></div><div>i would rather store it in the user profile xml and not in the meta property. </div><div><br></div><div>cheers<br><br><div><br></div>_____________________<div>CTO / <span class="Apple-style-span" style="-webkit-tap-highlight-color: rgba(26, 26, 26, 0.296875); -webkit-composition-fill-color: rgba(175, 192, 227, 0.230469); -webkit-composition-frame-color: rgba(77, 128, 180, 0.230469); ">Zwischengas AG</span></div><div><a href="http://www.zwischengas.com">www.zwischengas.com</a></div><div><br></div><div>Sent via iPhone</div></div><div><br>On 16.05.2011, at 23:04, Michael Wechner <<a href="mailto:michael.wechner@wyona.com">michael.wechner@wyona.com</a>> wrote:<br><br></div><div></div><blockquote type="cite"><div>
Hi Balz<br>
<br>
On 5/16/11 5:06 PM, basZero wrote:
<blockquote cite="mid:BANLkTin--_+PxkUC6_GzGTff8beqCWuRAw@mail.gmail.com" type="cite">Hi Michael,
<div><br>
</div>
<div>as just discussed, what I meant by "auto-login" is not just
pre-filling the username field in the login form.</div>
</blockquote>
<br>
sorry, right, I misunderstood<br>
<blockquote cite="mid:BANLkTin--_+PxkUC6_GzGTff8beqCWuRAw@mail.gmail.com" type="cite">
<div>By "auto-login", I mean the following:</div>
<div><br>
</div>
<div>- the user accesses ANY page within my realm</div>
<div>- at every request it is verified whether the user is logged
in (means: getIdentity() != null ?)</div>
<div>- if there is no identity available, the request is checked
for the autologin cookie</div>
<div>- if there is no autologin cookie, proceed as usual (= user
remains anonymous)</div>
<div>- if there IS an autologin cookie, the user gets
authenticated automatically (without seeing any form or the need
of pressing a submit button) and the user is logged in.</div>
</blockquote>
<br>
sounds good also from a peformance/scalability point of view, except
it's unclear to me where<br>
we should save the tokens persistently and how to clean them if they
have expired.<br>
<br>
I guess we could save them together with the user profile, e.g.<br>
<br>
getRealm().getIdentityManager().getUserManager().getUser("baszero").setProperty("autologin-token",
TOKEN-ID);<br>
<br>
WDYT?<br>
<br>
Thanks<br>
<br>
Michael<br>
<br>
<blockquote cite="mid:BANLkTin--_+PxkUC6_GzGTff8beqCWuRAw@mail.gmail.com" type="cite">
<div><br>
</div>
<div><b>Implementation:</b></div>
<div>The standard way of how this usually gets implemented is as
follows:</div>
<div>- The cookie contains USERID, TOKEN</div>
<div>- After every successful authentication, a new TOKEN gets
created and stored in the COOKIE (for the next time). The realm
also stores the new token for this user (so that it can be
verified the next time).</div>
<div>- How to do the authentication: the token from the cookie
must match the last stored token for this user. if it matches,
the user gets logged in without the need of the password.</div>
<div><br>
</div>
<div>A normal side effect of this implementation is: </div>
<div>- if the user uses a web browser and for instance an iPad,
every time he switches the device, the token obviously does not
match anymore and he has to login by the usual login form where
he enters username and password (and where he can checkbox the
autologin feature again).</div>
<div><br>
</div>
<div><b>Next steps for Yanel:</b></div>
<div>It would be great if this functionality could be plugged into
the request pipeline of Yanel.</div>
<div>An alternative is to write a Request Pipeline Filter for
TOMCAT so that the request goes through that servlet each time.</div>
<div><br>
</div>
<div>What do you propose?</div>
<div><br>
</div>
<div>Cheers</div>
<div>Balz</div>
<div><br>
</div>
<div><br>
<div class="gmail_quote">On Mon, May 16, 2011 at 4:48 PM,
Michael Wechner <span dir="ltr"><<a moz-do-not-send="true" href="mailto:michael.wechner@wyona.com"><a href="mailto:michael.wechner@wyona.com">michael.wechner@wyona.com</a></a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt
0.8ex; border-left: 1px solid rgb(204, 204, 204);
padding-left: 1ex;">Hi Balz
<div class="im"><br>
<br>
On 5/16/11 4:09 PM, basZero wrote:<br>
<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt
0.8ex; border-left: 1px solid rgb(204, 204, 204);
padding-left: 1ex;">
Hi Michael,<br>
<br>
you once mentioned that Yanel comes out of the box with
an auto login feature?<br>
Can you point me to the source code? I didn't find it.<br>
</blockquote>
<br>
</div>
Have a look at<br>
<br>
src/webapp/src/java/org/wyona/yanel/servlet/security/impl/DefaultWebAuthenticatorImpl.java<br>
<br>
and search for<br>
<br>
remember-my-login-name<br>
<br>
(also see rememberLoginNameCookie.setMaxAge(86400); // 1 day
is 86400 seconds)<br>
<br>
(also see src/webapp/xslt/login-screen.xsl)<br>
<br>
HTH<br>
<br>
Michael
<div>
<div class="h5"><br>
<blockquote class="gmail_quote" style="margin: 0pt 0pt
0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204);
padding-left: 1ex;">
<br>
I just want to see how it is done.<br>
<br>
Cheers<br>
Balz<br>
</blockquote>
<br>
</div>
</div>
<font color="#888888">
-- <br>
Yanel-development mailing list <a moz-do-not-send="true" href="mailto:Yanel-development@wyona.com" target="_blank"><a href="mailto:Yanel-development@wyona.com">Yanel-development@wyona.com</a></a><br>
<a moz-do-not-send="true" href="http://lists.wyona.org/cgi-bin/mailman/listinfo/yanel-development" target="_blank"><a href="http://lists.wyona.org/cgi-bin/mailman/listinfo/yanel-development">http://lists.wyona.org/cgi-bin/mailman/listinfo/yanel-development</a></a><br>
</font></blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</div></blockquote><blockquote type="cite"><div><span>-- </span><br><span>Yanel-development mailing list <a href="mailto:Yanel-development@wyona.com"><a href="mailto:Yanel-development@wyona.com">Yanel-development@wyona.com</a></a></span><br><span><a href="http://lists.wyona.org/cgi-bin/mailman/listinfo/yanel-development">http://lists.wyona.org/cgi-bin/mailman/listinfo/yanel-development</a></span></div></blockquote></body></html>