<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
Hi Balz<br>
<br>
Thanks for your notes/comments.<br>
<br>
I will continue to clean it up shortly and will also add a global
config property in<br>
order to disable/enable auto login (similar to the property of the
mobile device detection).<br>
<br>
But I think the highest priority is to figure out why the cookies do
not get deleted properly.<br>
(maybe debugging the response with ngrep might help)<br>
<br>
Thanks<br>
<br>
Michael<br>
<br>
On 06.07.11 14:03, basZero wrote:
<blockquote
cite="mid:CAOXzDSG8tXG7R6knO2kFX_h+JgjDGxrHM-XC2TYxcbEkmOaqKg@mail.gmail.com"
type="cite">Hi Michael,
<div><br>
</div>
<div>thanks for optimizing and submitting my patch.</div>
<div>Just a few comments, minor comments...:</div>
<div><b><br>
</b></div>
<div><b>Autologin:</b></div>
<div><br>
</div>
<div>- I would replace log.warn by log.debug, if you really log
debug stuff. (e.g. line 53)</div>
<div><br>
</div>
<div>- tryAutoLogin(): a little debate on programming style :-)
now it is more difficult to quickly see under which cases the
method returns true. In my version, the default return value is
false. On one single line you see that it is set to true, and
you quickly see in which case. But I know, the usage of the so
called "early returns", as you seem to like, is a question of
style. Performance-wise there is no difference anymore since JDK1.5,
and for me personally, one single return at the end of the
method just "reads" better.</div>
<div><br>
</div>
<div><b>YanelServlet:</b></div>
<div><br>
</div>
<div>- Also here, many log.warn() are in again which should be
log.debug() (e.g. line 241)</div>
<div><br>
</div>
<div>Cheers</div>
<div>Balz<br>
<br>
<div class="gmail_quote">
On Wed, Jul 6, 2011 at 12:10 PM, Michael Wechner <span
dir="ltr"><<a moz-do-not-send="true"
href="mailto:michael.wechner@wyona.com">michael.wechner@wyona.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt
0.8ex; border-left: 1px solid rgb(204, 204, 204);
padding-left: 1ex;">
<div bgcolor="#ffffff" text="#000000"> Hi Balz<br>
<br>
Thanks again for your patch. I have slightly refactored it
(in particular the naming of methods and also logging of
the various errors):<br>
<br>
Sending
src/webapp/src/java/org/wyona/yanel/servlet/YanelServlet.java<br>
Sending
src/webapp/src/java/org/wyona/yanel/servlet/security/impl/AutoLogin.java<br>
Sending
src/webapp/src/java/org/wyona/yanel/servlet/security/impl/DefaultWebAuthenticatorImpl.java<br>
Transmitting file data ...<br>
Committed revision 59197.<br>
<br>
I have noticed a couple of issues (like for example that
during logout the cookie is not deleted properly), which<br>
I will try to improve shortly.<br>
<br>
Thanks<br>
<br>
Michael
<div class="im"><br>
<br>
On 05.07.11 16:21, basZero wrote: </div>
<blockquote type="cite">I think you did not apply the
latest patch? On line 130 there can't be a
NullPointer...
<div>
<div class="h5">
<div>Here it is a fresh one.</div>
<div><br>
</div>
<div>Let me know whether it works.</div>
<div>Cheers</div>
<div>Balz<br>
<br>
<div class="gmail_quote"> On Tue, Jul 5, 2011 at
4:14 PM, Michael Wechner <span dir="ltr"><<a
moz-do-not-send="true"
href="mailto:michael.wechner@wyona.com"
target="_blank">michael.wechner@wyona.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:
0pt 0pt 0pt 0.8ex; border-left: 1px solid
rgb(204, 204, 204); padding-left: 1ex;">
<div bgcolor="#ffffff" text="#000000"> Hi Balz<br>
<br>
I have applied your latest patch re auto
login (which you have sent to me offlist),
but receive the following error:<br>
<br>
71951 2011-07-05 16:11:53,785 +0200
[http-8080-Processor22] WARN
org.wyona.yanel.servlet.YanelServlet.doAccessControl():1122
- Access denied: <a moz-do-not-send="true"
href="http://127.0.0.1:8080/yanel/from-scratch-realm/en/index.html?yanel.toolbar=on"
target="_blank">http://127.0.0.1:8080/yanel/from-scratch-realm/en/index.html?yanel.toolbar=on</a>
(Path of request: /en/index.html; Identity:
User ID: WORLD - Groups: ; Usecase: toolbar)<br>
71951 2011-07-05 16:11:53,785 +0200
[http-8080-Processor22] WARN
org.wyona.yanel.servlet.YanelServlet.doAccessControl():1152
- SSL does not seem to be configured!<br>
71981 2011-07-05 16:11:53,815 +0200
[http-8080-Processor22] WARN
org.wyona.security.impl.yarep.YarepUserManager.getTrueId():503
- No alias found for id 'lenya', hence
return id as true ID<br>
72028 2011-07-05 16:11:53,862 +0200
[http-8080-Processor22] WARN
org.wyona.yanel.servlet.security.impl.DefaultWebAuthenticatorImpl.authenticate():680
- Authentication was successful for user:
lenya<br>
72030 2011-07-05 16:11:53,864 +0200
[http-8080-Processor22] WARN
org.wyona.yanel.servlet.security.impl.DefaultWebAuthenticatorImpl.authenticate():681
- TODO: Add user to session listener!<br>
72030 2011-07-05 16:11:53,864 +0200
[http-8080-Processor22] WARN
org.wyona.yanel.servlet.security.impl.DefaultWebAuthenticatorImpl.doAutoLogin():610
- TODO: Implement auto-login<br>
72031 2011-07-05 16:11:53,865 +0200
[http-8080-Processor22] FATAL
org.wyona.yanel.servlet.security.impl.AutoLogin.enableAutoLogin():66
- Could not enable Auto Login feature!
Exception: java.lang.NullPointerException<br>
java.lang.NullPointerException<br>
at
org.wyona.yanel.servlet.security.impl.AutoLogin.setNewCookie(AutoLogin.java:130)<br>
at
org.wyona.yanel.servlet.security.impl.AutoLogin.enableAutoLogin(AutoLogin.java:62)<br>
at
org.wyona.yanel.servlet.security.impl.DefaultWebAuthenticatorImpl.doAutoLogin(DefaultWebAuthenticatorImpl.java:613)<br>
at
org.wyona.yanel.servlet.security.impl.DefaultWebAuthenticatorImpl.doAuthenticate(DefaultWebAuthenticatorImpl.java:106)<br>
at
org.wyona.yanel.servlet.YanelServlet.doAuthenticate(YanelServlet.java:1393)<br>
at
org.wyona.yanel.servlet.YanelServlet.doAccessControl(YanelServlet.java:1158)<br>
at
org.wyona.yanel.servlet.YanelServlet.service(YanelServlet.java:253)<br>
at
javax.servlet.http.HttpServlet.service(HttpServlet.java:802)<br>
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:252)<br>
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)<br>
at
org.wyona.yanel.servlet.communication.YanelFilter.doFilter(YanelFilter.java:37)<br>
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)<br>
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)<br>
at
org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)<br>
at
org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)<br>
at
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)<br>
at
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)<br>
at
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)<br>
at
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)<br>
at
org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:869)<br>
at
org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:664)<br>
at
org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)<br>
at
org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:80)<br>
at
org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684)<br>
at java.lang.Thread.run(Thread.java:680)<br>
72032 2011-07-05 16:11:53,866 +0200
[http-8080-Processor22] WARN
org.wyona.yanel.servlet.YanelServlet.doAccessControl():1178
- Authentication was successful for user:
lenya<br>
72032 2011-07-05 16:11:53,866 +0200
[http-8080-Processor22] WARN
org.wyona.yanel.servlet.YanelServlet.doAccessControl():1187
- Redirect to original request: <a
moz-do-not-send="true"
href="http://127.0.0.1:8080/yanel/from-scratch-realm/en/index.html?yanel.toolbar=on"
target="_blank">http://127.0.0.1:8080/yanel/from-scratch-realm/en/index.html?yanel.toolbar=on</a><br>
<br>
Can you send me another version or maybe we
can have a look at it together tomorrow
morning?<br>
<br>
WDYT?<br>
<br>
Thanks<br>
<br>
Michael<br>
<br>
On 17.05.11 16:15, basZero wrote:
<div>
<div>
<blockquote type="cite">Hi Michael,
<div><br>
</div>
<div>can you verify this patch for the
AutoLogin class?</div>
<div>If it is ok, you can submit it.</div>
<div>How do we proceed?</div>
<div><br>
</div>
<div>I have implemented the AutoLogin
call after successful login, so the
rest must be done in the
YanelServlet and the Authenticator.</div>
<div><br>
</div>
<div>Cheers</div>
<div>Balz<br>
<br>
<div class="gmail_quote">On Tue, May
17, 2011 at 11:34 AM, Michael
Wechner <span dir="ltr"><<a
moz-do-not-send="true"
href="mailto:michael.wechner@wyona.com"
target="_blank">michael.wechner@wyona.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote"
style="margin: 0pt 0pt 0pt
0.8ex; border-left: 1px solid
rgb(204, 204, 204);
padding-left: 1ex;">
<div bgcolor="#ffffff"
text="#000000"> Hi Balz<br>
<br>
As we have discussed offline I
have now added the relevant
calls and utility class:<br>
<br>
src/webapp/src/java/org/wyona/yanel/servlet/security/impl/AutoLogin.java
<div><br>
src/webapp/src/java/org/wyona/yanel/servlet/security/impl/DefaultWebAuthenticatorImpl.java<br>
</div>
src/webapp/src/java/org/wyona/yanel/servlet/YanelServlet.java<br>
<br>
whereas, just as the class
DefaultWebAuthenticatorImpl is
using the utility class
AutoLogin,<br>
you can use this utility class
within your custom code, and as
long as you don't pass the
form parameter "auto-login"
(e.g. used by
src/webapp/xslt/login-screen.xsl)
the
DefaultWebAuthenticatorImpl
will ignore it.<br>
<br>
The code does not do much yet
and the AutoLogin class
methods need to be refined
(in particular the
setCookie(...) method), but
maybe you can test if this
integrates well with your
custom code and if so,<br>
then I think it should be
generic enough and easily
integrable.<br>
<br>
Let me know and then we can
start the actual
implementation.<br>
<br>
Thanks<br>
<font color="#888888"> <br>
Michael</font>
<div>
<div><br>
<br>
On 5/17/11 8:15 AM,
basZero wrote:
<blockquote type="cite">Hi
Michael,
<div>I think it is not a
good idea to store the
token in the user
profile. Read my
consolidated thoughts
about the auto-login:<br>
<div><br>
</div>
<div><span
style="font-family:
monospace;
white-space:
pre-wrap;
font-size:
medium;">- In order to give a realm flexibility on HOW the autologin gets implemented, I would suggest that you can configure (per realm) an AutoLoginService (e.g. in the realms.xml) which gets called by the YanelServlet. This way you don't have to worry about all the details now (what to store where and how, etc.) because these are then up to the realm's implementation (if it wants to use Auto-Login).<br>
<br>
- Given this design you can later introduce a DefaultAutoLoginServiceImpl class which a realm can use if they are happy with how that implementation does handle the autologin.</span></div>
<div><span
style="font-family:
Times; font-size:
medium;">
<pre>- The AutoLoginService gets called by the YanelServlet for EACH request that is NOT BOUND to any session yet (so that equals to the first request per session).
- So the AutoLoginService would get the Yanel Environment object (via that it has access to request, response, session, etc., --> the session must be created before the AutoLoginService gets called, it might want to store values in it).
- In general I think we need to extend the DefaultAuthenticatorImpl in Yanel so that you can "login" the user by just providing the username.</pre>
<pre>My points regarding the AutoLoginService:</pre>
<pre>- Define NEW COOKIE (e.g. YANEL_AUTOLOGIN, it contains userID and a TOKEN)
- Verify that the user is really not logged in yet. If logged in --> return.
- The TOKEN must be found VERY QUICKLY, we cannot go through 10'000 user profiles and look for the token --> Either store it as a separate XML (data/autologin/&lt;tokenid&gt;.xml), or we save it in a separate index (at Zwischengas we use an internal index for that already, separated from the actual content data)
- In the TOKEN DATA file (retrieved from token XML or Index), we get the userid for this token. It must match the userid provided from the COOKIE.
- If it matches and the token has not yet expired, we do the login for this user WITHOUT password.</pre>
<pre>I currently wonder whether we really have to renew the TOKEN in the Autologin-Cookie, we could also keep it (like the Yanel-Cookie). What do you think?</pre>
<pre>Cheers
Balz</pre>
</span><br>
<div
class="gmail_quote">On
Tue, May 17, 2011
at 7:31 AM, <span
dir="ltr"><<a
moz-do-not-send="true" href="mailto:baszero@gmail.com" target="_blank">baszero@gmail.com</a>></span>
wrote:<br>
<blockquote
class="gmail_quote"
style="margin:
0pt 0pt 0pt
0.8ex;
border-left: 1px
solid rgb(204,
204, 204);
padding-left:
1ex;">
<div
bgcolor="#FFFFFF">
<div>Hi
Michael </div>
<div><br>
</div>
<div>I would
rather store
it in the user
profile XML
and not in the
meta
property. </div>
<div><br>
</div>
<div>Cheers<br>
<br>
<div><br>
</div>
_____________________
<div> CTO / <span>Zwischengas
AG</span></div>
<div><a
moz-do-not-send="true"
href="http://www.zwischengas.com" target="_blank">www.zwischengas.com</a></div>
<div><br>
</div>
<div>Sent via
iPhone</div>
</div>
<div>
<div>
<div><br>
On 16.05.2011,
at 23:04,
Michael
Wechner <<a
moz-do-not-send="true" href="mailto:michael.wechner@wyona.com"
target="_blank">michael.wechner@wyona.com</a>>
wrote:<br>
<br>
</div>
<blockquote
type="cite">
<div> Hi Balz<br>
<br>
On 5/16/11
5:06 PM,
basZero wrote:
<blockquote
type="cite">Hi
Michael,
<div><br>
</div>
<div>as just
discussed,
what I meant
by
"auto-login"
is not just
pre-filling
the username
field in the
login form.</div>
</blockquote>
<br>
sorry, right,
I
misunderstood<br>
<blockquote
type="cite">
<div>By
"auto-login",
I mean the
following:</div>
<div><br>
</div>
<div>- the
user accesses
ANY page
within my
realm</div>
<div>- at
every request
it is verified
whether the
user is logged
in (means:
getIdentity()
!= null ?)</div>
<div>- if
there is no
identity
available, the
request is
checked for
the autologin
cookie</div>
<div>- if
there is no
autologin
cookie,
proceed as
usual (= user
remains
anonymous)</div>
<div>- if
there IS an
autologin
cookie, the
user gets
authenticated
automatically
(without
seeing any
form or the
need of
pressing a
submit button)
and the user
is logged in.</div>
</blockquote>
<br>
sounds good
also from a
performance/scalability
point of view,
except it's
unclear to me
where<br>
we should save
the tokens
persistently
and how to
clean them if
they have
expired.<br>
<br>
I guess we
could save
them together
with the user
profile, e.g.<br>
<br>
getRealm().getIdentityManager().getUserManager().getUser("baszero").setProperty("autologin-token",
TOKEN-ID);<br>
<br>
WDYT?<br>
<br>
Thanks<br>
<br>
Michael<br>
<br>
<blockquote
type="cite">
<div><br>
</div>
<div><b>Implementation:</b></div>
<div>The
standard way
of how this
usually gets
implemented is
as follows:</div>
<div>- The
cookie
contains
USERID, TOKEN</div>
<div>- After
every
successful
authentication,
a new TOKEN
gets created
and stored in
the COOKIE
(for the next
time). The
realm also
stores the new
token for this
user (so that
it can be
verified the
next time).</div>
<div>- How to
do the
authentication:
the token from
the cookie
must match the
last stored
token for this
user. If it
matches, the
user gets
logged in
without the
need of the
password.</div>
<div><br>
</div>
<div>A normal
side effect of
this
implementation
is: </div>
<div>- if the
user uses a
web browser
and for
instance an
iPad, every
time he
switches the
device, the
token
obviously does
not match
anymore and he
has to login
by the usual
login form
where he
enters
username and
password (and
where he can
checkbox the
autologin
feature
again).</div>
<div><br>
</div>
<div><b>Next
steps for
Yanel:</b></div>
<div>It would
be great if
this
functionality
could be
plugged into
the request
pipeline of
Yanel.</div>
<div>An
alternative is
to write a
Request
Pipeline
Filter for
TOMCAT so that
the request
goes through
that servlet
each time.</div>
<div><br>
</div>
<div>What do
you propose?</div>
<div><br>
</div>
<div>Cheers</div>
<div>Balz</div>
<div><br>
</div>
<div><br>
<div
class="gmail_quote">On
Mon, May 16,
2011 at 4:48
PM, Michael
Wechner <span
dir="ltr"><<a
moz-do-not-send="true" href="mailto:michael.wechner@wyona.com"
target="_blank">michael.wechner@wyona.com</a>></span>
wrote:<br>
<blockquote
class="gmail_quote"
style="margin:
0pt 0pt 0pt
0.8ex;
border-left:
1px solid
rgb(204, 204,
204);
padding-left:
1ex;">Hi Balz
<div><br>
<br>
On 5/16/11
4:09 PM,
basZero wrote:<br>
<blockquote
class="gmail_quote"
style="margin:
0pt 0pt 0pt
0.8ex;
border-left:
1px solid
rgb(204, 204,
204);
padding-left:
1ex;"> Hi
Michael,<br>
<br>
you once
mentioned that
Yanel comes
out of the box
with an auto
login feature?<br>
Can you point
me to the
source code? I
didn't find
it.<br>
</blockquote>
<br>
</div>
Have a look at<br>
<br>
src/webapp/src/java/org/wyona/yanel/servlet/security/impl/DefaultWebAuthenticatorImpl.java<br>
<br>
and search for<br>
<br>
remember-my-login-name<br>
<br>
(also see
rememberLoginNameCookie.setMaxAge(86400);
// 1 day is
86400 seconds)<br>
<br>
(also see
src/webapp/xslt/login-screen.xsl)<br>
<br>
HTH<br>
<br>
Michael
<div>
<div><br>
<blockquote
class="gmail_quote"
style="margin:
0pt 0pt 0pt
0.8ex;
border-left:
1px solid
rgb(204, 204,
204);
padding-left:
1ex;"> <br>
I just want to
see how it is
done.<br>
<br>
Cheers<br>
Balz<br>
</blockquote>
<br>
</div>
</div>
<font
color="#888888">
-- <br>
Yanel-development
mailing list <a
moz-do-not-send="true" href="mailto:Yanel-development@wyona.com"
target="_blank">Yanel-development@wyona.com</a><br>
<a
moz-do-not-send="true"
href="http://lists.wyona.org/cgi-bin/mailman/listinfo/yanel-development"
target="_blank">http://lists.wyona.org/cgi-bin/mailman/listinfo/yanel-development</a><br>
</font></blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</div>
</blockquote>
<blockquote
type="cite">
<div><span>--
</span><br>
<span>Yanel-development
mailing list <a
moz-do-not-send="true" href="mailto:Yanel-development@wyona.com"
target="_blank">Yanel-development@wyona.com</a></span><br>
<span><a
moz-do-not-send="true"
href="http://lists.wyona.org/cgi-bin/mailman/listinfo/yanel-development"
target="_blank">http://lists.wyona.org/cgi-bin/mailman/listinfo/yanel-development</a></span></div>
</blockquote>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</blockquote>
<br>
</div>
</div>
</div>
<br>
--<br>
Yanel-development mailing list <a
moz-do-not-send="true"
href="mailto:Yanel-development@wyona.com"
target="_blank">Yanel-development@wyona.com</a><br>
<a moz-do-not-send="true"
href="http://lists.wyona.org/cgi-bin/mailman/listinfo/yanel-development"
target="_blank">http://lists.wyona.org/cgi-bin/mailman/listinfo/yanel-development</a><br>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</div>
</div>
</div>
<br>
--<br>
Yanel-development mailing list <a
moz-do-not-send="true"
href="mailto:Yanel-development@wyona.com"
target="_blank">Yanel-development@wyona.com</a><br>
<a moz-do-not-send="true"
href="http://lists.wyona.org/cgi-bin/mailman/listinfo/yanel-development"
target="_blank">http://lists.wyona.org/cgi-bin/mailman/listinfo/yanel-development</a><br>
</blockquote>
</div>
<br>
</div>
</div>
</div>
</blockquote>
<br>
</div>
<br>
--<br>
Yanel-development mailing list <a moz-do-not-send="true"
href="mailto:Yanel-development@wyona.com">Yanel-development@wyona.com</a><br>
<a moz-do-not-send="true"
href="http://lists.wyona.org/cgi-bin/mailman/listinfo/yanel-development"
target="_blank">http://lists.wyona.org/cgi-bin/mailman/listinfo/yanel-development</a><br>
</blockquote>
</div>
<br>
</div>
</blockquote>
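Worked example (added here; it is not code from the thread and not Yanel's AutoLogin, DefaultWebAuthenticatorImpl or YanelServlet): a small plain-Java AutoLoginTokenService that implements the design Balz lays out above (cookie carrying a user id plus a token; token looked up in a separate index keyed by token id instead of scanning 10'000 user profiles; user id in the cookie must match the stored one; expiry check; login without password; a new token issued after each successful auto-login) and adds the server-side revocation and the deletion header that Michael's "cookie is not deleted properly on logout" issue calls for. The class name, the cookie format tokenId:secret:userId, the in-memory map standing in for data/autologin/&lt;tokenid&gt;.xml, and the 30-day lifetime are assumptions; only the cookie name YANEL_AUTOLOGIN and the user id lenya come from the thread.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;

/**
 * Illustrative auto-login token service (assumption: not Yanel's own code).
 * An in-memory map keyed by token id stands in for the per-token XML file or
 * index proposed in the thread, so a lookup never scans user profiles.
 */
public final class AutoLoginTokenService {

    /** What the server keeps per token id: owner, SHA-256 of the secret, expiry. */
    static final class TokenRecord {
        final String userId;
        final byte[] secretHash;
        final Instant expires;
        TokenRecord(String userId, byte[] secretHash, Instant expires) {
            this.userId = userId; this.secretHash = secretHash; this.expires = expires;
        }
    }

    /** Outcome of a successful auto-login: who logged in, plus the rotated cookie value. */
    public static final class Result {
        public final String userId;
        public final String newCookieValue;
        Result(String userId, String newCookieValue) { this.userId = userId; this.newCookieValue = newCookieValue; }
    }

    public static final String COOKIE_NAME = "YANEL_AUTOLOGIN"; // cookie name proposed in the thread

    private final Map<String, TokenRecord> index = new ConcurrentHashMap<>();
    private final SecureRandom rng = new SecureRandom();
    private final Duration lifetime;

    public AutoLoginTokenService(Duration lifetime) { this.lifetime = lifetime; }

    /** Called after a successful password login; returns the cookie value "tokenId:secret:userId". */
    public String issue(String userId) {
        String tokenId = randomToken(16);   // public lookup key, unguessable
        String secret = randomToken(32);    // only its hash is stored server-side
        index.put(tokenId, new TokenRecord(userId, sha256(secret), Instant.now().plus(lifetime)));
        return tokenId + ":" + secret + ":" + userId;
    }

    /** Called for a request without a session: verify the cookie, consume it, hand back a rotated one. */
    public Optional<Result> tryAutoLogin(String cookieValue) {
        if (cookieValue == null) return Optional.empty();
        String[] parts = cookieValue.split(":", 3);
        if (parts.length != 3) return Optional.empty();
        String tokenId = parts[0], secret = parts[1], userId = parts[2];
        TokenRecord rec = index.get(tokenId);
        if (rec == null) return Optional.empty();
        boolean ok = rec.userId.equals(userId)                      // user id in cookie must match the stored one
                && Instant.now().isBefore(rec.expires)              // token has not expired
                && MessageDigest.isEqual(rec.secretHash, sha256(secret)); // constant-time compare
        // One-time use: a consumed, expired or mismatching token is dropped either way,
        // so a stolen copy of an old cookie cannot be replayed later.
        index.remove(tokenId);
        if (!ok) return Optional.empty();
        return Optional.of(new Result(rec.userId, issue(rec.userId)));
    }

    /** Logout: drop the server-side record so the cookie is dead even if the browser keeps it. */
    public void revoke(String cookieValue) {
        if (cookieValue == null) return;
        index.remove(cookieValue.split(":", 3)[0]);
    }

    /** Set-Cookie header that really clears the cookie: same Path it was set with, Max-Age=0. */
    public static String deletionHeader(String path) {
        return COOKIE_NAME + "=; Path=" + path + "; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:00 GMT; HttpOnly";
    }

    private String randomToken(int bytes) {
        byte[] b = new byte[bytes];
        rng.nextBytes(b);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(b); // never contains ':'
    }

    private static byte[] sha256(String s) {
        try {
            return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) {
        AutoLoginTokenService svc = new AutoLoginTokenService(Duration.ofDays(30));
        String cookie = svc.issue("lenya");                                  // set after password login
        Optional<Result> first = svc.tryAutoLogin(cookie);                   // next session: logs in, rotates
        System.out.println("first auto-login: " + first.map(r -> r.userId).orElse("denied"));
        System.out.println("replay of old cookie: " + (svc.tryAutoLogin(cookie).isPresent() ? "accepted" : "denied"));
        String rotated = first.get().newCookieValue;
        svc.revoke(rotated);                                                 // logout
        System.out.println("after logout: " + (svc.tryAutoLogin(rotated).isPresent() ? "accepted" : "denied"));
        System.out.println(deletionHeader("/yanel"));
    }
}
```

Two design points worth noting. Storing only the SHA-256 of the secret means that someone who can read the token index (or a backup of it) still cannot forge a cookie, and MessageDigest.isEqual keeps the comparison constant-time. For the logout problem in the thread: a browser only drops a cookie when the clearing Set-Cookie carries the same name, Path (and Domain, if one was set) as the original, so setMaxAge(0) on a Cookie object with a different or missing path leaves the old cookie in place; comparing the two Set-Cookie headers on the wire, as Michael suggests with ngrep, is the quickest way to spot that mismatch.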
<br>
</body>
</html>