Hi Michael,<div><br></div><div>thanks for optimizing and submitting my patch.</div><div>Just a few comments, minor comments...:</div><div><b><br></b></div><div><b>Autologin:</b></div><div><br></div><div>- I would replace log.warn by log.debug, if you really log debug stuff. (e.g. line 53)</div>
<div><br></div><div>- tryAutoLogin(): a little debate on programming style :-) now it is more difficult to quickly see, under which cases the method returns true. In my version, the default return value is false. One one single line you see, that it is set to true, and you quickly see in which case. But I know, the usage of the so called "early returns" as you seem to like, is a question of style. Performance-wise it is no difference anymore since JDK1.5 and for me personally, one single return at the end of the method just "reads" better.</div>
<div><br></div><div><b>YanelServlet:</b></div><div><br></div><div>- Also here, many log.warn() are in again which should be log.debug() (e.g. line 241)</div><div><br></div><div>Cheers</div><div>Balz<br><br><div class="gmail_quote">
On Wed, Jul 6, 2011 at 12:10 PM, Michael Wechner <span dir="ltr"><<a href="mailto:michael.wechner@wyona.com">michael.wechner@wyona.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<u></u>
<div bgcolor="#ffffff" text="#000000">
Hi Balz<br>
<br>
Thanks again for your patch. I have slightly refactored it (in
particular the naming of methods and also logging of the various
errors):<br>
<br>
Sending
src/webapp/src/java/org/wyona/yanel/servlet/YanelServlet.java<br>
Sending
src/webapp/src/java/org/wyona/yanel/servlet/security/impl/AutoLogin.java<br>
Sending
src/webapp/src/java/org/wyona/yanel/servlet/security/impl/DefaultWebAuthenticatorImpl.java<br>
Transmitting file data ...<br>
Committed revision 59197.<br>
<br>
I have noticed a couple of issues (like for example that during
logout the cookie is not deleted properly), which<br>
I will try to improve shortly.<br>
<br>
Thanks<br>
<br>
Michael<div class="im"><br>
<br>
Am 05.07.11 16:21, schrieb basZero:
</div><blockquote type="cite">I think you did not apply the latest patch? on line
130 there can't be a NullPointer...
<div><div></div><div class="h5"><div>Here it is a fresh one.</div>
<div><br>
</div>
<div>Let me know whether it works.</div>
<div>Cheers</div>
<div>Balz<br>
<br>
<div class="gmail_quote">
On Tue, Jul 5, 2011 at 4:14 PM, Michael Wechner <span dir="ltr"><<a href="mailto:michael.wechner@wyona.com" target="_blank">michael.wechner@wyona.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204, 204, 204);padding-left:1ex">
<div bgcolor="#ffffff" text="#000000"> Hi Balz<br>
<br>
I have applied your latest patch re auto login which you
have sent to me offlist), but receive the following error:<br>
<br>
71951 2011-07-05 16:11:53,785 +0200
[http-8080-Processor22] WARN
org.wyona.yanel.servlet.YanelServlet.doAccessControl():1122
- Access denied: <a href="http://127.0.0.1:8080/yanel/from-scratch-realm/en/index.html?yanel.toolbar=on" target="_blank">http://127.0.0.1:8080/yanel/from-scratch-realm/en/index.html?yanel.toolbar=on</a>
(Path of request: /en/index.html; Identity: User ID: WORLD
- Groups: ; Usecase: toolbar)<br>
71951 2011-07-05 16:11:53,785 +0200
[http-8080-Processor22] WARN
org.wyona.yanel.servlet.YanelServlet.doAccessControl():1152
- SSL does not seem to be configured!<br>
71981 2011-07-05 16:11:53,815 +0200
[http-8080-Processor22] WARN
org.wyona.security.impl.yarep.YarepUserManager.getTrueId():503
- No alias found for id 'lenya', hence return id as true
ID<br>
72028 2011-07-05 16:11:53,862 +0200
[http-8080-Processor22] WARN
org.wyona.yanel.servlet.security.impl.DefaultWebAuthenticatorImpl.authenticate():680
- Authentication was successful for user: lenya<br>
72030 2011-07-05 16:11:53,864 +0200
[http-8080-Processor22] WARN
org.wyona.yanel.servlet.security.impl.DefaultWebAuthenticatorImpl.authenticate():681
- TODO: Add user to session listener!<br>
72030 2011-07-05 16:11:53,864 +0200
[http-8080-Processor22] WARN
org.wyona.yanel.servlet.security.impl.DefaultWebAuthenticatorImpl.doAutoLogin():610
- TODO: Implement auto-login<br>
72031 2011-07-05 16:11:53,865 +0200
[http-8080-Processor22] FATAL
org.wyona.yanel.servlet.security.impl.AutoLogin.enableAutoLogin():66
- Could not enable Auto Login feature! Exception:
java.lang.NullPointerException<br>
java.lang.NullPointerException<br>
at
org.wyona.yanel.servlet.security.impl.AutoLogin.setNewCookie(AutoLogin.java:130)<br>
at
org.wyona.yanel.servlet.security.impl.AutoLogin.enableAutoLogin(AutoLogin.java:62)<br>
at
org.wyona.yanel.servlet.security.impl.DefaultWebAuthenticatorImpl.doAutoLogin(DefaultWebAuthenticatorImpl.java:613)<br>
at
org.wyona.yanel.servlet.security.impl.DefaultWebAuthenticatorImpl.doAuthenticate(DefaultWebAuthenticatorImpl.java:106)<br>
at
org.wyona.yanel.servlet.YanelServlet.doAuthenticate(YanelServlet.java:1393)<br>
at
org.wyona.yanel.servlet.YanelServlet.doAccessControl(YanelServlet.java:1158)<br>
at
org.wyona.yanel.servlet.YanelServlet.service(YanelServlet.java:253)<br>
at
javax.servlet.http.HttpServlet.service(HttpServlet.java:802)<br>
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:252)<br>
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)<br>
at
org.wyona.yanel.servlet.communication.YanelFilter.doFilter(YanelFilter.java:37)<br>
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)<br>
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)<br>
at
org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)<br>
at
org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)<br>
at
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)<br>
at
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)<br>
at
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)<br>
at
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)<br>
at
org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:869)<br>
at
org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:664)<br>
at
org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)<br>
at
org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:80)<br>
at
org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684)<br>
at java.lang.Thread.run(Thread.java:680)<br>
72032 2011-07-05 16:11:53,866 +0200
[http-8080-Processor22] WARN
org.wyona.yanel.servlet.YanelServlet.doAccessControl():1178
- Authentication was successful for user: lenya<br>
72032 2011-07-05 16:11:53,866 +0200
[http-8080-Processor22] WARN
org.wyona.yanel.servlet.YanelServlet.doAccessControl():1187
- Redirect to original request:
<a href="http://127.0.0.1:8080/yanel/from-scratch-realm/en/index.html?yanel.toolbar=on" target="_blank">http://127.0.0.1:8080/yanel/from-scratch-realm/en/index.html?yanel.toolbar=on</a><br>
<br>
Can you send me another version or maybe we can have a
look at it together tomorrow morning?<br>
<br>
WDYT?<br>
<br>
Thanks<br>
<br>
Michael<br>
<br>
Am 17.05.11 16:15, schrieb basZero:
<div>
<div>
<blockquote type="cite">Hi Michael,
<div><br>
</div>
<div>can you verify this patch for the AutoLogin
class?</div>
<div>If it is ok, you can submit it.</div>
<div>How do we proceed?</div>
<div><br>
</div>
<div>I have implemented the AutoLogin call after
successful login, so the rest must be done in the
YanelServlet and the Authenticator.</div>
<div><br>
</div>
<div>Cheers</div>
<div>Balz<br>
<br>
<div class="gmail_quote">On Tue, May 17, 2011 at
11:34 AM, Michael Wechner <span dir="ltr"><<a href="mailto:michael.wechner@wyona.com" target="_blank">michael.wechner@wyona.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204, 204, 204);padding-left:1ex">
<div bgcolor="#ffffff" text="#000000"> Hi Balz<br>
<br>
As we have discussed offline I have now
added the relevant calls and utility class:<br>
<br>
src/webapp/src/java/org/wyona/yanel/servlet/security/impl/AutoLogin.java
<div><br>
src/webapp/src/java/org/wyona/yanel/servlet/security/impl/DefaultWebAuthenticatorImpl.java<br>
</div>
src/webapp/src/java/org/wyona/yanel/servlet/YanelServlet.java<br>
<br>
whereas just as the class
DefaultWebAuthenticatorImpl is using the
utility class AutoLogin,<br>
you can use this utility class within your
custom code and as long as you don't pass
the form parameter "auto-login" (e.g. used
by src/webapp/xslt/login-screen.xsl) the
DefaultWebAuthenticatorImpl will ignore it.<br>
<br>
The code does not do much yet and the
AutoLogin class methods needs to be refined
(in particular the setCookie(...) method),
but maybe you can test if this integrates
well with your custom code and if so,<br>
then I think it should be generic enough and
easy integratable.<br>
<br>
Let me know and the we can start the actual
implementation.<br>
<br>
Thanks<br>
<font color="#888888"> <br>
Michael</font>
<div>
<div><br>
<br>
On 5/17/11 8:15 AM, basZero wrote:
<blockquote type="cite">Hi Michael,
<div>I think it is not a good idea to
store the token in the user profile.
Read my consolidated thoughts about
the auto-login:<br>
<div><br>
</div>
<div><span style="font-family:monospace;white-space:pre-wrap;font-size:medium">-<br>
In order<br>
<br>
to give a realm flexibility on
HOW the<br>
autologin gets<br>
<br>
implemented, I would suggest
that you can<br>
configure (per<br>
<br>
realm) an AutoLoginService (e.g.
in the<br>
realms.xml) which<br>
<br>
gets called by the YanelServlet.
This way you<br>
don't have to<br>
<br>
worry about all the details now
(what to store<br>
where and<br>
<br>
how, etc.) because these are
then up to the<br>
realm's<br>
<br>
implementation (if it wants to
use<br>
Auto-Login).<br>
<br>
<br>
<br>
- Given this design you can
later introduce a<br>
<br>
DefaultAutoLoginServiceImpl
class which a<br>
realm can use if<br>
<br>
they are happy with how that
implementation<br>
does handle the<br>
<br>
autologin.</span></div>
<div><span style="font-family:Times;font-size:medium">
<pre>- The AutoLoginService gets called by the YanelServlet for EACH request that is NOT BOUND to any session yet (so that equals to the first request per session).
- So the AutoLoginServive would get the Yanel Environment object (via that it has access to request, response, session, etc., --> the session must be created before the AutoLoginService gets called, it might want to store values in it).
- In general I think we need to extend the DefaultAuthenticatorImpl in Yanel so that you can "login" the user by just providing the username.</pre>
<pre>My points regarding the AutoLoginService:</pre>
<pre>- Define NEW COOKIE (e.g. YANEL_AUTOLOGIN, it contains userID and a TOKEN)
- Verify that the user is really not logged in yet. If logged in --> return.
- The TOKEN must be found VERY QUICKLY, we can not go through 10'000 user profiles and look for the token --> Either store it as a seperate XML (data/autologin/<tokenid>.xml , or we save in a separate index (at Zwischengas we use an internal index for that already, separated from the actual content data)
- In the TOKEN DATA file (retrieved from token XML or Index), we get the userid for this token. It must match the userid provided from the COOKIE.
- If it matches and the token has not yet expired, we do the login for this user WITHOUT password.</pre>
<pre>I currently wonder whether we really have to renew the TOKEN in the Autologin-Cookie, we could also keep it (like the Yanel-Cookie). What do you think?</pre>
<pre>Cheers
Balz</pre>
</span><br>
<div class="gmail_quote">On Tue,
May 17, 2011 at 7:31 AM, <span dir="ltr"><<a href="mailto:baszero@gmail.com" target="_blank">baszero@gmail.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204, 204, 204);padding-left:1ex">
<div bgcolor="#FFFFFF">
<div>hi michael </div>
<div><br>
</div>
<div>i would rather store it
in the user profile xml
and not in the meta
property. </div>
<div><br>
</div>
<div>cheers<br>
<br>
<div><br>
</div>
_____________________
<div> CTO / <span>Zwischengas
AG</span></div>
<div><a href="http://www.zwischengas.com" target="_blank">www.zwischengas.com</a></div>
<div><br>
</div>
<div>Sent via iPhone</div>
</div>
<div>
<div>
<div><br>
On 16.05.2011, at
23:04, Michael Wechner
<<a href="mailto:michael.wechner@wyona.com" target="_blank">michael.wechner@wyona.com</a>>
wrote:<br>
<br>
</div>
<blockquote type="cite">
<div> Hi Balz<br>
<br>
On 5/16/11 5:06 PM,
basZero wrote:
<blockquote type="cite">Hi
Michael,
<div><br>
</div>
<div>as just
discussed, what
I meant by
"auto-login" is
not just
pre-filling the
username field
in the login
form.</div>
</blockquote>
<br>
sorry, right, I
misunderstood<br>
<blockquote type="cite">
<div>By
"auto-login", I
mean the
following:</div>
<div><br>
</div>
<div>- the user
accesses ANY
page within my
realm</div>
<div>- at every
request it is
verified whether
the user is
logged in
(means:
getIdentity() !=
null ?)</div>
<div>- if there is
no identity
available, the
request is
checked for the
autologin cookie</div>
<div>- if there is
no autologin
cookie, proceed
as usual (= user
remains
anonymous)</div>
<div>- if there IS
an autologin
cookie, the user
gets
authenticated
automatically
(without seeing
any form or the
need of pressing
a submit button)
and the user is
logged in.</div>
</blockquote>
<br>
sounds good also
from a
peformance/scalability
point of view,
except it's unclear
to me where<br>
we should save the
tokens persistently
and how to clean
them if they have
expired.<br>
<br>
I guess we could
save them together
with the user
profile, e.g.<br>
<br>
getRealm().getIdentityManager().getUserManager().getUser("baszero").setProperty("autologin-token",
TOKEN-ID);<br>
<br>
WDYT?<br>
<br>
Thanks<br>
<br>
Michael<br>
<br>
<blockquote type="cite">
<div><br>
</div>
<div><b>Implementation:</b></div>
<div>The standard
way of how this
usually gets
implemented is
as follows:</div>
<div>- The cookie
contains USERID,
TOKEN</div>
<div>- After every
successful
authentication,
a new TOKEN gets
created and
stored in the
COOKIE (for the
next time). The
realm also
stores the new
token for this
user (so that it
can be verified
the next time).</div>
<div>- How to do
the
authentication:
the token from
the cookie must
match the last
stored token for
this user. if it
matches, the
user gets logged
in without the
need of the
password.</div>
<div><br>
</div>
<div>A normal side
effect of this
implementation
is: </div>
<div>- if the user
uses a web
browser and for
instance an
iPad, every time
he switches the
device, the
token obviously
does not match
anymore and he
has to login by
the usual login
form where he
enters username
and password
(and where he
can checkbox the
autologin
feature again).</div>
<div><br>
</div>
<div><b>Next steps
for Yanel:</b></div>
<div>It would be
great if this
functionality
could be plugged
into the request
pipeline of
Yanel.</div>
<div>An
alternative is
to write a
Request Pipeline
Filter for
TOMCAT so that
the request goes
through that
servlet each
time.</div>
<div><br>
</div>
<div>What do you
propose?</div>
<div><br>
</div>
<div>Cheers</div>
<div>Balz</div>
<div><br>
</div>
<div><br>
<div class="gmail_quote">On
Mon, May 16,
2011 at 4:48
PM, Michael
Wechner <span dir="ltr"><<a href="mailto:michael.wechner@wyona.com" target="_blank">michael.wechner@wyona.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204, 204, 204);padding-left:1ex">Hi Balz
<div><br>
<br>
On 5/16/11
4:09 PM,
basZero wrote:<br>
<blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204, 204, 204);padding-left:1ex"> Hi
Michael,<br>
<br>
you once
mentioned that
Yanel comes
out of the box
with an auto
login feature?<br>
Can you point
me to the
source code? I
didn't find
it.<br>
</blockquote>
<br>
</div>
Have a look at<br>
<br>
src/webapp/src/java/org/wyona/yanel/servlet/security/impl/DefaultWebAuthenticatorImpl.java<br>
<br>
and search for<br>
<br>
remember-my-login-name<br>
<br>
(also see
rememberLoginNameCookie.setMaxAge(86400);
// 1 day is
86400 seconds)<br>
<br>
(also see
src/webapp/xslt/login-screen.xsl)<br>
<br>
HTH<br>
<br>
Michael
<div>
<div><br>
<blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204, 204, 204);padding-left:1ex"> <br>
I just want to
see how it is
done.<br>
<br>
Cheers<br>
Balz<br>
</blockquote>
<br>
</div>
</div>
<font color="#888888">
-- <br>
Yanel-development
mailing list <a href="mailto:Yanel-development@wyona.com" target="_blank">Yanel-development@wyona.com</a><br>
<a href="http://lists.wyona.org/cgi-bin/mailman/listinfo/yanel-development" target="_blank">http://lists.wyona.org/cgi-bin/mailman/listinfo/yanel-development</a><br>
</font></blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</div>
</blockquote>
<blockquote type="cite">
<div><span>-- </span><br>
<span>Yanel-development
mailing list <a href="mailto:Yanel-development@wyona.com" target="_blank">Yanel-development@wyona.com</a></span><br>
<span><a href="http://lists.wyona.org/cgi-bin/mailman/listinfo/yanel-development" target="_blank">http://lists.wyona.org/cgi-bin/mailman/listinfo/yanel-development</a></span></div>
</blockquote>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</blockquote>
<br>
</div>
</div>
</div>
<br>
--<br>
Yanel-development mailing list <a href="mailto:Yanel-development@wyona.com" target="_blank">Yanel-development@wyona.com</a><br>
<a href="http://lists.wyona.org/cgi-bin/mailman/listinfo/yanel-development" target="_blank">http://lists.wyona.org/cgi-bin/mailman/listinfo/yanel-development</a><br>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</div>
</div>
</div>
<br>
--<br>
Yanel-development mailing list <a href="mailto:Yanel-development@wyona.com" target="_blank">Yanel-development@wyona.com</a><br>
<a href="http://lists.wyona.org/cgi-bin/mailman/listinfo/yanel-development" target="_blank">http://lists.wyona.org/cgi-bin/mailman/listinfo/yanel-development</a><br>
</blockquote>
</div>
<br>
</div>
</div></div></blockquote>
<br>
</div>
<br>--<br>
Yanel-development mailing list <a href="mailto:Yanel-development@wyona.com">Yanel-development@wyona.com</a><br>
<a href="http://lists.wyona.org/cgi-bin/mailman/listinfo/yanel-development" target="_blank">http://lists.wyona.org/cgi-bin/mailman/listinfo/yanel-development</a><br></blockquote></div><br></div>