[ http://jira.jboss.com/jira/browse/JBPORTAL-184?page=history ]
Julien Viet updated JBPORTAL-184:
---------------------------------
Summary: Remember me feature (was: The remember me feature
allows someone not to have to enter his password when he comes back on the
portal)
Description:
- remember me feature -
Login process in the portal.

Introduction
In order to have the portal play nice with J2EE security it is not possible
to use directly the JBossSX API or the JAAS API. The reasons are various:
- specific to JBoss
- does not respect the portlet specification
- only form login can be used, no client certificate authentication
would work
- does not take advantage of JBoss SSO or Tomcat SSO
Therefore the login must be processed by the servlet container.

Architecture and login protocol
Login in JBoss Portal follows a well defined protocol which uses
the following elements:
- org.jboss.portal.core.security.Status object: defines the status of
a user. It is stored in the HTTP session and has the following
attributes: username, password and a boolean signedIn. When the
user is not logged in, the HTTP session does not contain this object.
When a user performs a login it contains his username and password
and the boolean signedIn is false. The signedIn value
becomes true only if the user authenticates successfully.
- LoginServlet: this servlet initiates the login protocol. It takes
a mandatory user name and password as arguments and
an optional redirect URL argument.
- AuthenticationServlet: this servlet is a protected resource of the
portal web application. It means that it can be reached only by
fully authenticated users. The role of this servlet is to
terminate the login protocol.
- FormLoginServlet: this servlet is used by the servlet
container, which calls it whenever the user tries to reach
the AuthenticationServlet and is not authenticated.
The protocol is described now:
1. a request is made with the URL /login?username=foo&password=bar
2. the LoginServlet processes the request:
2.a it creates a status object with username, password and signedIn
value false and puts it in the HTTP session
2.b it redirects to the authentication servlet with the URL:
/authentication?username=foo&password=bar
3. the user's browser receives the redirection and processes it
4. the servlet container receives the request and sees that the user is
not authenticated, so it redirects the call internally to the FormLoginServlet
5. the FormLoginServlet processes the request; it simply redirects to
the URL /j_security_check?j_username=foo&j_password=bar which
has a special meaning for the servlet container in the
authentication process.
6. the servlet container processes the j_security_check URL:
6.a it delegates the authentication to JBossSX, which delegates in turn
to the JAAS LoginModule stack
6.b we suppose that the authentication is successful; the servlet
container delegates the request to the AuthenticationServlet
6.c the AuthenticationServlet processes the request; it sets the
boolean signedIn to true on the Status object which is stored in the
HTTP session and it optionally redirects to the optional redirect URL

Improvements:
We want to add the remember me feature to that protocol.
The remember me feature authorizes a user not to perform a login
a second time when he has successfully authenticated one time in
the past. This feature uses cookies to store a ticket that proves
the user's identity. The integration of that feature must not bypass
the authentication protocol. When a user arrives on the site with any
URL, it must execute the login protocol transparently.
The concepts used are:
The ticket:
This object is an authorization ticket. It has the following attributes:
- expiration date
- a unique hash value
- username
- password
The ticket store:
Simply stores tickets. It is possible to create tickets and check
ticket validity. It also manages old ticket garbage collection.
RememberMeServletFilter:
This servlet filter is positioned on any URL that has the remember
me property. It is responsible for managing the ticket store's
cookies. When a user comes in with a ticket cookie, it uses
the ticket store to check the cookie validity and, if it is valid, it uses
the username and password to initiate the login protocol with
a redirection URL positioned to the actual incoming URL.
StoreTicketFilter:
This servlet filter is put in front of the AuthenticationServlet, which means
that it will always be executed once
the user has been fully authenticated by the servlet container.
The role of this filter is to create a ticket in the store for the current
user.
This approach is non-intrusive and does not need modifications to the
login protocol explained before. It is also simple to remove for
people who don't want or need that feature on their portal infrastructure.
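The login protocol (steps 1-6) and the remember-me pieces described in the ticket (the ticket store, the StoreTicketFilter that runs in front of the AuthenticationServlet, and the RememberMeServletFilter that turns a valid ticket cookie into a transparent login with the incoming URL as redirect target) modelled as a runnable Python example. This is added illustration, not JBoss Portal code: the class and function names, the cookie name, the ticket lifetime and the user table standing in for the JAAS LoginModule stack are all assumptions of the example. The cookie carries only the ticket's random unique value; username and password live in the server-side store, as the ticket's attribute list describes.

```python
# Added example (not JBoss Portal code): a model of the portal login protocol
# and the remember-me ticket store from the ticket description.
# Names, cookie name, ticket lifetime and the user table are assumed.
import secrets
import time
from dataclasses import dataclass, field
from urllib.parse import urlencode

COOKIE_NAME = "jbp_remember_me"   # assumed cookie name
TICKET_TTL = 14 * 24 * 3600       # assumed ticket lifetime in seconds

# Constructed sample user table standing in for the JAAS LoginModule stack.
USERS = {"foo": "bar", "alice": "s3cret"}


@dataclass
class Status:
    """org.jboss.portal.core.security.Status as described: kept in the HTTP
    session; signed_in becomes True only after the container authenticated."""
    username: str
    password: str
    signed_in: bool = False


@dataclass
class Ticket:
    """Authorization ticket: expiration date, unique value, username, password."""
    username: str
    password: str
    expires_at: float
    value: str = field(default_factory=lambda: secrets.token_urlsafe(32))


class TicketStore:
    """Creates tickets, checks validity and garbage-collects expired ones.
    Only the random ticket value travels in the cookie."""

    def __init__(self, ttl=TICKET_TTL, clock=time.time):
        self._tickets = {}      # ticket value -> Ticket
        self._ttl = ttl
        self._clock = clock     # injectable clock so expiry can be tested

    def create(self, username, password):
        ticket = Ticket(username, password, self._clock() + self._ttl)
        self._tickets[ticket.value] = ticket
        return ticket

    def check(self, value):
        """Return the Ticket if the value is known and unexpired, else None."""
        ticket = self._tickets.get(value)
        if ticket is None:
            return None
        if ticket.expires_at <= self._clock():
            del self._tickets[value]    # expired: drop it on first contact
            return None
        return ticket

    def purge_expired(self):
        """Old-ticket garbage collection; returns how many were removed."""
        now = self._clock()
        stale = [v for v, t in self._tickets.items() if t.expires_at <= now]
        for v in stale:
            del self._tickets[v]
        return len(stale)

    def __len__(self):
        return len(self._tickets)


def login_protocol(store, session, username, password, redirect_url=None):
    """Steps 1-6 of the protocol. Returns the list of URLs/handlers traversed
    and the final Status (None on failure). StoreTicketFilter sits in front of
    AuthenticationServlet, so a ticket is created only after container auth."""
    creds = urlencode({"username": username, "password": password})
    trace = ["/login?" + creds]                                   # step 1
    session["status"] = Status(username, password)                 # step 2.a
    trace.append("/authentication?" + creds)                       # step 2.b
    trace.append("FormLoginServlet")                               # step 4
    trace.append("/j_security_check?" + urlencode(
        {"j_username": username, "j_password": password}))         # step 5
    expected = USERS.get(username)                                 # step 6.a
    if expected is None or not secrets.compare_digest(expected, password):
        session.pop("status")            # failed login: no Status survives
        trace.append("login failed")
        return trace, None
    ticket = store.create(username, password)                      # StoreTicketFilter
    session.setdefault("response_cookies", {})[COOKIE_NAME] = ticket.value
    status = session["status"]
    status.signed_in = True                                        # step 6.c
    trace.append("AuthenticationServlet")
    if redirect_url:
        trace.append(redirect_url)
    return trace, status


def remember_me_filter(store, session, request_cookies, incoming_url):
    """RememberMeServletFilter: on a remember-me URL with a valid ticket cookie
    and no signed-in Status, initiate the login protocol with the incoming
    URL as redirect target. Returns the /login URL used, or None."""
    status = session.get("status")
    if status is not None and status.signed_in:
        return None                      # already logged in, nothing to do
    ticket = store.check(request_cookies.get(COOKIE_NAME, ""))
    if ticket is None:
        return None                      # no or invalid ticket: normal login
    trace, _ = login_protocol(store, session, ticket.username,
                              ticket.password, incoming_url)
    return trace[0]
```

Because the filter only ever feeds the stored credentials back into `login_protocol`, the remember-me path cannot reach a signed-in Status without going through the container's `j_security_check` step, which is the non-bypass property the ticket asks for. The injectable `clock` lets the expiry and `purge_expired` behaviour be exercised without waiting for real time to pass.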
was: A discussion has been initiated on the forum
JBoss Forum Reference: (was:
http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3862921#3862921)
> Remember me feature
> -------------------
>
> Key: JBPORTAL-184
> URL: http://jira.jboss.com/jira/browse/JBPORTAL-184
> Project: JBoss Portal
> Type: Feature Request
> Components: Portal Core
> Versions: 2.0 Beta
> Reporter: Julien Viet
>
> Original Estimate: 1 day
> Remaining: 1 day
>
--
This message is automatically generated by JIRA.
_______________________________________________
JBoss-Development mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/jboss-development