[EMAIL PROTECTED] wrote:
> ------- Additional Comments From [EMAIL PROTECTED] 2002-01-04 09:03 -------
> Here is what I plan to do:
>
> Add the following to JR.p
> automatic.logon.enable true/false
Default = false
> automatic.logon.expires [life of auto login]
Default = 1 month
> automatic.logon.domain [of the cookie - needed? or use getServer()]
If not present or equal to "", then use getServer().
Default value = ""
>
> There will be 2 cookies on the user machine, one with the user id in plain text
> and one with a random id, generated each time they log on. This means that the
> cookie can be copied and used from machine to machine - but cannot be generated
> by just knowing the user id.
>
> Amend the login templates to have a "remember me" check box à la Yahoo.
> Amend JLoginUser, if enabled/user selects remember me, store cookies.
> Amend EditAccount to have the "remember me" checkbox - so that a user can turn
> it off from that page
> Amend Logout to remove the cookie.
> Amend SessionValidator to use the cookie to log the user in - if the user
> id/random number on the user PC match the entries in the persistent store.
Are you extending the Turbine user class to store the random number? I think
this is a good place since it will survive a restart and all of the user
information is currently in this class.
>
> Comments?
>
> Looking at the Tomcat single sign on facility, it seems to be a Tomcat specific
> feature - meaning that we would be tying Jetspeed to Tomcat - which I don't
> want to do. It also would probably mean a significant change to map the
> TurbineUser onto the servlet realm/principal entries - perhaps something that
> would be easier with Turbine3. The only advantage is that it allows for a
> single logon to be valid for several webapps on a server - but since Jetspeed
> manages multiple portlets (mini-apps), I don't think it is much of an advantage.
>
Paul Spencer