Re: [basedb-devel] Prompting for credentials
Nicklas Nordborg wrote:
>> From previous messages, it seems that the session id is tied to the
>> client that creates the session (via IP). So it would be linked to the
>> server running the web service in our case. This is problematic, because
>> the final link to the BASE experiment will be used by a remote user,
>> which will be served by a session ID having the wrong IP.
>
> No this is not the case. If your application is creating the
> SessionControl it can give it any session id that you want or let BASE
> generate an ID, and it can choose which IP to link it with. See the API
> javadoc at this long URL:
> http://base.thep.lu.se/chrome/site/latest/api/net/sf/basedb/core/Application.html#newSessionControl(java.lang.String,%20java.lang.String,%20java.lang.String)
>

WOW! That sounds like what we were looking for, thank you very much!

Marco.

___
basedb-devel mailing list
basedb-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/basedb-devel
Re: [basedb-devel] Prompting for credentials
On 2009-12-17 15:27, Zak Mc Kracken wrote:
> Thank you Nicklas, that's clearer now.
>
> Just more few notes.
>
> Nicklas Nordborg wrote:
>>
>> 1. Your web service application does this on its own and keeps track of
>> used/active ones so that duplicates are not generated. When the user
>> clicks a link he/she is asked to login to BASE.
>>
>
> This seems to be the simpler option. A bit less practical, but could be
> an alternative.
>
>> 2. Your web service application uses BASE to create a new SessionControl
>> and login using the "guest" account. Use the id from the session control
>> in the link and the user doesn't have to login when it is clicked. Note
>> that your web service application needs to set the proper remote id on
>> the session control, otherwise the "Invalid remote id" message will popup.
>>
>
> From previous messages, it seems that the session id is tied to the
> client that creates the session (via IP). So it would be linked to the
> server running the web service in our case. This is problematic, because
> the final link to the BASE experiment will be used by a remote user,
> which will be served by a session ID having the wrong IP.

No this is not the case. If your application is creating the
SessionControl it can give it any session id that you want or let BASE
generate an ID, and it can choose which IP to link it with. See the API
javadoc at this long URL:
http://base.thep.lu.se/chrome/site/latest/api/net/sf/basedb/core/Application.html#newSessionControl(java.lang.String,%20java.lang.String,%20java.lang.String)

> Is there a way to sort this out? Any plan to change the BASE code on
> this point? For instance, if one could pass login/password/IP to the
> authentication web service, or even disable this session/IP feature.

No, this is not going to change. It is very important to not mess with
this since it will make lots of things to not work anymore.

/Nicklas
Re: [basedb-devel] Prompting for credentials
> From previous messages, it seems that the session id is
> tied to the client that creates the session (via IP). So
> it would be linked to the server running the web service
> in our case. This is problematic, because the link to the
> BASE experiment will be used by a remote user, which will
> be served by a session ID having the wrong IP.

True, I had not thought of that. That would indeed make it
problematic to log in users from within DC-THERA.

> Any plan to change the BASE code on this point?

Modifying the authentication logic ourselves is an option.
Nicklas, could you give us a short description of the classes
involved? Just in case.

Regards,

-- O.L.
Re: [basedb-devel] Prompting for credentials
Thank you Nicklas, that's clearer now.

Just more few notes.

Nicklas Nordborg wrote:
>
> 1. Your web service application does this on its own and keeps track of
> used/active ones so that duplicates are not generated. When the user
> clicks a link he/she is asked to login to BASE.
>

This seems to be the simpler option. A bit less practical, but could be
an alternative.

> 2. Your web service application uses BASE to create a new SessionControl
> and login using the "guest" account. Use the id from the session control
> in the link and the user doesn't have to login when it is clicked. Note
> that your web service application needs to set the proper remote id on
> the session control, otherwise the "Invalid remote id" message will popup.
>

From previous messages, it seems that the session id is tied to the
client that creates the session (via IP). So it would be linked to the
server running the web service in our case. This is problematic, because
the final link to the BASE experiment will be used by a remote user,
which will be served by a session ID having the wrong IP.

Is there a way to sort this out? Any plan to change the BASE code on
this point? For instance, if one could pass login/password/IP to the
authentication web service, or even disable this session/IP feature.

Thanks again.

Marco.
Re: [basedb-devel] Prompting for credentials
Zak Mc Kracken wrote:
> Hi Nicklas,
>
> in reply to your message below. I am working with Olivier on the issue.
> To me it seems we're stuck on it, I still cannot understand if/how it's
> possible to do this:
>
> - A search web service we have written is invoked with certain parameters
> - The ws searches inside BASE and returns a list of URLs. Every URL is
> about an experiment that matches the search parameters/criteria
> (actually experiment titles are returned too). Every URL is supposed to
> automatically open an experiment page in the BASE web interface. We also
> would like that the URL makes BASE to automatically login a "guest" user
> (experiments we decide to make publicly visible will be made accessible
> to this user), with just the initial click of the real end user on the URL.
>
> From previous messages in this mailing list, I understand that BASE
> doesn't allow to keep open multiple user sessions from multiple IPs, so
> this could be a problem re. what I've described. Or did I get it wrong?

BASE is a multi-user environment and it is possible to have multiple
users logged on at the same time. The users may be on different ip
addresses or on the same address. In fact, a single person may have
multiple browser windows open, each logged in to a different BASE
account or even to the same account. What matters is that each browser
window has its own unique session id.

The session id is more or less a replacement for session cookies that a
lot of other web sites uses. The first prototype of BASE 2 actually used
a session cookie, but we made a policy decision to not use cookies and
that is why the session id is sent as part of the URL. The added benefit
of this is that a single user may have multiple browser windows open
each with their own session id. But just as session cookies can't be
shared between users neither can the session id be shared.

> An alternative for us could be that the end user has its own BASE
> account, he/she provide us with it and we pass it to the web service (or
> report it in the experiment's URL).
>
> You may already have guessed that the web service will be invoked by
> another web application:
>
> http://ftp.informatik.rwth-aachen.de/Publications/CEUR-WS/Vol-435/poster06.pdf
>
> and that the returned URLs will be put in this application.
>
> Is there a way to do what I described above? It's strange we cannot find
> an answer to that.

No it is not strange because BASE was never intended to be used in that
way. If you want to do something like what you describe you need to
manage the session id's in your web service application. For each new
user that performs a search a new session id is needed. As I see it
there are two possible ways to create new session ids:

1. Your web service application does this on its own and keeps track of
used/active ones so that duplicates are not generated. When the user
clicks a link he/she is asked to login to BASE.

2. Your web service application uses BASE to create a new SessionControl
and login using the "guest" account. Use the id from the session control
in the link and the user doesn't have to login when it is clicked. Note
that your web service application needs to set the proper remote id on
the session control, otherwise the "Invalid remote id" message will popup.

Hope this helps.

/Nicklas
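Added example, not part of the thread and not BASE code: a small Python model of the behaviour described in the message above, where a session id carried in the URL is bound to one remote id, an unknown id leads to a login prompt, and a known id presented from another address is rejected. The class and function names and the sample addresses are assumptions made for illustration; the URL path is the one quoted elsewhere in this thread.

```python
import secrets


class InvalidRemoteId(Exception):
    """A known session id was presented from a different remote id."""


class SessionRegistry:
    """Toy model (hypothetical names) of sessions keyed by an id in the URL."""

    def __init__(self):
        self._sessions = {}  # session id -> (remote id, account)

    def new_session(self, remote_id, account, session_id=None):
        # The caller may supply an id or let the registry generate one.
        # Generated ids come from a CSPRNG so an id in use cannot be guessed.
        if session_id is None:
            session_id = secrets.token_hex(16)
        # Track active ids so that duplicates are never handed out.
        if session_id in self._sessions:
            raise ValueError("session id already in use")
        self._sessions[session_id] = (remote_id, account)
        return session_id

    def check(self, session_id, remote_id):
        # Unknown id: no session yet, so the caller shows the login prompt.
        entry = self._sessions.get(session_id)
        if entry is None:
            return None
        bound_remote, account = entry
        # Known id from another address: refuse instead of sharing the session.
        if bound_remote != remote_id:
            raise InvalidRemoteId(session_id)
        return account


def experiment_link(registry, end_user_ip, item_id):
    # Option 2 from the message: the web service creates one guest session
    # per end user and binds it to the end user's address, not its own.
    sid = registry.new_session(remote_id=end_user_ip, account="guest")
    path = f"/views/experiments/index.jsp?ID={sid}&cmd=ViewItem&item_id={item_id}"
    return sid, path


if __name__ == "__main__":
    reg = SessionRegistry()
    # Constructed sample addresses from the documentation ranges.
    sid, path = experiment_link(reg, "198.51.100.7", 29)
    print(path)
    print(reg.check(sid, "198.51.100.7"))
    try:
        reg.check(sid, "203.0.113.9")
    except InvalidRemoteId:
        print("Invalid remote id")
```
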
Re: [basedb-devel] Prompting for credentials
Hi Nicklas,

in reply to your message below. I am working with Olivier on the issue.
To me it seems we're stuck on it, I still cannot understand if/how it's
possible to do this:

- A search web service we have written is invoked with certain parameters
- The ws searches inside BASE and returns a list of URLs. Every URL is
about an experiment that matches the search parameters/criteria
(actually experiment titles are returned too). Every URL is supposed to
automatically open an experiment page in the BASE web interface. We also
would like that the URL makes BASE to automatically login a "guest" user
(experiments we decide to make publicly visible will be made accessible
to this user), with just the initial click of the real end user on the URL.

From previous messages in this mailing list, I understand that BASE
doesn't allow to keep open multiple user sessions from multiple IPs, so
this could be a problem re. what I've described. Or did I get it wrong?

An alternative for us could be that the end user has its own BASE
account, he/she provide us with it and we pass it to the web service (or
report it in the experiment's URL).

You may already have guessed that the web service will be invoked by
another web application:

http://ftp.informatik.rwth-aachen.de/Publications/CEUR-WS/Vol-435/poster06.pdf

and that the returned URLs will be put in this application.

Is there a way to do what I described above? It's strange we cannot find
an answer to that.

Many thanks in advance for any help.

Marco.

From: Nicklas Nordborg - 2009-12-15 21:45

Olivier Lefevre wrote:
> Out of curiosity, this error message implies that session IDs,
> once allocated, are tied to the remote ID the initial request
> came from. Is it a security feature?

Yes, but a very simple one. The idea is to protect the server from
someone guessing an ID that is in use.

/Nicklas
Re: [basedb-devel] Prompting for credentials
Olivier Lefevre wrote:
> Hi Marco,
>
> Not to step on Nicklas' toes but a couple of observations from
> my point of view:
>
>> From previous messages in this mailing list, I understand
>> that BASE doesn't allow one to keep open multiple user
>> sessions, coming from multiple IPs
>
> AFAIK BASE just doesn't allow the *same* session ID to be used by
> multiple IPs; your wording suggests it can and will serve only
> one user per IP, which would clearly make it useless.
>

Ops, sorry. Clearly I meant multiple sessions from the same user and
from multiple IPs. The scenario I am thinking of is multiple real users
accessing BASE with the same account. But if different sessions can be
generated for different IPs and using the same account, that would be
good for us.

Cheers.

Marco.
Re: [basedb-devel] Prompting for credentials
Hi Marco,

Not to step on Nicklas' toes but a couple of observations from
my point of view:

> From previous messages in this mailing list, I understand
> that BASE doesn't allow one to keep open multiple user
> sessions, coming from multiple IPs

AFAIK BASE just doesn't allow the *same* session ID to be used by
multiple IPs; your wording suggests it can and will serve only
one user per IP, which would clearly make it useless.

As to whether this is a problem or not in practice, remember that
you and I were hitting a BASE instance directly, from separate IPs,
when we ran into this issue, using a bogus ID to boot, hence the
collision. In the actual usage scenario, in which users send requests
to BASE not directly but through DC-THERA, I imagine that from the
BASE server point of view they will appear to originate from the same
DC-THERA server IP, regardless of user IP, hence the issue will be moot.

-- O.L.
Re: [basedb-devel] Prompting for credentials
Hi Nicklas,

in reply to your message below, I am working with Olivier on the issue.
I still haven't clear if/how it's possible to do this:

- A search web service we have written is invoked with certain parameters
- The ws searches inside BASE and returns a list of URLs. Every URL is
about an experiment that matches the search parameters/criteria
(actually experiment titles are returned too). Every URL is supposed to
automatically open an experiment page in the BASE web interface. We also
would like that the URL makes BASE to automatically login a "guest" user
(experiments we decide to make publicly visible will be made accessible
to this user), of course when the URL is clicked.

You may already have guessed that the web service will be invoked by
another web application:

http://ftp.informatik.rwth-aachen.de/Publications/CEUR-WS/Vol-435/poster06.pdf

and that the returned URLs will be put in this application.

From previous messages in this mailing list, I understand that BASE
doesn't allow one to keep open multiple user sessions, coming from
multiple IPs, so this could be a problem re. what I've described. Or did
I get it wrong?

An alternative for us could be that the end user has its own BASE
account, he/she provide us with it and we pass it to the web service (or
report it in the experiment's URL).

Is there a way to do what I described above? It's strange we cannot find
an answer to that.

Many thanks in advance for any help.

Marco.

From: Nicklas Nordborg - 2009-12-15 21:45

Olivier Lefevre wrote:
> Out of curiosity, this error message implies that session IDs,
> once allocated, are tied to the remote ID the initial request
> came from. Is it a security feature?

Yes, but a very simple one. The idea is to protect the server from
someone guessing an ID that is in use.

/Nicklas
Re: [basedb-devel] Prompting for credentials
Olivier Lefevre wrote:
> Out of curiosity, this error message implies that session IDs,
> once allocated, are tied to the remote ID the initial request
> came from. Is it a security feature?

Yes, but a very simple one. The idea is to protect the server from
someone guessing an ID that is in use.

/Nicklas
Re: [basedb-devel] Prompting for credentials
Out of curiosity, this error message implies that session IDs,
once allocated, are tied to the remote ID the initial request
came from. Is it a security feature?

-- O.L.
Re: [basedb-devel] Prompting for credentials
> The stack trace is because trying to use the same session ID
> that is already used by a different user session.

Thanks, that's clear now: this could indeed happen when a bogus
and constant session ID is used for all requests.

-- O.L.
Re: [basedb-devel] Prompting for credentials
Olivier Lefevre wrote:
> Hi Nicklas,
>
>> If you supply a URL like the one above BASE is going to ask
>> you for a login and password.
>
> I assume you mean a screen like the attached. If so that is
> indeed what I get in my own local development instance but the
> production instance (not managed by me) occasionally returns
> a page with a PermissionDeniedException stack trace instead
> (screenshot also attached) and at other times the expected
> login screen, which is a bit confusing. I have never seen the
> stack trace behaviour locally.

The login screen is the prompt I am talking about. The stack trace is
because trying to use the same session ID that is already used by a
different user session.

/Nicklas
Re: [basedb-devel] Prompting for credentials
Olivier Lefevre wrote:
> Is there a way to make BASE2 automatically prompt for
> credentials when a user who is not yet logged in clicks
> on a link pointing to a restricted-access resource? For
> instance the generic URL for an Experiment is
> http://localhost:8080/base2/views/experiments/index.jsp?ID=uid&cmd=ViewItem&item_id=29
> where uid is some hash. It seems one can use ID=0 as a
> "magic" value once the user is logged in but it fails
> the first time.
>
> What is the best way to handle this problem in the
> context of BASE2?

I am not exactly sure what you are looking for... If you supply a URL
like the one above BASE is going to ask you for a login and password.
The value for ID (eg. 'uid' in the example) can be anything. There is
nothing magic with ID=0, but the ID has to be a unique string per user
session, so you can't just put a static link to the page within BASE.

/Nicklas