- remember me feature -

Login process in the portal.

Introduction

In order to have the portal play nicely with J2EE security, it is not possible
to use the JBossSX API or the JAAS API directly. The reasons are various:

- it would be specific to JBoss
- it does not respect the portlet specification
- only form login could be used; no client certificate authentication
would work
- it does not take advantage of JBoss SSO or Tomcat SSO

Therefore the login must be processed by the servlet container.

Architecture and login protocol

Login in JBoss Portal follows a well-defined protocol which uses
the following elements:

- org.jboss.portal.core.security.Status object: defines the status of
a user. It is stored in the HTTP session and has the following
attributes: username, password and a boolean signedIn. When the
user is not logged in, the HTTP session does not contain this object.
When a user performs a login, it contains the username and password
and the boolean signedIn is false. The signedIn value
becomes true only if the user authenticates successfully.

- LoginServlet: this servlet initiates the login protocol. It takes
a mandatory user name and password as arguments and
an optional redirect URL argument.

- AuthenticationServlet: this servlet is a protected resource of the
portal web application, which means that it can be reached only by
fully authenticated users. The role of this servlet is to
terminate the login protocol.

- FormLoginServlet: this servlet is used by the servlet
container, which calls it whenever the user tries to reach
the AuthenticationServlet and is not authenticated.

The protocol is as follows:

1. a request is made with the URL /login?username=foo&password=bar

2. the LoginServlet processes the request:

2.a it creates a Status object with the username, the password and a
signedIn value of false, and puts it in the HTTP session

2.b it redirects to the AuthenticationServlet with the URL:
/authentication?username=foo&password=bar

3. the user's browser receives the redirection and follows it

4. the servlet container receives the request and sees that the user is
not authenticated, so it forwards the call internally to the FormLoginServlet

5. the FormLoginServlet processes the request: it simply redirects to
the URL /j_security_check?j_username=foo&j_password=bar, which
has a special meaning for the servlet container in the
authentication process.

6. the servlet container processes the j_security_check URL:

6.a it delegates the authentication to JBossSX, which in turn delegates
to the JAAS LoginModule stack

6.b assuming the authentication is successful, the servlet
container delegates the request to the AuthenticationServlet

6.c the AuthenticationServlet processes the request: it sets the
boolean signedIn to true on the Status object stored in the
HTTP session and optionally redirects to the redirect URL

Improvements:

We want to add the remember me feature to that protocol.
The remember me feature allows a user to skip the login
a second time when they have successfully authenticated once in
the past. This feature uses cookies to store a ticket that proves
the user's identity. The integration of that feature must not bypass
the authentication protocol. When a user arrives on the site with any
URL, it must execute the login protocol transparently.

The concepts used are:

The ticket:
This object is an authorization ticket. It has the following attributes:
- expiration date
- a unique hash value
- username
- password

The ticket store:
Simply stores tickets. It is possible to create tickets and check
ticket validity. It also manages the garbage collection of old tickets.

RememberMeServletFilter:
This servlet filter is positioned on any URL that has the remember
me property. It is responsible for managing the ticket store
cookies. When a user comes in with a ticket cookie, it uses
the ticket store to check the cookie's validity and, if it is valid, it uses
the username and password to initiate the login protocol with
a redirect URL set to the actual incoming URL.

StoreTicketFilter:
This servlet filter is put in front of the AuthenticationServlet, which means
that it will always be executed once
the user has been fully authenticated by the servlet container.
The role of this filter is to create a ticket in the store for the current user.
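As an added example (not code from the JBoss Portal project), here is a self-contained Java sketch of the ticket and ticket store described above, seen from both the StoreTicketFilter side (create a ticket) and the RememberMeServletFilter side (check the cookie, fall back to the login protocol when it is not valid). It assumes that the cookie carries only the ticket's random hash value while the username and password stay in the server-side store, and the seven-day lifetime and method names are assumptions as well.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

public final class TicketStore {
    // Ticket attributes as listed in the post: expiration date, unique hash value, username, password.
    public static final class Ticket {
        final long expiration;           // epoch millis after which the ticket is no longer valid
        final String hash;               // random, unguessable value; the only thing put in the cookie
        final String username, password; // kept server-side, never sent back to the browser
        Ticket(long expiration, String hash, String username, String password) {
            this.expiration = expiration; this.hash = hash; this.username = username; this.password = password;
        }
    }
    private final Map<String, Ticket> tickets = new ConcurrentHashMap<>();
    private final SecureRandom random = new SecureRandom();
    private final long ttlMillis; // ticket lifetime; the seven days used in main() is an assumption
    public TicketStore(long ttlMillis) { this.ttlMillis = ttlMillis; }

    // StoreTicketFilter side: returns the hash value the filter writes into the remember-me cookie.
    public String createTicket(String username, String password, long now) {
        byte[] raw = new byte[32];
        random.nextBytes(raw); // 256 random bits: infeasible to guess or enumerate
        String hash = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        tickets.put(hash, new Ticket(now + ttlMillis, hash, username, password));
        return hash;
    }

    // RememberMeServletFilter side: null means "no valid ticket", so the filter falls through
    // to the normal login protocol instead of trusting the cookie.
    public Ticket check(String cookieValue, long now) {
        Ticket t = cookieValue == null ? null : tickets.get(cookieValue); // unknown or forged -> null
        return (t == null || t.expiration <= now) ? null : t;
    }

    // Garbage collection of old tickets; returns how many were removed.
    public int purgeExpired(long now) {
        int before = tickets.size();
        tickets.values().removeIf(t -> t.expiration <= now);
        return before - tickets.size();
    }

    public static void main(String[] args) {
        long day = 24L * 3600 * 1000, now = System.currentTimeMillis();
        TicketStore store = new TicketStore(7 * day);
        String cookie = store.createTicket("foo", "bar", now);
        System.out.println("live ticket accepted: " + (store.check(cookie, now + day) != null));
        System.out.println("forged value rejected: " + (store.check("forged", now) == null));
        System.out.println("expired ticket rejected: " + (store.check(cookie, now + 8 * day) == null));
        System.out.println("tickets purged: " + store.purgeExpired(now + 8 * day));
    }
}
```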

This approach is non-intrusive and does not need modifications to the
login protocol explained before. It is also simple to remove for
people who don't want or need that feature on their portal infrastructure.

View the original post:
http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3862921#3862921

Reply to the post:
http://www.jboss.org/index.html?module=bb&op=posting&mode=reply&p=3862921

_______________________________________________
JBoss-Development mailing list
JBoss-Development@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/jboss-development