The loginContext is indeed stored indirectly in the session. But neither wasp nor swarm requires you to:

1. pass in a username and password in a constructor, those are just convenient examples, although you are right and this will be the most likely use case.
2. use plaintext authentication data (e.g. password)
3. hold onto the username and password (or anything else you use for authentication) after the login method is called.

As stated in the apidoc the login method is only called once so you can and probably should clear anything used to authenticate your user. The current documentation and/or example code does not make this very clear, thanks for pointing that out.

Maurice

On 6/8/07, craigdd <[EMAIL PROTECTED]> wrote:
>
> Are you saying then that the instance of LoginContext used to login is held
> onto in the WASPSession, via the security framework?
>
> If so then this brings up a huge security issue, at least the way the API
> sits and the examples showing that a LoginContext takes a username and
> password in its constructor. This means that a password (probably plain text)
> is available in the session which is usually a big no-no when it comes to a
> secure application. I've been through a few security probes from banks on
> various online applications and that is one of the first things they look
> for / ask. "Are you holding onto the password?"
>
> -Craig
>
>
> Mr Mean wrote:
> >
> > There is currently no way to grab the login context, so you could
> > store it yourself (there might be multiple login contexts though). But the
> > good news is you don't have to store it if you don't want to. The
> > logoff performs an equals check and currently every logincontext of
> > the same class and level is equal to another. So if you login using a
> > MySingleLoginContext(username, password) you can logoff with any new
> > instance of that class (logoff(new MySingleLoginContext());)
> >
> > However if you feel you need to have access to the original instance,
> > for instance because you want to know the username, I can always
> > include such a method in the api.
> >
> > Maurice
> >
> > On 6/8/07, craigdd <[EMAIL PROTECTED]> wrote:
> >>
> >> I see that the WASPSession.logout method takes a LoginContext. Is there
> >> somewhere within the SWARM implementation to grab the LoginContext used
> >> to login? Or when logging in is it up to the developer to put the
> >> LoginContext somewhere...say maybe the session itself?
> >>
> >> Thanks
> >> Craig
> >> --
> >> View this message in context:
> >> http://www.nabble.com/WASPSession.logout%28object%29-tf3887102.html#a11018551
> >> Sent from the Wicket - User mailing list archive at Nabble.com.
> >
> --
> View this message in context:
> http://www.nabble.com/WASPSession.logout%28object%29-tf3887102.html#a11033924
> Sent from the Wicket - User mailing list archive at Nabble.com.

_______________________________________________
Wicket-user mailing list
Wicket-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/wicket-user
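The point made in the thread (the framework calls login() exactly once and keeps the context in the session, so the context itself can drop its credentials) as an added example in Java; this is not Swarm's or WASP's own code. The LoginContext base class, Subject and CredentialStore below are hypothetical stand-ins that only mirror what the thread says (equality by class and level, a single login() call); MySingleLoginContext keeps the username but wipes the password inside login(), so the object that stays in the session no longer holds a secret.

```java
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;

/* Hypothetical stand-in for Swarm's LoginContext base class: equality is by class
   and level, as the thread describes, so logoff(new MySingleLoginContext()) matches
   the instance that was used to log in. */
abstract class LoginContext {
    private final int level;
    protected LoginContext(int level) { this.level = level; }
    public abstract Subject login(); // the framework calls this exactly once
    @Override public boolean equals(Object o) {
        return o != null && o.getClass() == getClass() && ((LoginContext) o).level == level;
    }
    @Override public int hashCode() { return 31 * getClass().hashCode() + level; }
}

/** Hypothetical authenticated principal handed back to the framework. */
final class Subject {
    final String username;
    Subject(String username) { this.username = username; }
}

/** Constructed in-memory credential store: username -> {salt, SHA-256(salt || password)}.
    A real store would use a slow password hash (PBKDF2, bcrypt, scrypt); plain SHA-256
    is used only to keep this example self-contained. */
final class CredentialStore {
    private static final Map<String, byte[][]> USERS = new HashMap<>();
    static {
        byte[] salt = "constructed-salt".getBytes(StandardCharsets.UTF_8);
        USERS.put("craig", new byte[][] { salt, hash(salt, "correct horse".toCharArray()) });
    }
    static boolean verify(String username, char[] password) {
        byte[][] rec = USERS.get(username);
        if (rec == null) return false;
        return MessageDigest.isEqual(rec[1], hash(rec[0], password)); // constant-time compare
    }
    static byte[] hash(byte[] salt, char[] password) {
        // Encode without going through String, so no immutable copy of the secret lingers.
        ByteBuffer buf = StandardCharsets.UTF_8.encode(CharBuffer.wrap(password));
        byte[] raw = new byte[buf.remaining()];
        buf.get(raw);
        if (buf.hasArray()) Arrays.fill(buf.array(), (byte) 0);
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            md.update(salt);
            return md.digest(raw);
        } catch (java.security.NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        } finally {
            Arrays.fill(raw, (byte) 0);
        }
    }
}

/** Login context that keeps the username but drops the password as soon as login() has run. */
final class MySingleLoginContext extends LoginContext {
    private final String username;
    private char[] password; // char[] rather than String so it can be overwritten

    /** No-arg form for logoff: equality ignores the fields, as the thread describes. */
    public MySingleLoginContext() { this(null, null); }

    public MySingleLoginContext(String username, char[] password) {
        super(0);
        this.username = username;
        this.password = password == null ? null : password.clone();
    }

    @Override public Subject login() {
        if (password == null) throw new IllegalStateException("no credentials: login() already ran?");
        try {
            if (!CredentialStore.verify(username, password)) throw new SecurityException("bad credentials");
            return new Subject(username);
        } finally {
            Arrays.fill(password, '\0'); // wipe whether or not authentication succeeded
            password = null;             // the session keeps this object, but no secret remains in it
        }
    }

    public String getUsername() { return username; }
    public boolean holdsPassword() { return password != null; }

    public static void main(String[] args) {
        char[] pw = "correct horse".toCharArray();
        MySingleLoginContext ctx = new MySingleLoginContext("craig", pw);
        Subject s = ctx.login();   // the framework would make this single call
        Arrays.fill(pw, '\0');     // the caller wipes its own copy as well
        System.out.println(s.username + " logged in, password retained: " + ctx.holdsPassword());
        System.out.println("logoff matches: " + ctx.equals(new MySingleLoginContext()));
    }
}
```

Running main prints that the password is no longer retained after login and that a fresh no-arg MySingleLoginContext compares equal to the one used to log in, which is what makes the logoff(new MySingleLoginContext()) pattern from the thread work without keeping a reference to the original instance.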