On 28 Jan 2010, at 10:18, Alexander Klimetschek wrote:

> On Thu, Jan 28, 2010 at 11:02, Vidar Ramdal <[email protected]> wrote:
>> Two questions immediately come to mind when considering user sessions:
>> 1. Is it really RESTful?
> 
> Unfortunately experience has shown that you don't get proper, flexible
> and modern authentication mechanisms to work together with a "full
> restful" authentication. The latter is only achieved by HTTP basic
> auth in practice, but this has a few drawbacks:
> - needs encrypted transport, e.g. SSL, as credentials are sent with every
> request
> - umlauts not properly supported across all browsers (big no go if
> people have secure passwords with umlauts and other special
> characters)
> 
> Kerberos, OpenID, etc., which are secure and/or flexible,
> state-of-the-art on the web, require a session to be kept with the
> request.
> 
> Note that the session should be as small as possible, e.g. basically
> only some ID, to reduce the problems associated with them.
> 
>> 2. How do we handle sessions in clustered environment?
> 
> Sticky sessions are probably the best answer, which is handled by the
> proxy/dispatcher. A cluster might not be fast enough (replication done
> in XX ms, since requests for css or image resources are typically sent
> very quickly after the original page) and HTTP session clustering in
> app servers does not scale.

I have been using a cluster cookie service. The login cookie is a SHA1 of a
secret, some info about the user, and on the end is a cluster ID of the
originating server.

When the cookie enters an app server node, it looks at the cookie, extracts the
cluster ID, and calls home to validate the cookie. Once validated it's cached on
that server. At the moment the "call home" is using an ehcache replicated
cache, but the intention is to move that to using an existing HTTP service
for app server to app server cookie validation.

BTW,
I also recently added a TrustedCredentials super class and AnonCredentials and
AdministrativeCredentials to Sling to allow Sling to perform logins without the
password. The latter 2 are final and not exposed outside the server bundle, but
the former could be used for this purpose in some way, and all the LoginModule
infrastructure is already there (you have to provide CallbackHandlers to
decouple Jackrabbit's binding to SimpleCredentials in the core JR code).

Ian

> 
> Regards,
> Alex
> 
> -- 
> Alexander Klimetschek
> [email protected]
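The cluster cookie scheme Ian describes above, as an added example that is not part of this thread or of Sling's own code: each node signs the cookies it issues and appends its cluster ID; a node receiving a cookie it did not issue extracts that ID, "calls home" to the originating node to validate, and caches the verdict. The example assumes a constructed per-node secret table and an in-process cluster registry standing in for the replicated cache or HTTP call, and it uses HMAC-SHA1 over the user info rather than a bare SHA1 of secret plus info (a hardening assumption, not Ian's exact construction).

```python
from __future__ import annotations

import hashlib
import hmac

# Constructed per-node secrets (assumption for the example, not Sling configuration).
# Each node keeps its own secret; validating another node's cookie means asking it.
CLUSTER_SECRETS = {"node-a": b"secret-for-node-a", "node-b": b"secret-for-node-b"}
SEP = "|"


def _mac(node_id: str, user_info: str) -> str:
    # Keyed HMAC-SHA1 instead of SHA1(secret + info): no length-extension,
    # and nothing without the node secret can produce a matching digest.
    return hmac.new(CLUSTER_SECRETS[node_id], user_info.encode(), hashlib.sha1).hexdigest()


def issue_cookie(node_id: str, user_info: str) -> str:
    # Cookie layout: <user info>|<digest>|<originating cluster ID>
    return SEP.join([user_info, _mac(node_id, user_info), node_id])


class AppNode:
    """One app-server node: validates its own cookies, caches verdicts for others'."""

    def __init__(self, node_id: str):
        self.node_id = node_id
        self.cache: dict[str, str] = {}  # cookie -> user info, once validated

    def validate_own(self, cookie: str) -> str | None:
        # Only the originating node holds the secret, so only it can recompute the digest.
        parts = cookie.rsplit(SEP, 2)
        if len(parts) != 3 or parts[2] != self.node_id:
            return None
        user_info, digest, node_id = parts
        return user_info if hmac.compare_digest(digest, _mac(node_id, user_info)) else None

    def validate(self, cookie: str, cluster: dict[str, AppNode]) -> str | None:
        if cookie in self.cache:
            return self.cache[cookie]
        node_id = cookie.rsplit(SEP, 1)[-1]  # the cluster ID sits at the end
        origin = cluster.get(node_id)
        if origin is None:
            return None  # unknown node ID: reject rather than trust the cookie
        user_info = origin.validate_own(cookie)  # the "call home"
        if user_info is not None:
            self.cache[cookie] = user_info
        return user_info
```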
