[ https://issues.apache.org/jira/browse/SLING-1116?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12828659#action_12828659 ]

Eric Norman commented on SLING-1116:
------------------------------------

It looks like the dust has settled so I am going to try to summarize the 
suggestions below.  Please correct me if I missed anything:

1. HttpServletRequest.getRemoteAddress() is not reliable, so it should not be 
included in the hash

2. Include cookie expiration time in the cookie and hash

3. Include a securetoken in the hash.  The CookieAuthenticationHandler must 
maintain the mapping from securetokennumber to securetoken to be able to 
recompute the hash on each request for comparison.

4. Since the expirytime is included in the cookie, each request that 
successfully authenticates should update the cookie value to push the expiretime 
further out (currentTime + sessionTimeoutDuration).

5. Use SimpleCredentials with custom attributes instead of a new Credentials 
class to avoid having to patch the jackrabbit-server bundle

6. Use HMAC to hash the secure part of the cookie value.

Ian's cookie value pattern looks ok to me, so if nobody objects, the cookie 
value calculation could look something like this

    CookieValue = HmacSHA1(expirytime : securetoken : 
userId)@securetokennumber,expiryt...@userid


I can take a shot at implementing the above suggestions later today if somebody 
else doesn't beat me to it.

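The cookie scheme summarized in the comment above (suggestions 2, 3, 4 and 6), written out as an added example that is not part of this issue or of the Sling code base. It assumes the securetoken is the HMAC key and the MAC covers "expirytime:userId"; the CookieAuthenticator class, its token-number map and the injectable clock are constructed for the example.

```python
import hmac
import hashlib
import secrets
import time


class CookieAuthenticator:
    """Cookie value: HmacSHA1(expiry:userId, key=securetoken)@securetokennumber,expiry@userId"""

    def __init__(self, session_timeout_secs, clock=time.time):
        self._tokens = {}               # securetokennumber -> securetoken (bytes)
        self._current = 0               # number of the token used for new cookies
        self._timeout = session_timeout_secs
        self._clock = clock             # injectable for testing
        self.rotate_token()

    def rotate_token(self):
        """Mint a fresh securetoken; older numbers stay verifiable until retired."""
        self._current += 1
        self._tokens[self._current] = secrets.token_bytes(32)
        return self._current

    def retire_token(self, number):
        """Drop a securetoken: every cookie minted under it stops verifying."""
        self._tokens.pop(number, None)

    @staticmethod
    def _mac(token, expiry, user_id):
        msg = f"{expiry}:{user_id}".encode("utf-8")
        return hmac.new(token, msg, hashlib.sha1).hexdigest()

    def issue(self, user_id):
        """Build a cookie value that expires currentTime + sessionTimeoutDuration."""
        expiry = int(self._clock()) + self._timeout
        mac = self._mac(self._tokens[self._current], expiry, user_id)
        return f"{mac}@{self._current},{expiry}@{user_id}"

    def authenticate(self, cookie):
        """Return (user_id, refreshed_cookie) on success, None otherwise."""
        try:
            mac, rest = cookie.split("@", 1)
            num_exp, user_id = rest.split("@", 1)   # userId may itself contain '@'
            number, expiry = (int(p) for p in num_exp.split(",", 1))
        except ValueError:
            return None
        token = self._tokens.get(number)            # unknown tokennumber -> reject
        if token is None or expiry <= int(self._clock()):
            return None
        if not hmac.compare_digest(mac, self._mac(token, expiry, user_id)):
            return None                             # tampered expiry/userId -> reject
        return user_id, self.issue(user_id)         # suggestion 4: push expiry out
```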

> FORM Based Authentication
> -------------------------
>
>                 Key: SLING-1116
>                 URL: https://issues.apache.org/jira/browse/SLING-1116
>             Project: Sling
>          Issue Type: New Feature
>          Components: Extensions
>            Reporter: Eric Norman
>            Assignee: Felix Meschberger
>         Attachments: org.apache.sling.cookieauth.zip, 
> org.apache.sling.sessionauth.zip, SLING_1116_jackrabbit_server_patch.txt, 
> updated_org.apache.sling.cookieauth.zip
>
>
> This is a new bundle that provides an implementation of forms based 
> authentication for sling.
> The login/logout servlets from the org.apache.sling.commons.auth are used.
> The AuthenticationHandler will use http basic auth credentials if they are on 
> the request, otherwise it will use the user/pwd posted from the login form.
> The login form html is generated by a set of scripts
> 1. login.html.esp     - full login page (includes login_body.html.esp for the 
> form markup)
> 2. login_body.html.esp   - just the login form, which may be useful for 
> drawing the login form for an ajax context
> 3. loginError.html.esp   - full login-error page
> 4. loginError_body.html.esp  - just the login-error form, for login error in 
> ajax context
> The above scripts are included as bundle-resources @ 
> /libs/sling/servlet/default
> The bundle also has a couple of test scripts to show some examples of usage:
> 1. loginTest.html.esp  - shows who is logged in and links to login or logout
> 2. loginTest2.html.esp - shows how a script can check permissions and show a 
> login page if the anonymous user doesn't have permission to see the page,
> Some examples of usage are:
> 1. http://host:port/path/to/node.login.html   - show the login page and then 
> goto http://host:port/path/to/node after  authenticated
> 2. http://host:port/path/to/node.login.html?s=.edit.html   - show the login 
> page and then goto http://host:port/path/to/node.edit.html after  
> authenticated
> 3. http://host:port/system/sling/logout  - invalidate the session and switch 
> back to anonymous user
