[ http://jira.jboss.com/jira/browse/JBPORTAL-184?page=comments#action_12314819 ]

Julien Viet commented on JBPORTAL-184:
--------------------------------------

Unfortunately it is not possible to set the password as a POST parameter (at least for now) because it uses a redirection of the client. It is in order to interact with the servlet container. People that want more security should use SSL during the login phase. Perhaps I have a solution that could avoid that. I need to think about it.

> Remember me feature
> -------------------
>
>          Key: JBPORTAL-184
>          URL: http://jira.jboss.com/jira/browse/JBPORTAL-184
>      Project: JBoss Portal
>         Type: Feature Request
>   Components: Portal Core
>     Versions: 2.0 Beta
>     Reporter: Julien Viet
>
> Original Estimate: 1 day
>         Remaining: 1 day
>
> - remember me feature -
>
> Login process in the portal.
>
> Introduction
>
> In order to have the portal play nice with J2EE security it is not possible
> to use directly the JBossSX API or the JAAS API. The reasons are various:
> - specific to JBoss
> - does not respect the portlet specification
> - only form login can be used, no client certificate authentication
>   would work
> - does not take advantage of JBoss SSO or Tomcat SSO
> Therefore the login must be processed by the servlet container.
>
> Architecture and login protocol
>
> Login in JBoss Portal follows a well defined protocol which uses
> the following elements:
> - org.jboss.portal.core.security.Status object: defines the status of
>   a user. It is stored in the HTTP session and has the following
>   attributes: username, password and a boolean signedIn. When the
>   user is not logged in, the HTTP session does not contain this object.
>   When a user performs a login it contains its username and password
>   and the boolean signedIn is false. The signedIn value
>   becomes true only if the user authenticates successfully.
> - LoginServlet: this servlet initiates the login protocol. It takes
>   a mandatory user name and password as arguments and
>   an optional redirect URL argument.
> - AuthenticationServlet: this servlet is a protected resource of the
>   portal web application. It means that it can be reached only by
>   fully authenticated users. The role of this servlet is to
>   terminate the login protocol.
> - FormLoginServlet: this servlet is used by the servlet
>   container, which calls it whenever the user tries to reach
>   the AuthenticationServlet and is not authenticated.
>
> The protocol is described now:
> 1. a request is made with the URL /login?username=foo&password=bar
> 2. the LoginServlet processes the request:
>    2.a it creates a Status object with username, password and signedIn
>        value false and puts it in the HTTP session
>    2.b it redirects to the authentication servlet with the URL:
>        /authentication?username=foo&password=bar
> 3. the user browser receives the redirection and processes it
> 4. the servlet container receives the request and sees that the user is
>    not authenticated so it redirects internally the call to the FormLoginServlet
> 5. the FormLoginServlet processes the request, it simply redirects to
>    the URL /j_security_check?j_username=foo&j_password=bar which
>    has a special meaning for the servlet container in the
>    authentication process.
> 6. the servlet container processes the j_security_check URL:
>    6.a it delegates the authentication to JBossSX which delegates in turn
>        to the JAAS LoginModule stack
>    6.b we suppose that the authentication is successful, the servlet
>        container delegates the request to the AuthenticationServlet
>    6.c the AuthenticationServlet processes the request, it sets the
>        boolean signedIn to true on the Status object which is stored in the
>        HTTP session and it optionally redirects to the optional redirect URL
>
> Improvements:
>
> We want to add the remember me feature in that protocol.
> The remember me feature allows a user not to perform a login
> a second time when it has successfully authenticated one time in
> the past. This feature uses cookies to store a ticket that proves
> the user's identity. The integration of that feature must not bypass
> the authentication protocol. When a user arrives on the site with any
> URL, it must execute the login protocol transparently.
>
> The concepts used are:
>
> The ticket:
> This object is an authorization ticket. It has the following attributes:
> - expiration date
> - a unique hash value
> - username
> - password
>
> The ticket store:
> Simply stores tickets. It is possible to create tickets and check
> ticket validity. It also manages old ticket garbage collection.
>
> RememberMeServletFilter:
> This servlet filter is positioned on any URL that owns the remember
> me property. It is responsible for managing the ticket store's
> cookies. When a user comes in with a ticket cookie, it uses
> the ticket store to check the cookie validity and if it is valid, it uses
> the username and password to initiate the login protocol with
> a redirection URL positioned to the actual incoming URL.
>
> StoreTicketFilter:
> This servlet filter is put in front of the AuthenticationServlet, it means
> that it will always be executed once
> the user has been fully authenticated by the servlet container.
> The role of this filter is to create a ticket in the store for the current
> user.
>
> This approach is non intrusive and does not need modification in the
> login protocol explained before. It is also simple to remove for
> people that don't want or need that feature on their portal infrastructure.
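The ticket store and the RememberMeServletFilter decision from the quoted design, as an added stand-alone Python sketch (not JBoss Portal code, which is Java servlets): the cookie carries only a random value, the store keeps its SHA-256 hash together with the expiration date and credentials, expired tickets are garbage-collected, and a valid cookie is turned into the /login redirect that restarts the protocol. The names TicketStore, Ticket and remember_me_redirect, the injectable clock, and the exact /login query parameters (username, password, redirect) are assumptions, not the project's API.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional
from urllib.parse import urlencode

@dataclass
class Ticket:
    hash_value: str    # SHA-256 of the random cookie value; only the hash is kept server-side
    username: str
    password: str      # the design replays these credentials into /login
    expires_at: float  # absolute time in seconds

def _hash(cookie_value: str) -> str:
    return hashlib.sha256(cookie_value.encode()).hexdigest()

class TicketStore:
    def __init__(self, lifetime_seconds: int, clock: Callable[[], float] = time.time):
        self.lifetime = lifetime_seconds
        self.clock = clock  # injectable so expiry can be tested deterministically
        self._tickets: Dict[str, Ticket] = {}

    def create(self, username: str, password: str) -> str:
        """Store a ticket and return the random value to put in the cookie."""
        cookie_value = secrets.token_urlsafe(32)  # 256 bits, unguessable
        h = _hash(cookie_value)
        self._tickets[h] = Ticket(h, username, password, self.clock() + self.lifetime)
        return cookie_value

    def check(self, cookie_value: str) -> Optional[Ticket]:
        """Return the ticket for a cookie value if it exists and has not expired."""
        self.garbage_collect()
        return self._tickets.get(_hash(cookie_value))

    def garbage_collect(self) -> int:
        """Drop expired tickets; returns how many were removed."""
        now = self.clock()
        expired = [h for h, t in self._tickets.items() if t.expires_at <= now]
        for h in expired:
            del self._tickets[h]
        return len(expired)

def remember_me_redirect(store: TicketStore, cookie: Optional[str], url: str) -> Optional[str]:
    """RememberMeServletFilter decision: the /login URL that restarts the protocol with the
    incoming URL as redirect target, or None to let the request pass unauthenticated."""
    ticket = store.check(cookie) if cookie else None
    if ticket is None:
        return None
    return "/login?" + urlencode({"username": ticket.username, "password": ticket.password, "redirect": url})
```

Because only the hash of the cookie value is stored, a copy of the store alone does not yield cookies that the filter would accept.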
_______________________________________________
JBoss-Development mailing list
JBoss-Development@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/jboss-development