[jira] Commented: (WICKET-2591) Allow subclasses of AuthenticatedWebSession to set signedIn field

2009-12-23 Thread Marat Radchenko (JIRA)

[ 
https://issues.apache.org/jira/browse/WICKET-2591?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=12793982#action_12793982
 ] 

Marat Radchenko commented on WICKET-2591:
-

Err... public?! I thought protected access would be enough (and if it isn't for 
someone, he can always add a public method to his WebSession and call signIn from 
it).

 Allow subclasses of AuthenticatedWebSession to set signedIn field
 ---

 Key: WICKET-2591
 URL: https://issues.apache.org/jira/browse/WICKET-2591
 Project: Wicket
  Issue Type: Improvement
  Components: wicket-auth-roles
Affects Versions: 1.4.3
Reporter: Marat Radchenko
Assignee: Juergen Donnerstag
 Fix For: 1.4.6, 1.5-M1


 My app implements a remember-me service by setting a cookie in the authenticate 
 method of a custom session that subclasses AuthenticatedWebSession.
 In order to automatically log in the user if the cookie is present, I need to set 
 the signedIn field to true when the session is created; however, it isn't possible 
 since signedIn is private and no way to set it is available.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.



[jira] Commented: (WICKET-2591) Allow subclasses of AuthenticatedWebSession to set signedIn field

2009-12-22 Thread Juergen Donnerstag (JIRA)

[ 
https://issues.apache.org/jira/browse/WICKET-2591?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=12793668#action_12793668
 ] 

Juergen Donnerstag commented on WICKET-2591:


signin is internal and no application should be able to set it without 
authentication. Again, what is in your Cookie? How do you identify the user 
based on the Cookie? 




[jira] Commented: (WICKET-2591) Allow subclasses of AuthenticatedWebSession to set signedIn field

2009-12-22 Thread Marat Radchenko (JIRA)

[ 
https://issues.apache.org/jira/browse/WICKET-2591?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=12793961#action_12793961
 ] 

Marat Radchenko commented on WICKET-2591:
-

The cookie stores a pair of user login + randomly generated number.

Upon successful authentication, I generate a random number, store it in the db 
(associated with the user) and set it into the cookie. The cookie maxAge is much bigger 
than the http session age.

After that, on subsequent session creations, I check for the cookie, and if it is 
present (and matches the data that I stored in the db), I automatically mark the session as 
logged in without asking for login/password.

Hey, even this jira has remember me feature.

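
The remember-me scheme described in the message above (login plus a random number, stored server-side and checked when a new session is created), as an added example that is not from the thread or from Wicket. `RememberMeTokens` and its method names are hypothetical, an in-memory map stands in for the database, and storing only a SHA-256 hash of the number and comparing in constant time are choices made for this example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/** Hypothetical helper, not Wicket code: remember-me cookie = login + random value. */
public class RememberMeTokens {
    private static final SecureRandom RNG = new SecureRandom();
    // Stand-in for the database table: login -> SHA-256 of the current token.
    private final Map<String, byte[]> tokenHashByLogin = new ConcurrentHashMap<>();

    /** Call after a successful password login; the result is the cookie value. */
    public String issue(String login) {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        tokenHashByLogin.put(login, sha256(token)); // only the hash is kept server-side
        return login + ":" + token;
    }

    /** Returns the login if the cookie matches the stored token, else null. */
    public String verify(String cookieValue) {
        // The token is base64url and never contains ':', so split on the last one.
        int sep = cookieValue == null ? -1 : cookieValue.lastIndexOf(':');
        if (sep <= 0) return null;
        String login = cookieValue.substring(0, sep);
        byte[] expected = tokenHashByLogin.get(login);
        byte[] presented = sha256(cookieValue.substring(sep + 1));
        if (expected == null || !MessageDigest.isEqual(expected, presented)) return null;
        return login;
    }

    private static byte[] sha256(String s) {
        try {
            return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e); // SHA-256 is required on every JVM
        }
    }

    public static void main(String[] args) {
        RememberMeTokens store = new RememberMeTokens();
        String cookie = store.issue("alice"); // constructed sample login
        System.out.println(store.verify(cookie) + " / " + store.verify("alice:guessed"));
    }
}
```

A non-null result from `verify` is the only condition under which a session subclass would treat the cookie as a successful authentication.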



[jira] Commented: (WICKET-2591) Allow subclasses of AuthenticatedWebSession to set signedIn field

2009-12-17 Thread Marat Radchenko (JIRA)

[ 
https://issues.apache.org/jira/browse/WICKET-2591?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=12791994#action_12791994
 ] 

Marat Radchenko commented on WICKET-2591:
-

So you expect me to use some magic values for login/password string in order to 
identify that other one is actually _not_ a login/password, but cookie value? 
That's a hack.

I don't see what's the problem with giving protected access to signedIn. After 
all, AuthenticatedWebSession subclass already can set it (by calling signIn on 
itself and returning proper value from authenticate).




[jira] Commented: (WICKET-2591) Allow subclasses of AuthenticatedWebSession to set signedIn field

2009-12-14 Thread Marat Radchenko (JIRA)

[ 
https://issues.apache.org/jira/browse/WICKET-2591?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=12790037#action_12790037
 ] 

Marat Radchenko commented on WICKET-2591:
-

Yeah, but with remember me cookie, there isn't any login/password. There's 
just auth cookie token, so using authenticate(login, password) is inappropriate.




[jira] Commented: (WICKET-2591) Allow subclasses of AuthenticatedWebSession to set signedIn field

2009-12-14 Thread Juergen Donnerstag (JIRA)

[ 
https://issues.apache.org/jira/browse/WICKET-2591?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=12790085#action_12790085
 ] 

Juergen Donnerstag commented on WICKET-2591:


What is it that you put into your Cookie(s)? Something that allows you to 
identify the user. The only issue is the password. You might or might not mangle it 
into the Cookie. Let's assume the password is not available, then you need to 
pass something as password that lets your authenticate() method recognize it's 
the cookie and not the password. That's not pretty but possible. 

I still don't want to make signin accessible. Any suggestion on how the 
signature of a 2nd authenticate() should look?




[jira] Commented: (WICKET-2591) Allow subclasses of AuthenticatedWebSession to set signedIn field

2009-12-12 Thread Juergen Donnerstag (JIRA)

[ 
https://issues.apache.org/jira/browse/WICKET-2591?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=12789725#action_12789725
 ] 

Juergen Donnerstag commented on WICKET-2591:


That is on purpose. Without authentication no user should be signed in. 
Subclass authenticate, use your cookie values to validate, and return true if 
successful.
