Re: [Wicket-user] WASPSession.logout(object)

2007-06-09 Thread Maurice Marrink
It isn't fixed on username and password because I want people to be
able to use any kind of authentication, e.g. a card reader or retinal
scan. A credentials object could be used in this case, but then I am
introducing yet another class people need to use / extend. But I
already have an idea how to refactor this.

Maurice

On 6/9/07, craigdd [EMAIL PROTECTED] wrote:

 Just out of curiosity why doesn't the login method take a username/password?
 Or if you want it to be more abstracted create some sort of Credentials
 object and update the WASPSession.login to take a LoginContext and
 Credentials object.  Then update the LoginContext login to take the
 Credential.

 -Craig


 Mr Mean wrote:
 
   I just remembered a little snag, this is not going to work because I
   currently use the context to ask if the component, class, model is
   authenticated by this context. So I really need it atm.
  
   Looks like I need to think this through a little better, but first I
   gotta grab some sleep.
 
  Maurice
 
  On 6/9/07, craigdd [EMAIL PROTECTED] wrote:
 
   Sounds like a pretty good idea, I like that much better than having the user
   need to know they need to cleanup data state in their LoginContext.
  
   Another idea might be to have the LoginContext provide a method that returns
   a unique identifier.  That value could be stored internally and the user can
   pass anything they want, I'd assume the default would be to return the
   username which is completely fair to be in the session.
  
   Without looking too closely at the code you could also use this identifier
   during logout.
 
  -Craig
 
 
  Mr Mean wrote:
  
    Just thinking out loud here, but it shouldn't be too difficult to
    change this into holding a hash of the logincontext instead of the
    whole context. Since the equals contract already specifies that equal
    objects should have equal hashes, the equals check can be easily
    performed on the hash; HashMap actually uses the hash before it uses
    equals, so I do not see much problems here. And it is not like you
    are gonna have an army of logincontexts in each session.
   
    I'll see if I can implement this sometime tomorrow.
   
    Thanks again for pointing this out, if you think there are more of
    this kind of problem just let me know.
   
    Maurice
   
    P.S. I guess an api for getting the original logincontext is out of
    the question then :)
  
  
   On 6/8/07, craigdd [EMAIL PROTECTED] wrote:
  
    Are you saying then that the instance of LoginContext used to login is held
    onto in the WASPSession, via the security framework?
   
    If so then this brings up a huge security issue, at least the way the API
    sits and the examples showing that a LoginContext takes a username and
    password in its constructor.  This means that a password (probably plain text)
    is available in the session which is usually a big no no when it comes to a
    secure application.  I've been through a few security probes from banks on
    various online applications, and that is one of the first things they look
    for / ask. Are you holding onto the password?
  
   -Craig
  
  
   Mr Mean wrote:
   
There is currently no way to grab the login context, so you could
store it yourself (there might be multiple logincontexts though). But the
good news is you don't have to store it if you don't want to. The
logoff performs an equals check and currently every logincontext of
the same class and level is equal to another. So if you login using a
MySingleLoginContext(username, password) you can logoff with any new
instance of that class (logoff(new MySingleLoginContext());)
    
However if you feel you need to have access to the original instance,
for instance because you want to know the username, I can always
include such a method in the api.
   
Maurice
   
On 6/8/07, craigdd [EMAIL PROTECTED] wrote:
   
I see that the WASPSession.logout method takes a LoginContext.  Is there
somewhere within the SWARM implementation to grab the LoginContext used to
login?  Or when logging in is it up to the developer to put the LoginContext
somewhere...say maybe the session itself?
   
Thanks
Craig
--
View this message in context:
   
  
  http://www.nabble.com/WASPSession.logout%28object%29-tf3887102.html#a11018551
Sent from the Wicket - User mailing list archive at Nabble.com.
   
   
   
  
  -
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/
___
Wicket-user mailing list
Wicket-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/wicket-user
   
   
   
  
  

Re: [Wicket-user] WASPSession.logout(object)

2007-06-09 Thread Igor Vaynberg

On 6/9/07, Maurice Marrink [EMAIL PROTECTED] wrote:
 retinal scan.

:)

-igor


Re: [Wicket-user] WASPSession.logout(object)

2007-06-09 Thread Maurice Marrink
:D Well i had to come up with something outrageous didn't i? ;)

Maurice

On 6/9/07, Igor Vaynberg [EMAIL PROTECTED] wrote:
 On 6/9/07, Maurice Marrink [EMAIL PROTECTED] wrote:
  retinal scan.

 :)

 -igor




Re: [Wicket-user] WASPSession.logout(object)

2007-06-09 Thread Maurice Marrink
Ok, I just committed some refactoring in the authentication module of
swarm, to make sure we do not store user credentials in the session.
For those of you already depending on swarm, here are the changes.

-All is...Authenticated methods from LoginContext are now in Subject,
just copy paste the relevant code.
-SingleLoginContext has been folded into LoginContext, simply replace
any occurrence of the word SingleLoginContext with LoginContext as
the constructors remained the same.
-LoginContext equals and hashCode are final
-LoginContext is now a throw-away object and therefore is no longer serializable
-LoginContext no longer implements the Comparable interface
-Subjects are now considered read-only, and therefore the interface
no longer defines an addPrincipal method. Instead implementations will
provide add/remove methods that honor the read-only flag which is set
by swarm as soon as the subject has been passed on.

I haven't had time to update the getting started yet, so be patient there.

Oh and before anyone else says something about it, I'll do it myself :)
I know Subject now has a dependency on the wicket gui, making it a
less ideal candidate for storing it in a database as before. But my
reasoning is this: Subject is part of swarm and therefore of wicket, so
the dependency is allowed. Instead use your own entity for database
storage and wrap them in a Subject that will be thrown away when they
logoff.

Maurice

On 6/9/07, Maurice Marrink [EMAIL PROTECTED] wrote:
 :D Well i had to come up with something outrageous didn't i? ;)

 Maurice

 On 6/9/07, Igor Vaynberg [EMAIL PROTECTED] wrote:
  On 6/9/07, Maurice Marrink [EMAIL PROTECTED] wrote:
   retinal scan.
 
  :)
 
  -igor
 
 
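As an added illustration of the read-only Subject described in the message above (example code written for this page, not swarm's own; the Principal type, the Subject interface shape, DefaultSubject and FrameworkStandIn are all assumptions), this shows add/remove methods that honor a read-only flag which is flipped once the framework takes ownership of the subject, so that later application code cannot quietly widen a logged-in user's principals:

```java
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

// Hypothetical Principal type, constructed for this example.
final class Principal {
    private final String name;
    Principal(String name) { this.name = name; }
    @Override public boolean equals(Object o) {
        return o instanceof Principal && ((Principal) o).name.equals(name);
    }
    @Override public int hashCode() { return name.hashCode(); }
    @Override public String toString() { return name; }
}

// Assumed interface shape: no addPrincipal on the interface itself, only read access
// plus the read-only flag; implementations decide how principals get in and out.
interface Subject {
    Set<Principal> getPrincipals();
    boolean isReadOnly();
    void setReadOnly();
}

final class DefaultSubject implements Subject {
    private final Set<Principal> principals = new HashSet<Principal>();
    private boolean readOnly;

    // Mutators exist on the implementation only and refuse to run once the flag is set.
    public boolean addPrincipal(Principal p) {
        if (readOnly) throw new IllegalStateException("subject is read-only");
        return principals.add(p);
    }
    public boolean removePrincipal(Principal p) {
        if (readOnly) throw new IllegalStateException("subject is read-only");
        return principals.remove(p);
    }
    // Unmodifiable view, so callers cannot bypass the flag through the returned set.
    public Set<Principal> getPrincipals() { return Collections.unmodifiableSet(principals); }
    public boolean isReadOnly() { return readOnly; }
    public void setReadOnly() { readOnly = true; }
}

// Stand-in for the framework taking ownership of the subject after login:
// the first thing it does is freeze the subject.
final class FrameworkStandIn {
    static Subject accept(Subject s) { s.setReadOnly(); return s; }
}

public class ReadOnlySubjectDemo {
    public static void main(String[] args) {
        DefaultSubject subject = new DefaultSubject();
        subject.addPrincipal(new Principal("user"));          // allowed: not yet handed over
        Subject owned = FrameworkStandIn.accept(subject);
        System.out.println("principals after login: " + owned.getPrincipals());
        try {
            subject.addPrincipal(new Principal("admin"));     // rejected: subject is frozen
        } catch (IllegalStateException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        try {
            owned.getPrincipals().add(new Principal("admin")); // rejected: unmodifiable view
        } catch (UnsupportedOperationException e) {
            System.out.println("rejected via the principal view as well");
        }
    }
}
```

The flag is deliberately one-way: there is a setReadOnly() but no way to clear it, which is what makes the "set by swarm as soon as the subject has been passed on" guarantee hold for the rest of the session.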


Re: [Wicket-user] WASPSession.logout(object)

2007-06-08 Thread Maurice Marrink
There is currently no way to grab the login context, so you could
store it yourself (there might be multiple logincontexts though). But the
good news is you don't have to store it if you don't want to. The
logoff performs an equals check and currently every logincontext of
the same class and level is equal to another. So if you login using a
MySingleLoginContext(username, password) you can logoff with any new
instance of that class (logoff(new MySingleLoginContext());)

However if you feel you need to have access to the original instance,
for instance because you want to know the username, I can always
include such a method in the api.

Maurice

On 6/8/07, craigdd [EMAIL PROTECTED] wrote:

 I see that the WASPSession.logout method takes a LoginContext.  Is there
 somewhere within the SWARM implementation to grab the LoginContext used to
 login?  Or when logging in is it up to the developer to put the LoginContext
 somewhere...say maybe the session itself?

 Thanks
 Craig




Re: [Wicket-user] WASPSession.logout(object)

2007-06-08 Thread craigdd

Are you saying then that the instance of LoginContext used to login is held
onto in the WASPSession, via the security framework?

If so then this brings up a huge security issue, at least the way the API
sits and the examples showing that a LoginContext takes a username and
password in its constructor.  This means that a password (probably plain text)
is available in the session which is usually a big no no when it comes to a
secure application.  I've been through a few security probes from banks on
various online applications, and that is one of the first things they look
for / ask. Are you holding onto the password?

-Craig


Mr Mean wrote:
 
 There is currently no way to grab the login context, so you could
 store it yourself (there migh be multiple logintexts though). But the
 good news is you don't have to store it if you don't want to. The
 logoff performs an equals check and currently every logincontext of
 the same class and level is equal to another. So if you login using a
 MySingleLoginContext(username, password) you can logoff with any new
 instance of that class (logoff(new MySingleLoginContext());)
 
 However if you feel you need to have access to the original instance,
 for instance because you want to know the username, i can always
 include such a method in the api.
 
 Maurice
 
 On 6/8/07, craigdd [EMAIL PROTECTED] wrote:

 I see that the WASPSession.logout method takes a LoginContext.  Is there
 somewhere within the SWARM implementation to grab the LoginContext used to
 login?  Or when logging in is it up to the developer to put the LoginContext
 somewhere...say maybe the session itself?

 Thanks
 Craig
 --
 View this message in context:
 http://www.nabble.com/WASPSession.logout%28object%29-tf3887102.html#a11018551
 Sent from the Wicket - User mailing list archive at Nabble.com.



-- 
View this message in context: 
http://www.nabble.com/WASPSession.logout%28object%29-tf3887102.html#a11033924
Sent from the Wicket - User mailing list archive at Nabble.com.




Re: [Wicket-user] WASPSession.logout(object)

2007-06-08 Thread Maurice Marrink
The loginContext is indeed stored indirectly in the session. But
neither wasp nor swarm requires you to:
1 pass in a username and password in a constructor, those are just
convenient examples, although you are right and this will be the most
likely use case.
2 use plaintext authentication data (e.g. password)
3 hold onto the username and password (or anything else you use for
authentication) after the login method is called.

As stated in the apidoc the login method is only called once, so you
can and probably should clear anything used to authenticate your user.
The current documentation and/or example code does not make this very
clear, thanks for pointing that out.

Maurice

On 6/8/07, craigdd [EMAIL PROTECTED] wrote:

 Are you saying then that the instance of LoginContext used to login is held
 onto in the WASPSession, via the security framework?

 If so then this brings up a huge security issue, as least the way the API
 sits and the examples showing that a LoginContext takes a username and
 password in its constructor.  This mean that a password(probably plain text)
 is available in the session which is usually a big no no when it comes to a
 secure application.  I've been through a few security probes from banks on
 various online applications that that is one of the first thing they look
 for / ask. Are you holding onto the password?

 -Craig


 Mr Mean wrote:
 
  There is currently no way to grab the login context, so you could
  store it yourself (there migh be multiple logintexts though). But the
  good news is you don't have to store it if you don't want to. The
  logoff performs an equals check and currently every logincontext of
  the same class and level is equal to another. So if you login using a
  MySingleLoginContext(username, password) you can logoff with any new
  instance of that class (logoff(new MySingleLoginContext());)
 
  However if you feel you need to have access to the original instance,
  for instance because you want to know the username, i can always
  include such a method in the api.
 
  Maurice
 
  On 6/8/07, craigdd [EMAIL PROTECTED] wrote:
 
  I see that the WASPSession.logout method takes a LoginContext.  Is there
  somewhere within the SWARM implementation to grab the LoginContext used
  to
  login?  Or when logging in is it up to the developer to put the
  LoginContext
  somewhere...say maybe the session itself?
 
  Thanks
  Craig
  --
  View this message in context:
  http://www.nabble.com/WASPSession.logout%28object%29-tf3887102.html#a11018551
  Sent from the Wicket - User mailing list archive at Nabble.com.
 
 


Re: [Wicket-user] WASPSession.logout(object)

2007-06-08 Thread Maurice Marrink
Just thinking out loud here, but it shouldn't be too difficult to
change this into holding a hash of the logincontext instead of the
whole context. Since the equals contract already specifies that equal
objects should have equal hashes, the equals check can be easily
performed on the hash; HashMap actually uses the hash before it uses
equals, so I do not see much problems here. And it is not like you
are gonna have an army of logincontexts in each session.

I'll see if I can implement this sometime tomorrow.

Thanks again for pointing this out, if you think there are more of
this kind of problem just let me know.

Maurice

P.S. I guess an api for getting the original logincontext is out of
the question then :)


On 6/8/07, craigdd [EMAIL PROTECTED] wrote:

 Are you saying then that the instance of LoginContext used to login is held
 onto in the WASPSession, via the security framework?

 If so then this brings up a huge security issue, as least the way the API
 sits and the examples showing that a LoginContext takes a username and
 password in its constructor.  This mean that a password(probably plain text)
 is available in the session which is usually a big no no when it comes to a
 secure application.  I've been through a few security probes from banks on
 various online applications that that is one of the first thing they look
 for / ask. Are you holding onto the password?

 -Craig


 Mr Mean wrote:
 
  There is currently no way to grab the login context, so you could
  store it yourself (there migh be multiple logintexts though). But the
  good news is you don't have to store it if you don't want to. The
  logoff performs an equals check and currently every logincontext of
  the same class and level is equal to another. So if you login using a
  MySingleLoginContext(username, password) you can logoff with any new
  instance of that class (logoff(new MySingleLoginContext());)
 
  However if you feel you need to have access to the original instance,
  for instance because you want to know the username, i can always
  include such a method in the api.
 
  Maurice
 
  On 6/8/07, craigdd [EMAIL PROTECTED] wrote:
 
  I see that the WASPSession.logout method takes a LoginContext.  Is there
  somewhere within the SWARM implementation to grab the LoginContext used
  to
  login?  Or when logging in is it up to the developer to put the
  LoginContext
  somewhere...say maybe the session itself?
 
  Thanks
  Craig
  --
  View this message in context:
  http://www.nabble.com/WASPSession.logout%28object%29-tf3887102.html#a11018551
  Sent from the Wicket - User mailing list archive at Nabble.com.
 
 
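The three points made in this part of the thread (the login method runs once so credentials can be cleared afterwards; the session can keep a hash of the logincontext rather than the context itself; logoff works with any new instance of the same class and level) fit together in one small program. What follows is an added example written for this page, not swarm's or wasp's own code: the abstract LoginContext with a level, PasswordLoginContext, the UserStore and SwarmLikeSession are all constructed here and their names are assumptions, as is the sample user "alice".

```java
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.Charset;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

// Throw-away login context: credentials are held only until login() has run once, then
// wiped. equals/hashCode are final and depend on class and level only, so a fresh,
// credential-less instance is "equal" for isAuthenticated/logoff purposes.
abstract class LoginContext {
    private final int level;
    protected LoginContext(int level) { this.level = level; }
    /** Called exactly once by the session; must not leave credentials behind. */
    public abstract boolean login();
    @Override public final boolean equals(Object o) {
        return o != null && o.getClass() == getClass() && ((LoginContext) o).level == level;
    }
    @Override public final int hashCode() { return 31 * getClass().getName().hashCode() + level; }
}

final class PasswordLoginContext extends LoginContext {
    private String username;
    private char[] password;   // char[] rather than String so it can be zeroed deterministically
    PasswordLoginContext(String username, char[] password) {
        super(0); this.username = username; this.password = password;
    }
    PasswordLoginContext() { super(0); }   // credential-less instance, enough for logoff()
    @Override public boolean login() {
        try {
            return username != null && password != null && UserStore.check(username, password);
        } finally {
            if (password != null) Arrays.fill(password, '\0');   // wipe, whatever the outcome
            password = null;
            username = null;   // identity belongs in the Subject, not in the context
        }
    }
    boolean holdsCredentials() { return username != null || password != null; }
}

// Constructed stand-in for a user store holding salted SHA-256 digests, never passwords.
// A production store would use a slow KDF (PBKDF2, bcrypt, scrypt) instead of plain SHA-256.
final class UserStore {
    private static final Charset UTF8 = Charset.forName("UTF-8");
    private static final Map<String, byte[]> SALTS = new HashMap<String, byte[]>();
    private static final Map<String, byte[]> DIGESTS = new HashMap<String, byte[]>();
    static { register("alice", "correct horse".toCharArray()); }   // sample user (constructed)

    static void register(String user, char[] pw) {
        byte[] salt = (user + "-demo-salt").getBytes(UTF8);   // fixed salt for the demo only
        SALTS.put(user, salt);
        DIGESTS.put(user, digest(salt, pw));
    }
    static boolean check(String user, char[] pw) {
        byte[] salt = SALTS.get(user);
        // MessageDigest.isEqual compares in constant time, avoiding a timing side channel
        return salt != null && MessageDigest.isEqual(DIGESTS.get(user), digest(salt, pw));
    }
    private static byte[] digest(byte[] salt, char[] pw) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            md.update(salt);
            ByteBuffer pwBytes = UTF8.encode(CharBuffer.wrap(pw));   // no String copy of the password
            md.update(pwBytes);
            if (pwBytes.hasArray()) Arrays.fill(pwBytes.array(), (byte) 0);
            return md.digest();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is mandatory in every JRE", e);
        }
    }
}

// Session that keeps only the hash of each successfully logged-in context, never the
// context itself; any equal instance can be used to query or end the login.
final class SwarmLikeSession {
    private final Set<Integer> loginHashes = new HashSet<Integer>();
    public boolean login(LoginContext ctx) {
        if (!ctx.login()) return false;
        loginHashes.add(ctx.hashCode());
        return true;
    }
    public boolean isAuthenticated(LoginContext ctx) { return loginHashes.contains(ctx.hashCode()); }
    public boolean logoff(LoginContext ctx) { return loginHashes.remove(ctx.hashCode()); }
}

public class ThrowAwayLoginContextDemo {
    public static void main(String[] args) {
        SwarmLikeSession session = new SwarmLikeSession();
        char[] pw = "correct horse".toCharArray();
        PasswordLoginContext ctx = new PasswordLoginContext("alice", pw);
        System.out.println("login ok: " + session.login(ctx));
        System.out.println("context still holds credentials: " + ctx.holdsCredentials());
        System.out.println("caller's password array wiped: " + (pw[0] == '\0'));
        System.out.println("authenticated via fresh instance: " + session.isAuthenticated(new PasswordLoginContext()));
        System.out.println("logoff via fresh instance: " + session.logoff(new PasswordLoginContext()));
        System.out.println("authenticated after logoff: " + session.isAuthenticated(new PasswordLoginContext()));
        System.out.println("wrong password accepted: " + session.login(new PasswordLoginContext("alice", "nope".toCharArray())));
    }
}
```

Two design points worth noting. Because equals and hashCode are final in the base class, a subclass cannot accidentally fold the password into them, which is the only way credentials could leak into the hash the session keeps. And because login() wipes in a finally block, a failed or exceptional login clears the password just as a successful one does.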


Re: [Wicket-user] WASPSession.logout(object)

2007-06-08 Thread craigdd

Just out of curiosity why doesn't the login method take a username/password? 
Or if you want it to be more abstracted create some sort of Credentials
object and update the WASPSession.login to take a LoginContext and
Credentials object.  Then update the LoginContext login to take the
Credential.

-Craig


Mr Mean wrote:
 
  I just remembered a little snag, this is not going to work because I
  currently use the context to ask if the component, class, model is
  authenticated by this context. So I really need it atm.
  
  Looks like I need to think this through a little better, but first I
  gotta grab some sleep.
 
 Maurice
 
 On 6/9/07, craigdd [EMAIL PROTECTED] wrote:

  Sounds like a pretty good idea, I like that much better than having the user
  need to know they need to cleanup data state in their LoginContext.

  Another idea might be to have the LoginContext provide a method that returns
  a unique identifier.  That value could be stored internally and the user can
  pass anything they want, I'd assume the default would be to return the
  username which is completely fair to be in the session.

  Without looking too closely at the code you could also use this identifier
  during logout.

 -Craig


 Mr Mean wrote:
 
  Just thinking out loud here, but it shouldn't be too difficult to
  change this into holding a hash of the logincontext instead of the
  whole context. Since the equals contract already specifies that equal
  object should have equal hashes The equals check can be easily
  performed on the hash, HashMap actually uses the hash before it uses
  the equal, so i do not see much problems here. And it is not like you
  are gonna have an army of logincontexts in each session.
 
  Ill see if i can implement this sometime tomorrow.
 
  Thanks again for pointing this out, if you think there are more of
  this kind of problems just let me know.
 
  Maurice
 
  P.S. i guess an api for getting the original logincontext is out of
  the question then :)
 
 
  On 6/8/07, craigdd [EMAIL PROTECTED] wrote:
 
   Are you saying then that the instance of LoginContext used to login is held
   onto in the WASPSession, via the security framework?
  
   If so then this brings up a huge security issue, at least the way the API
   sits and the examples showing that a LoginContext takes a username and
   password in its constructor.  This means that a password (probably plain text)
   is available in the session which is usually a big no no when it comes to a
   secure application.  I've been through a few security probes from banks on
   various online applications, and that is one of the first things they look
   for / ask. Are you holding onto the password?
 
  -Craig
 
 
  Mr Mean wrote:
  
    There is currently no way to grab the login context, so you could
    store it yourself (there might be multiple logincontexts though). But the
    good news is you don't have to store it if you don't want to. The
    logoff performs an equals check and currently every logincontext of
    the same class and level is equal to another. So if you login using a
    MySingleLoginContext(username, password) you can logoff with any new
    instance of that class (logoff(new MySingleLoginContext());)
   
    However if you feel you need to have access to the original instance,
    for instance because you want to know the username, I can always
    include such a method in the api.
  
   Maurice
  
   On 6/8/07, craigdd [EMAIL PROTECTED] wrote:
  
    I see that the WASPSession.logout method takes a LoginContext.  Is there
    somewhere within the SWARM implementation to grab the LoginContext used to
    login?  Or when logging in is it up to the developer to put the LoginContext
    somewhere...say maybe the session itself?
  
   Thanks
   Craig

Re: [Wicket-user] WASPSession.logout(object)

2007-06-08 Thread Maurice Marrink
I just remembered a little snag, this is not going to work because I
currently use the context to ask if the component, class, model is
authenticated by this context. So I really need it atm.

Looks like I need to think this through a little better, but first I
gotta grab some sleep.

Maurice

On 6/9/07, craigdd [EMAIL PROTECTED] wrote:

 Sounds like a pretty good idea, I like that much better than having the user
 need to know they need to cleanup data state in their LoginContext.

 Another idea might be to have the LoginContext provide a method that returns
 a unique identifier.  That value could be store internally and the user can
 pass anything they want, I'd assume the default would be to return the
 username which is completely fair to be in the session.

 Without looking too closely at the code you could also use this identifier
 during logout.

 -Craig


 Mr Mean wrote:
 
  Just thinking out loud here, but it shouldn't be too difficult to
  change this into holding a hash of the logincontext instead of the
  whole context. Since the equals contract already specifies that equal
  object should have equal hashes The equals check can be easily
  performed on the hash, HashMap actually uses the hash before it uses
  the equal, so i do not see much problems here. And it is not like you
  are gonna have an army of logincontexts in each session.
 
  Ill see if i can implement this sometime tomorrow.
 
  Thanks again for pointing this out, if you think there are more of
  this kind of problems just let me know.
 
  Maurice
 
  P.S. i guess an api for getting the original logincontext is out of
  the question then :)
 
 
  On 6/8/07, craigdd [EMAIL PROTECTED] wrote:
 
   Are you saying then that the instance of LoginContext used to login is held
   onto in the WASPSession, via the security framework?
  
   If so then this brings up a huge security issue, at least the way the API
   sits and the examples showing that a LoginContext takes a username and
   password in its constructor.  This means that a password (probably plain text)
   is available in the session which is usually a big no no when it comes to a
   secure application.  I've been through a few security probes from banks on
   various online applications, and that is one of the first things they look
   for / ask. Are you holding onto the password?
 
  -Craig
 
 
  Mr Mean wrote:
  
   There is currently no way to grab the login context, so you could
   store it yourself (there migh be multiple logintexts though). But the
   good news is you don't have to store it if you don't want to. The
   logoff performs an equals check and currently every logincontext of
   the same class and level is equal to another. So if you login using a
   MySingleLoginContext(username, password) you can logoff with any new
   instance of that class (logoff(new MySingleLoginContext());)
  
   However if you feel you need to have access to the original instance,
   for instance because you want to know the username, i can always
   include such a method in the api.
  
   Maurice
  
   On 6/8/07, craigdd [EMAIL PROTECTED] wrote:
  
    I see that the WASPSession.logout method takes a LoginContext.  Is there
    somewhere within the SWARM implementation to grab the LoginContext used to
    login?  Or when logging in is it up to the developer to put the LoginContext
    somewhere...say maybe the session itself?
  
   Thanks
   Craig

Re: [Wicket-user] WASPSession.logout(object)

2007-06-08 Thread craigdd

Sounds like a pretty good idea, I like that much better than having the user
need to know they need to clean up data state in their LoginContext.

Another idea might be to have the LoginContext provide a method that returns
a unique identifier.  That value could be stored internally and the user can
pass anything they want, I'd assume the default would be to return the
username, which is completely fair to be in the session.

Without looking too closely at the code you could also use this identifier
during logout.

-Craig


Mr Mean wrote:
 
 Just thinking out loud here, but it shouldn't be too difficult to
 change this into holding a hash of the logincontext instead of the
 whole context. Since the equals contract already specifies that equal
 objects should have equal hashes, the equals check can be easily
 performed on the hash. HashMap actually uses the hash before it uses
 equals, so i do not see many problems here. And it is not like you
 are gonna have an army of logincontexts in each session.
 
 Ill see if i can implement this sometime tomorrow.
 
 Thanks again for pointing this out, if you think there are more of
 this kind of problems just let me know.
 
 Maurice
 
 P.S. i guess an api for getting the original logincontext is out of
 the question then :)
 
 
 On 6/8/07, craigdd [EMAIL PROTECTED] wrote:

 Are you saying then that the instance of LoginContext used to login is
 held onto in the WASPSession, via the security framework?

 If so then this brings up a huge security issue, at least the way the API
 sits and the examples showing that a LoginContext takes a username and
 password in its constructor.  This means that a password (probably plain
 text) is available in the session, which is usually a big no no when it
 comes to a secure application.  I've been through a few security probes
 from banks on various online applications, and that is one of the first
 things they look for / ask. Are you holding onto the password?

 -Craig


 Mr Mean wrote:
 
  There is currently no way to grab the login context, so you could
  store it yourself (there might be multiple logincontexts though). But the
  good news is you don't have to store it if you don't want to. The
  logoff performs an equals check and currently every logincontext of
  the same class and level is equal to another. So if you login using a
  MySingleLoginContext(username, password) you can logoff with any new
  instance of that class (logoff(new MySingleLoginContext());)
 
  However if you feel you need to have access to the original instance,
  for instance because you want to know the username, i can always
  include such a method in the api.
 
  Maurice
 
  On 6/8/07, craigdd [EMAIL PROTECTED] wrote:
 
  I see that the WASPSession.logout method takes a LoginContext.  Is there
  somewhere within the SWARM implementation to grab the LoginContext used to
  login?  Or when logging in is it up to the developer to put the LoginContext
  somewhere...say maybe the session itself?
 
  Thanks
  Craig
 
 


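The design the two of them converge on above (equality on class plus identifier, the session keeping only that identifier, and the password discarded as soon as authentication has run) as an added sketch in plain Java. This is not SWARM/WASP code: the class names, the Authenticator interface and the SessionLogins holder are assumptions standing in for the real LoginContext/WASPSession API.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

// Hypothetical stand-in for whatever the framework uses to verify credentials.
interface Authenticator { boolean check(String username, char[] password); }

abstract class LoginContext {
    public abstract String getIdentifier();            // e.g. the username

    // The only thing a session needs to remember about a login: class + identifier.
    public final String key() { return getClass().getName() + ":" + getIdentifier(); }

    // A fresh instance of the same class with the same identifier is equal,
    // so logoff(new MyContext("alice", null)) matches the earlier login.
    @Override public final boolean equals(Object o) {
        return o instanceof LoginContext && key().equals(((LoginContext) o).key());
    }
    @Override public final int hashCode() { return key().hashCode(); }
}

class UserPassContext extends LoginContext {
    private final String username;
    private char[] password;                            // lives only until authenticate() runs

    UserPassContext(String username, char[] password) {
        this.username = username;
        this.password = password == null ? null : password.clone();
    }

    boolean authenticate(Authenticator auth) {
        if (password == null) return false;             // logoff-only instance, cannot log in
        try { return auth.check(username, password); }
        finally { Arrays.fill(password, '\0'); password = null; }  // wiped, never retained
    }

    @Override public String getIdentifier() { return username; }
}

class SessionLogins {                                   // what the session actually holds
    private final Set<String> active = new HashSet<>(); // identifiers only, no context objects

    boolean login(UserPassContext ctx, Authenticator auth) {
        if (!ctx.authenticate(auth)) return false;
        active.add(ctx.key());                          // ctx itself is not stored
        return true;
    }
    boolean logout(LoginContext ctx) { return active.remove(ctx.key()); }
    boolean isLoggedIn(LoginContext ctx) { return active.contains(ctx.key()); }
}
```

With a `SessionLogins` in the session, `login(new UserPassContext("alice", pw), auth)` followed by `logout(new UserPassContext("alice", null))` ends the login, and at no point does the session object reference the password.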
[Wicket-user] WASPSession.logout(object)

2007-06-07 Thread craigdd

I see that the WASPSession.logout method takes a LoginContext.  Is there
somewhere within the SWARM implementation to grab the LoginContext used to
login?  Or when logging in is it up to the developer to put the LoginContext
somewhere...say maybe the session itself?

Thanks
Craig