Hi Miguel, I'm glad to have helped out. And I think keeping the concepts of activation separate from authentication is smart - they are technically orthogonal operations that have little to do with each other.
Cheers,
Les

On Fri, Feb 5, 2010 at 2:33 PM, mcohnen <[email protected]> wrote:
> Hi Les,
>
> Thank you VERY MUCH for such a great, fast and clear explanation. I'm
> developing just a simple application and never thought of the consequences
> of fake "email clicks". What I will do, thanks to your explanations, is
> log in the user once he registers, but I will not activate it. Therefore, if
> he clicks the activation email later on, all I do is activate the account,
> and if the user is logged in (same session), he'll still be logged in.
>
> Thank you again!
>
> On Fri, Feb 5, 2010 at 8:25 PM, Les Hazlewood-2 [via Shiro User] <[hidden
> email]> wrote:
>>
>> Hi Miguel,
>>
>> Authentication is the act of proving an identity. If you don't
>> require proof of their identity, then the user won't, by definition,
>> be authenticated. What if that email was viewed and clicked by
>> someone other than the user who registered? This is very possible and
>> happens more than you might think, especially with spambot systems.
>>
>> Suggestion # 1:
>>
>> The way I've solved this myself is to actually perform a login on the
>> user's behalf when they click that link. How do I do that? When
>> they're registering on the site at first, they enter in an email
>> address and password. I'll store that password (encrypted of course)
>> in their session. When they click on the link, assuming that they do
>> so during the same session as when they signed up (which is the large
>> majority of cases), then I automatically call subject.login with the
>> values stored in the session.
>>
>> If they click the link after their session has expired, they're forced
>> to log in to the site, performing a real authentication. This
>> paradigm is much more secure than automatically assuming a user is
>> authenticated without requiring their credentials.
>>
>> Suggestion # 2:
>>
>> If you don't like #1, you could easily create something like a
>> RegistrationKeyLoginToken - maybe a subclass of UsernamePasswordToken
>> that also retains a secret key that is obtained from the HTTP request
>> (usually a URL parameter). When the user accesses that URL, you
>> transparently call subject.login with that Token instance with the
>> secret key.
>>
>> When your Realm implementation receives the token in your
>> doGetAuthenticationInfo implementation, you can see if it is the
>> RegistrationKeyLoginToken and then check to see if the tokens match.
>> If so, just return the AuthenticationInfo as if they had logged in
>> with a password. If the token is not a RegistrationKeyLoginToken,
>> perform the lookup based on username/password as normal.
>>
>> I personally would never use # 2 as I don't trust unencrypted email as
>> a secure enough mechanism to auto-login my user. It's up to you
>> though depending on your needs :)
>>
>> HTH,
>>
>> Les
>>
>> On Fri, Feb 5, 2010 at 1:52 PM, mcohnen <[hidden email]> wrote:
>> >
>> > Hi!
>> >
>> > I'm using the shiro plugin with grails and I'm wondering if it's
>> > possible to perform a login (authentication) without knowing a user's
>> > password. I want to do that, so that when the user clicks on his
>> > confirmation email, I can automatically log him in if the confirmation
>> > was successful.
>> >
>> > Any ideas about this?
>> >
>> > Thank you!
>> > --
>> > View this message in context:
>> > http://n2.nabble.com/Authenticating-without-knowing-user-s-password-Is-it-possible-tp4521499p4521499.html
>> > Sent from the Shiro User mailing list archive at Nabble.com.
>> >
>
> --
> Best regards,
> Miguel Cohnen de la Cámara
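Suggestion #2 from the thread, written out against the Shiro realm API as an added example (it is not code from the thread or from the Shiro project). The RegistrationKeyLoginToken subclass and the instanceof check in doGetAuthenticationInfo are what Les describes; the in-memory account store, the 24-hour key lifetime, the single-use handling and the separate activate() step are my assumptions, added so the key cannot be replayed and so activation stays orthogonal to authentication as agreed at the top of the thread. Suggestion #1 needs no realm change at all (it is just subject.login with the credentials the session already holds), so it is not shown.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import org.apache.shiro.authc.*;
import org.apache.shiro.authc.credential.DefaultPasswordService;
import org.apache.shiro.authc.credential.PasswordMatcher;
import org.apache.shiro.codec.Hex;
import org.apache.shiro.realm.AuthenticatingRealm;
import org.apache.shiro.subject.Subject;

/**
 * Realm for "Suggestion #2": a RegistrationKeyLoginToken carries the secret key from the
 * activation URL and is authenticated without a password; plain UsernamePasswordTokens go
 * through the normal credentials matcher. Store, expiry and single use are example assumptions.
 */
public class RegistrationLoginRealm extends AuthenticatingRealm {

    /** The token subclass Les describes: username plus the key from the URL, no password. */
    public static final class RegistrationKeyLoginToken extends UsernamePasswordToken {
        private final String registrationKey;

        public RegistrationKeyLoginToken(String username, String registrationKey) {
            super(username, (char[]) null); // no password is known on this path
            this.registrationKey = registrationKey;
        }

        public String getRegistrationKey() { return registrationKey; }
    }

    /** Hypothetical in-memory account record; a real application would persist this. */
    static final class Account {
        final String username;
        final String passwordHash; // shiro1 crypt string from DefaultPasswordService
        String pendingKey;         // set at registration, cleared after first successful use
        Instant keyExpiry;
        boolean active;

        Account(String username, String passwordHash) {
            this.username = username;
            this.passwordHash = passwordHash;
        }
    }

    private static final Duration KEY_LIFETIME = Duration.ofHours(24); // assumption
    private final Map<String, Account> accounts = new ConcurrentHashMap<>();
    private final DefaultPasswordService passwordService = new DefaultPasswordService();
    private final SecureRandom random = new SecureRandom();

    public RegistrationLoginRealm() {
        // Password logins are verified by Shiro's PasswordMatcher against the stored hash.
        PasswordMatcher matcher = new PasswordMatcher();
        matcher.setPasswordService(passwordService);
        setCredentialsMatcher(matcher);
    }

    /** Registration: hash the password and mint a random key for the activation link. */
    public String register(String username, char[] password) {
        Account account = new Account(username, passwordService.encryptPassword(password));
        byte[] raw = new byte[32];
        random.nextBytes(raw);
        account.pendingKey = Hex.encodeToString(raw);
        account.keyExpiry = Instant.now().plus(KEY_LIFETIME);
        accounts.put(username, account);
        return account.pendingKey; // the caller puts this into the emailed URL
    }

    /** Activation is kept separate from authentication; the controller calls it explicitly. */
    public void activate(String username) {
        Account account = accounts.get(username);
        if (account != null) account.active = true;
    }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
            throws AuthenticationException {
        UsernamePasswordToken upToken = (UsernamePasswordToken) token;
        Account account = accounts.get(upToken.getUsername());
        if (account == null) {
            throw new UnknownAccountException("no account " + upToken.getUsername());
        }
        if (token instanceof RegistrationKeyLoginToken) {
            String presented = ((RegistrationKeyLoginToken) token).getRegistrationKey();
            if (account.pendingKey == null || presented == null) {
                throw new IncorrectCredentialsException("no pending registration key");
            }
            if (Instant.now().isAfter(account.keyExpiry)) {
                throw new ExpiredCredentialsException("registration key expired");
            }
            // Constant-time comparison so response timing does not leak a partial match.
            if (!MessageDigest.isEqual(presented.getBytes(StandardCharsets.UTF_8),
                                       account.pendingKey.getBytes(StandardCharsets.UTF_8))) {
                throw new IncorrectCredentialsException("registration key mismatch");
            }
            account.pendingKey = null; // single use: a replayed link no longer logs anyone in
            return new SimpleAuthenticationInfo(account.username, null, getName());
        }
        // Ordinary username/password path: the PasswordMatcher checks these credentials.
        return new SimpleAuthenticationInfo(account.username, account.passwordHash, getName());
    }

    @Override
    protected void assertCredentialsMatch(AuthenticationToken token, AuthenticationInfo info)
            throws AuthenticationException {
        if (token instanceof RegistrationKeyLoginToken) {
            return; // the key was already verified above; there is no password to match
        }
        super.assertCredentialsMatch(token, info);
    }

    /** What the link-handling controller calls: authenticate via the key, then activate. */
    public void loginFromActivationLink(Subject subject, String username, String key) {
        subject.login(new RegistrationKeyLoginToken(username, key)); // throws on failure
        activate(username);
    }
}
```

The realm's default token class is UsernamePasswordToken, so the subclass is accepted without overriding supports(). The three checks on the key path (constant-time compare, expiry, clearing the key after use) are what make this more than "trust whoever clicked": a guessed, stale or replayed key fails, which is the failure mode Les raises. His caveat still stands, since anyone who can read the unencrypted email within the key's lifetime can use it once.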
