Eclipse Community Forums
Login Box default user name [message #878453] Tue, 29 May 2012 10:41
Alex Schroeder (Messages: 38, Registered: February 2010, Location: Zürich, Switzerland)

In my project, I'm using a copy of the LDAPSecurityFilter to prompt users for username and password before executing an LDAP query to authenticate the user. That part works. The client now wants the last username used to be shown in the LoginDialog upon startup. I think this ought to be the default behaviour (and I've seen it in other Scout projects) but it doesn't work for me. The question is: Where do I start looking?

The .../user/.settings/org.eclipse.scout.rt.client.prefs file does not contain the username (and in the other Scout project I looked at, this was where it was stored). Thus, as far as I can tell, the username is not being cached in the first place.

Assuming I need to write this code myself, I'm looking for some guidance: Will I need to create a copy of the InternalNetAuthenticator (i.e. all of the classes in org.eclipse.scout.rt.ui.swing.login.internal) in order to cache the username myself?

Cheers
Alex
Re: Login Box default user name [message #878464 is a reply to message #878453] Tue, 29 May 2012 11:14
Ivan Motsch (Messages: 100, Registered: March 2010)
Basically according to the OWASP security guidelines usernames and passwords should never be cached or held in a cookie.

If you are using Web-Browser:
However if the "last" username should be shown before the user logged in, then there must be some browser cookie that tells the server who the user is.

If no such cookie is available or the user chooses another browser/machine then there will be no information.

Otherwise the server can match the cookie id to a cache of cookie-id / username and send a www-user info back to the browser for login.


If you are using rich client:
The basic reason why there is no such user store is that a rich client per se can manage multiple url connections. So which username to cache?

What can be done however: You can tell the NetAuthenticator which username to use for a certain url by


1. Make sure the authenticator is allowed to use caching by setting the config.ini property:
java.net.authenticate.cache.enabled=true

2. Since you don't want to save the password, but only the username, manually save the username once the user has logged in successfully. Therefore, in your ClientSession.execLoad method, add code just after the first call to the backend (most often a ping service call).

public class ClientSession {
  // ...

  @Override
  public void execLoadSession() throws ProcessingException {
    // sample code
    try {
      // ...
      URL serverUrl = new URL(getBundle().getBundleContext().getProperty("server.url"));
      setServiceTunnel(new HttpServiceTunnel(this, serverUrl.toExternalForm(), (String) getBundle().getHeaders().get("Bundle-Version")));
      SERVICES.getService(IPingService.class).ping("ping");
      // After the ping call to the server: if we got here, the user is valid and the shared
      // context variables are synchronized with the server.
      String validUserId = getUserId();
      // Remember only the user name for this host + path; the password is passed as the empty string.
      SecurePreferencesUtility.storeCredentials(serverUrl.getHost() + serverUrl.getPath(), validUserId, "");
    }
    catch (Exception e) {
      // ...
    }
  }
}


3. next time the client starts and accesses this url path, the InternalNetAuthenticator will check the secure preferences store and show up with a pre-filled username.

[Updated on: Tue, 29 May 2012 11:17]
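As an added example that is not part of Ivan's post or of Scout itself: an Authenticator that keeps only the last user name per host + path in Equinox secure storage and never persists the password, which is the split the three steps above aim for. It assumes Equinox secure storage (org.eclipse.equinox.security) is on the classpath and that the class can be registered where Scout's InternalNetAuthenticator is; the askUser hook, the node name and the class name are placeholders.

```java
import java.io.IOException;
import java.net.Authenticator;
import java.net.PasswordAuthentication;
import java.net.URL;
import org.eclipse.equinox.security.storage.EncodingUtils;
import org.eclipse.equinox.security.storage.ISecurePreferences;
import org.eclipse.equinox.security.storage.SecurePreferencesFactory;
import org.eclipse.equinox.security.storage.StorageException;

// Added example, not Scout's InternalNetAuthenticator: remembers only the last user name per
// server (host + path) in Equinox secure storage; the password is asked for on every start and
// is never written to disk. Registering it in place of Scout's authenticator is assumed.
public abstract class UserNameOnlyAuthenticator extends Authenticator {
  private static final String NODE = "org/example/scout/lastuser"; // assumed node name

  // Hypothetical hook for the login dialog: gets the pre-filled name, returns null on cancel.
  protected abstract PasswordAuthentication askUser(String hostAndPath, String prefilledUser);

  // Same lookup key as in the post (host + path), made safe for use as a preference key.
  static String keyFor(URL url) {
    return EncodingUtils.encodeSlashes(url.getHost() + url.getPath());
  }

  // Read the remembered name; an empty string means there is nothing to pre-fill.
  static String loadLastUser(URL url) {
    try {
      return SecurePreferencesFactory.getDefault().node(NODE).get(keyFor(url), "");
    } catch (StorageException e) {
      return "";
    }
  }

  // Call this from ClientSession.execLoadSession() right after the ping succeeded, as the
  // post does, so that only a user name that actually authenticated gets remembered.
  public static void storeLastUser(URL url, String validUserId) throws StorageException, IOException {
    ISecurePreferences node = SecurePreferencesFactory.getDefault().node(NODE);
    node.put(keyFor(url), validUserId, false); // unencrypted on purpose: it is only the name
    node.flush();
  }

  @Override
  protected PasswordAuthentication getPasswordAuthentication() {
    URL url = getRequestingURL();
    if (url == null) {
      return null;
    }
    // The entered password lives only in the returned object for this one request.
    return askUser(url.getHost() + url.getPath(), loadLastUser(url));
  }
}
```

Because the password never reaches the store, there is nothing for a "save password" checkbox to keep, and a prefs file that still contains a password is the check that the old authenticator is still wired in.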

Re: Login Box default user name [message #878490 is a reply to message #878464] Tue, 29 May 2012 12:23
Alex Schroeder (Messages: 38, Registered: February 2010, Location: Zürich, Switzerland)

Thank you for the reply. It turns out that this doesn't quite work as expected because of the "LoginDialog.savePassword" checkbox at the bottom of the LoginDialog. In addition to that, using the empty string as a password didn't work -- effectively the real password was kept.

It seems to me that I will have to create a copy of the InternalNetAuthenticator (and thus of the other classes in org.eclipse.scout.rt.ui.swing.login.internal) in order to cache the username myself.
Re: Login Box default user name [message #896789 is a reply to message #878453] Thu, 19 July 2012 19:01
Boy D'Poy (Messages: 56, Registered: October 2011)
Hi!

<<In my project, I'm using a copy of the LDAPSecurityFilter to prompt users for username and password before executing an LDAP query to authenticate the user. That part works>>

This is what I'm trying to do with no success.

I took a look at this page [http://wiki.eclipse.org/Scout/Concepts/Security#LDAPSecurityFilter], but things remain unclear, because even when the parameters to set are given, we still don't know where to put them: in the server's config.ini, the RAP client's one, both ...?

Should we keep the extensions in both server and client plugins or not, even in RAP UI plugins? No answer... ;(

So you'd be very helpful if I could get a step-by-step guide to make my first LDAP authentication box appear.

From my side, I removed the extension point org.eclipse.scout.http.servletfilter.filters both from my server and client plugins and put

### Authentication
org.eclipse.scout.http.servletfilter.security.AnonymousSecurityFilter#active=false
org.eclipse.scout.http.servletfilter.security.BasicSecurityFilter#active=false
org.eclipse.scout.http.servletfilter.security.LDAPSecurityFilter#active=true

#LDAP
org.eclipse.scout.http.servletfilter.security.LDAPSecurityFilter#active=true
org.eclipse.scout.http.servletfilter.security.LDAPSecurityFilter#realm=developmnet
org.eclipse.scout.http.servletfilter.security.LDAPSecurityFilter#failover=false

in both of these config.ini files, and the application runs fine ... but not securely, which I know to be wrong ;(

Thank you!


Once You Go Scout, You Never Come Out!
Re: Login Box default user name [message #897149 is a reply to message #896789] Sun, 22 July 2012 15:39
Andreas Hoegger (Messages: 174, Registered: February 2010)
A few words about security in Scout RAP applications.

Wording:
RAP Server: The Eclipse Scout Client part running in a web container on a server.
Server: The Eclipse Scout Server part running in a web container on a server.

ServletFilters can be applied to either the RAP Server servlet or the Server servlet. The usual way is to protect the first backend access of a client. In RAP applications it is the browser call to the RAP Server. It's a good idea to have a separate servlet on the Server for requests from RAP Server and Rich Clients.

An example:
Server:
  /process servlet for rich clients
    security filter for rich client requests
    <extension
        point="org.eclipse.scout.http.servletfilter.filters">
      <filter
          aliases="/web"
          class="org.eclipse.scout.http.servletfilter.security.BasicSecurityFilter"
          ranking="20">
      </filter>
    </extension>
  /ajax servlet for RAP Server requests
    NO SECURITY FILTER: a security subject is expected on the request
RAP Server:
  /web servlet
    security filter for browser requests
    <extension
        name=""
        point="org.eclipse.scout.http.servletfilter.filters">
      <filter
          aliases="/process /remotefiles /updatesite"
          class="org.eclipse.scout.http.servletfilter.security.BasicSecurityFilter"
          ranking="20">
      </filter>
    </extension>


Configuration:
- <application name>.ui.rap/products/[development|production]/config.ini
  server.url=http://localhost:8080/security/ajax
  org.eclipse.scout.http.servletfilter.security.BasicSecurityFilter#active=true
  org.eclipse.scout.http.servletfilter.security.BasicSecurityFilter#realm=security Development
  org.eclipse.scout.http.servletfilter.security.BasicSecurityFilter#users=web\=web
- <application name>.server/products/[development|production]/config.ini
  org.eclipse.scout.http.servletfilter.security.BasicSecurityFilter#active=true
  org.eclipse.scout.http.servletfilter.security.BasicSecurityFilter#realm=security Development
  org.eclipse.scout.http.servletfilter.security.BasicSecurityFilter#users=rich\=rich


Note:
If you create a new Scout Project with RAP support using an Eclipse Juno for Scout developers, the setup is exactly as described. The only thing you have to do is to set 'org.eclipse.scout.http.servletfilter.security.AnonymousSecurityFilter#active=false' and 'org.eclipse.scout.http.servletfilter.security.BasicSecurityFilter#active=true' in the RAP Server and Server product files.

-andreas