| Login Box default user name [message #878453] |
Tue, 29 May 2012 10:41  |
|
In my project, I'm using a copy of the LDAPSecurityFilter to prompt users for username and password before executing an LDAP query to authenticate the user. That part works. The client now wants the last username used to be shown in the LoginDialog upon startup. I think this ought to be the default behaviour (and I've seen it in other Scout projects) but it doesn't work for me. The question is: Where do I start looking?
The .../user/.settings/org.eclipse.scout.rt.client.prefs file does not contain the username (and in the other Scout project I looked at, this was where it was stored). Thus, as far as I can tell, the username is not being cached in the first place.
Assuming I need to write this code myself, I'm looking for some guidance: Will I need to create a copy of the InternalNetAuthenticator (ie. all of the classes in org.eclipse.scout.rt.ui.swing.login.internal) in order to cache the username myself?
Cheers
Alex
|
|
|
| Re: Login Box default user name [message #878464 is a reply to message #878453] |
Tue, 29 May 2012 11:14  |
 Ivan Motsch
Messages: 154
Registered: March 2010 |
Senior Member |
|
|
Basically according to the OWASP security guidelines usernames and passwords should never be cached or held in a cookie.
If you are using Web-Browser:
However if the "last" username should be shown before the user logged in, then there must be some browser cookie that tells the server who the user is.
If no such cookie is available or the user chooses another browser/machine then there will be no information.
Otherwise the server can match the cookie id to a cache of cookie-id / username and send a www-user info back to the browser for login.
If you are using rich client:
The basic reason why there is no such user store is that a rich client per se can manage multiple url connections. So which username to cache?
What can be done however: You can tell the NetAuthenticator which username to use for a certain url by
1. Make sure the authenticator is allowed to use caching by setting the config.ini property:
java.net.authenticate.cache.enabled=true
2. Since you don't want to save the password, but only the username, manually save the username once
the user logged in successfully. Therefore in your ClientSession.execLoad method add code just after the first call to the backend (most often a ping service call).
public class ClientSession{
...
@Override
public void execLoadSession() throws ProcessingException {
//sample code
try{...
URL serverUrl = new URL(getBundle().getBundleContext().getProperty("server.url"));
setServiceTunnel(new HttpServiceTunnel(this, serverUrl.toExternalForm(), (String) getBundle().getHeaders().get("Bundle-Version")));
SERVICES.getService(IPingService.class).ping("ping");
//after the ping call to the server - if we got here - the user is valid and the shared context variables is synchronized with the server.
String validUserId = getUserId();
SecurePreferencesUtility.storeCredentials(serverUrl.getHost() + serverUrl.getPath(), validUserId, "");
}
catch(...){
...
}
}
}
3. next time the client starts and accesses this url path, the InternalNetAuthenticator will check the secure preferences store and show up with a pre-filled username.
[Updated on: Tue, 29 May 2012 11:17] Report message to a moderator |
|
|
| Re: Login Box default user name [message #878490 is a reply to message #878464] |
Tue, 29 May 2012 12:23 |
|
Thank you for the reply. It turns out that this doesn't quite work as expected because of the "LoginDialog.savePassword" checkbox at the bottom of the LoginDialog. In addition to that, using the empty string as a password didn't work -- effectively the real password was kept.
It seems to me that I will have to create a copy of the InternalNetAuthenticator (and thus of the other classes in org.eclipse.scout.rt.ui.swing.login.internal) in order to cache the username myself.
|
|
|
| Re: Login Box default user name [message #896789 is a reply to message #878453] |
Thu, 19 July 2012 19:01 |
Boy D'Poy
Messages: 67
Registered: October 2011 |
Member |
|
|
Hi!
<<In my project, I'm using a copy of the LDAPSecurityFilter to prompt users for username and password before executing an LDAP query to authenticate the user. That part works>>
This is what I'm trying to do with no success.
I took a look tu this page [ http : //wiki . eclipse . rg /Scout/ Concepts/ Security#LDAPSecurityFilter] but things remains unclear, because even when parameters to set are told, we since don't know where to put them, in the server's config.ini , the rap client's one, both ....?
Should we keep or not the extensions in both server and client plugins, even in rap ui plugins ? no answer... ;(
So that, You'll be very helpful if I could get a step by step guide to make my firs LDAP athentication box appear.
From my side, I removed the extension point org.eclipse.scout.http.servletfilter.filters both from my server and client plugins and put
### Authentication
org.eclipse.scout.http.servletfilter.security.AnonymousSecurityFilter#active=false
org.eclipse.scout.http.servletfilter.security.BasicSecurityFilter#active=false
org.eclipse.scout.http.servletfilter.security.LDAPSecurityFilter#active=true
#LDAP
org.eclipse.scout.http.servletfilter.security.LDAPSecurityFilter#active=true
org.eclipse.scout.http.servletfilter.security.LDAPSecurityFilter#realm=developmnet
org.eclipse.scout.http.servletfilter.security.LDAPSecurityFilter#failover=false
in these both config.ini files and the application runs fine ... but not securely what I know to be wrong ;(
Thank you!
Once You Go Scout, You Never Come Out!
|
|
|
| Re: Login Box default user name [message #897149 is a reply to message #896789] |
Sun, 22 July 2012 15:39 |
Eclipse User |
|
|
|
A few words about security in Scout RAP applications.
Wording:
RAP Server: The Eclipse Scout Client part running in a web container on a server.
Server: The Eclipse Scout Server part running in a web container on a server.
ServletFilters can be applied to either the RAP Server servlet or the Server servlet. The usual way is to protect the first backend access of a client. In RAP applications it is the browser call to the RAP Server. It's a good idea to have a separate servlet on the Server for requests from RAP Server and Rich Clients.
An example:
Server:
/process servlet for rich clients
security filter for rich client requests
<extension
point="org.eclipse.scout.http.servletfilter.filters">
<filter
aliases="/web"
class="org.eclipse.scout.http.servletfilter.security.BasicSecurityFilter"
ranking="20">
</filter>
</extension>
/ajax servlet for RAP Server requests
NO SECURITY FILTER a security subject is expected on the request
RAP Server:
/web servlet
security filter for browser requests
<extension
name=""
point="org.eclipse.scout.http.servletfilter.filters">
<filter
aliases="/process /remotefiles /updatesite"
class="org.eclipse.scout.http.servletfilter.security.BasicSecurityFilter"
ranking="20">
</filter>
</extension>
Configuration:
- <application name>.ui.rap/products/[development|production]/config.ini
server.url=http://localhost:8080/security/ajax
org.eclipse.scout.http.servletfilter.security.BasicSecurityFilter#active=true
org.eclipse.scout.http.servletfilter.security.BasicSecurityFilter#realm=security Development
org.eclipse.scout.http.servletfilter.security.BasicSecurityFilter#users=web\=web
- <application name>.server/products/[development|production]/config.ini
org.eclipse.scout.http.servletfilter.security.BasicSecurityFilter#active=true
org.eclipse.scout.http.servletfilter.security.BasicSecurityFilter#realm=security Development
org.eclipse.scout.http.servletfilter.security.BasicSecurityFilter#users=rich\=rich
Note:
If you create a new Scout Project with RAP support using an Eclipse Juno for Scout developers the setup is exactly as described. The only thing you have to do is to set 'org.eclipse.scout.http.servletfilter.security.AnonymousSecurityFilter#active=false' and 'org.eclipse.scout.http.servletfilter.security.BasicSecurityFilter#active=true' in RAP Server and Server product files.
-andreas
|
|
|
Powered by
FUDForum. Page generated in 0.03540 seconds
] 
Search
Help
Register
Login
Home
