[daisy] "Remember Me" functionality implementation proposal
Bob Rich
rrich at gstisecurity.com
Thu Sep 14 10:53:42 CDT 2006
Hey Bruno,
> Rather than extending the repository "hard-coded" with token-based
> authentication, I would approach this by allowing to register new
> credential types in the repository server.
This is a good idea. It might be worth scanning PAM, GSS-API, and JAAS
to get an idea of what kind of interface would be reasonably adaptable
without requiring too much plumbing. (For example, the current
getRepository(Credentials creds) does not provide an explicit
authentication result, which can be useful for things like exposing a
'getToken()' type method.)
> So next to the built-in
> username/password-based credentials, it would be possible to have other
> credential types, and for now specifically token-based credentials.
Speaking of which :) If the current authentication scheme is just
'username/password', would the new one be 'username/password/token', or
just 'token'? If it's the latter, how would you expose the token
generation through the API?
> A repository client can then use whatever sort of credentials it prefers,
> as long as it is supported by the repository.
Do you think the repository should advertise the schemes it supports, or
just throw up if you try to use something it doesn't understand?
> On the user record, it
> should be possible to indicate which credential types are allowed (for
> the case where you don't want to allow e.g. token-based access for
> certain users).
>
I think this might be more appropriate at the role level rather than the
user level. For example, maybe it's OK for a user to assume the 'user'
role with token credentials, but maybe not for access to the
Administrator role (which may require the current password, two-factor,
a cert, etc.).
> - to restore the active roles of the user, a separate cookie can be
> maintained which keeps the list of active roles (there are no special
> security issues with this).
>
This does get outside of the 'pluggable authentication' domain a bit,
but would be a great option for 'Remember Me', so I think a separate
cookie is a good idea.
> These are the basic ideas. Comments welcome.
>
>
These are basic comments, ignore freely. :)
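The sketch below is an added illustration of the ideas discussed in this thread (registered credential types, an explicit authentication result, a 'getToken()'-style method that is only reachable after a password login, and per-role rather than per-user restrictions on which credential types are acceptable). It is not Daisy code and not from either poster; the names Repository, UserRecord, AuthResult, PasswordCredentials, TokenCredentials, register_credential_type, supported_credential_types, issue_token and activate_role are all assumed for the example, and the single user "alice" with her roles is constructed test data.

```python
"""Pluggable credential types with per-role restrictions (illustration only;
not Daisy's API). All class and method names here are assumptions."""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field


@dataclass
class UserRecord:
    login: str
    salt: bytes
    password_hash: bytes
    # role -> set of credential type names allowed to activate that role
    # (the per-role variant of the "allowed credential types" idea above)
    role_credentials: dict
    # SHA-256 digests of issued remember-me tokens; raw tokens are never stored
    token_hashes: set = field(default_factory=set)


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass(frozen=True)
class PasswordCredentials:
    login: str
    password: str


@dataclass(frozen=True)
class TokenCredentials:
    login: str
    token: str


@dataclass
class AuthResult:
    """Explicit authentication result: who logged in and with which scheme."""
    user: UserRecord
    credential_type: str

    def allowed_roles(self) -> set:
        return {role for role, types in self.user.role_credentials.items()
                if self.credential_type in types}


class AuthenticationError(Exception):
    pass


class Repository:
    def __init__(self):
        self._users = {}
        # credential type name -> (credentials class, verifier callable)
        self._credential_types = {}

    def register_credential_type(self, name, cred_cls, verify):
        self._credential_types[name] = (cred_cls, verify)

    def supported_credential_types(self) -> set:
        """Advertise the registered schemes instead of failing on first use."""
        return set(self._credential_types)

    def add_user(self, login, password, role_credentials):
        salt = os.urandom(16)
        self._users[login] = UserRecord(login, salt, hash_password(password, salt),
                                        role_credentials)

    def authenticate(self, creds) -> AuthResult:
        for name, (cred_cls, verify) in self._credential_types.items():
            if isinstance(creds, cred_cls):
                user = self._users.get(creds.login)
                if user is None or not verify(user, creds):
                    raise AuthenticationError("bad credentials")
                return AuthResult(user, name)
        raise AuthenticationError("unsupported credential type: "
                                  + type(creds).__name__)

    def issue_token(self, result: AuthResult) -> str:
        """The 'getToken()' step: only a password login may mint a token."""
        if result.credential_type != "password":
            raise AuthenticationError("token issuance requires password login")
        token = secrets.token_urlsafe(32)
        result.user.token_hashes.add(hashlib.sha256(token.encode()).digest())
        return token

    def activate_role(self, result: AuthResult, role: str) -> bool:
        return role in result.allowed_roles()


def verify_password(user: UserRecord, creds: PasswordCredentials) -> bool:
    return hmac.compare_digest(hash_password(creds.password, user.salt),
                               user.password_hash)


def verify_token(user: UserRecord, creds: TokenCredentials) -> bool:
    return hashlib.sha256(creds.token.encode()).digest() in user.token_hashes


def build_repository() -> Repository:
    """Constructed sample data: 'alice' may use a token for 'user' only."""
    repo = Repository()
    repo.register_credential_type("password", PasswordCredentials, verify_password)
    repo.register_credential_type("token", TokenCredentials, verify_token)
    repo.add_user("alice", "correct horse battery",
                  {"user": {"password", "token"}, "Administrator": {"password"}})
    return repo
```

With this shape a Remember Me token can restore the 'user' role but a request for the Administrator role is refused until the caller re-authenticates with a password, which is the role-level policy argued for above. Because the result carries the credential type, the caller never has to guess how the session was established.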