[daisy] "Remember Me" functionality implementation proposal
Bruno Dumon
bruno at outerthought.org
Fri Sep 15 04:22:28 CDT 2006
Hi,
Thanks for the input, you've triggered some new interesting thoughts.
And I should indeed also have a look at things like JAAS.
However, I'm currently again busy with other stuff so expect a bit of
time to pass before I'll get back to this...
On Thu, 2006-09-14 at 11:53 -0400, Bob Rich wrote:
> Hey Bruno,
>
> > Rather than extending the repository "hard-coded" with token-based
> > authentication, I would approach this by allowing to register new
> > credential types in the repository server.
> This is a good idea. It might be worth scanning PAM, GSS-API, and JAAS
> to get an idea of what kind of interface would be reasonably adaptable
> w/o requiring too much plumbing. (For example, the current
> getRepository(Credentials creds) does not provide an explicit
> authentication result, which can be useful for things like exposing a
> 'getToken()' type method)
> > So next to the built-in
> > username/password-based credentials, it would be possible to have other
> > credential types, and for now specifically token-based credentials.
> Speaking of which :) If the current authentication scheme is just
> 'username/password', would the new one be 'username/password/token', or
> just 'token'? If it's the latter, how would you expose the token
> generation through the API?
> > A repository client can then use whatever sort of credentials it prefers,
> > as long as it is supported by the repository.
> Do you think the repository should advertise the schemes it supports, or
> just throw up if you try to use something it doesn't understand?
> > On the user record, it
> > should be possible to indicate which credential types are allowed (for
> > the case where you don't want to allow e.g. token-based access for
> > certain users).
> >
> I think this might be more appropriate at a role level rather than a
> user level. For example, maybe it's ok for a user to assume the 'user'
> role with token credentials, but maybe not for access to the
> Administrator role (which may require current password, two-factor,
> cert, etc.)
>
>
> > - to restore the active roles of the user, a separate cookie can be
> > maintained which keeps the list of active roles (there are no special
> > security issues with this).
> >
> This does get outside of the 'pluggable authentication' domain a bit,
> but would be a great option for 'Remember Me', so I think a separate
> cookie is a good idea.
> > These are the basic ideas. Comments welcome.
> >
> >
> These are basic comments, ignore freely. :)
--
Bruno Dumon http://outerthought.org/
Outerthought - Open Source, Java & XML Competence Support Center
bruno at outerthought.org bruno at apache.org
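As an added illustration (not Daisy's code, and not written by either participant), here is a Java sketch of the design the thread is circling: credential types registered by name in the repository server, `getRepository(Credentials)` returning an explicit authentication result that can expose a token, a role-level policy on which credential types may assume a role, and a separate roles cookie whose contents are filtered against that policy on restore. Only `Credentials` and `getRepository` are names from the thread; every other class, method, the sample user store and the cookie format are assumptions made for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.*;

// Added illustration, not Daisy's code: registrable credential types, an explicit
// auth result, per-role credential-type restrictions, and a separate roles cookie.
public class PluggableAuthExample {

    /** A credential object names its scheme; the server dispatches on that name. */
    interface Credentials { String type(); }

    static final class PasswordCredentials implements Credentials {
        final String username, password;
        PasswordCredentials(String username, String password) { this.username = username; this.password = password; }
        public String type() { return "password"; }
    }

    static final class TokenCredentials implements Credentials {
        final String token;
        TokenCredentials(String token) { this.token = token; }
        public String type() { return "token"; }
    }

    /** Explicit outcome of authentication; token is non-null only when the scheme issued one. */
    static final class AuthResult {
        final String username, credentialType, token;
        AuthResult(String username, String credentialType, String token) {
            this.username = username; this.credentialType = credentialType; this.token = token;
        }
    }

    static final class AuthException extends Exception { AuthException(String m) { super(m); } }

    /** One pluggable scheme, registered under a credential type name (hypothetical interface). */
    interface CredentialHandler { AuthResult authenticate(Credentials creds) throws AuthException; }

    static final class RepositoryServer {
        private final Map<String, CredentialHandler> handlers = new HashMap<>();
        private final Map<String, Set<String>> roleAllows = new HashMap<>();

        void registerCredentialType(String type, CredentialHandler handler) { handlers.put(type, handler); }
        /** Lets a client discover supported schemes instead of failing on an unknown one. */
        Set<String> supportedCredentialTypes() { return Collections.unmodifiableSet(handlers.keySet()); }
        /** Role-level policy: which credential types may assume this role. */
        void allowForRole(String role, String... types) { roleAllows.put(role, new HashSet<>(Arrays.asList(types))); }

        AuthResult getRepository(Credentials creds) throws AuthException {
            CredentialHandler handler = handlers.get(creds.type());
            if (handler == null) throw new AuthException("unsupported credential type: " + creds.type());
            return handler.authenticate(creds);
        }

        /** Restore active roles from the separate roles cookie, dropping any this credential type may not assume. */
        List<String> restoreRoles(AuthResult auth, String rolesCookie) {
            List<String> active = new ArrayList<>();
            for (String role : rolesCookie.split(",")) {
                Set<String> allowed = roleAllows.get(role);
                if (allowed != null && allowed.contains(auth.credentialType)) active.add(role);
            }
            return active;
        }
    }

    public static void main(String[] args) throws AuthException {
        // Constructed sample stores; a real server would hash passwords and persist/expire tokens.
        Map<String, String> passwords = new HashMap<>();
        passwords.put("alice", "correct horse battery staple");
        Map<String, String> tokens = new HashMap<>();   // token -> username
        SecureRandom rng = new SecureRandom();

        RepositoryServer server = new RepositoryServer();
        server.registerCredentialType("password", creds -> {
            PasswordCredentials pc = (PasswordCredentials) creds;
            String expected = passwords.get(pc.username);
            if (expected == null || !MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                                          pc.password.getBytes(StandardCharsets.UTF_8)))
                throw new AuthException("bad username or password");
            byte[] raw = new byte[32];
            rng.nextBytes(raw);                          // unguessable Remember Me token
            String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
            tokens.put(token, pc.username);
            return new AuthResult(pc.username, "password", token);
        });
        server.registerCredentialType("token", creds -> {
            String user = tokens.get(((TokenCredentials) creds).token);
            if (user == null) throw new AuthException("unknown or expired token");
            return new AuthResult(user, "token", null);   // token login issues no new token here
        });
        server.allowForRole("user", "password", "token");
        server.allowForRole("Administrator", "password"); // admin role needs a current password

        System.out.println("supported: " + server.supportedCredentialTypes());
        AuthResult first = server.getRepository(new PasswordCredentials("alice", "correct horse battery staple"));
        String rolesCookie = "user,Administrator";        // written alongside the token cookie
        System.out.println("password login roles: " + server.restoreRoles(first, rolesCookie));

        AuthResult later = server.getRepository(new TokenCredentials(first.token));
        System.out.println("token login roles:    " + server.restoreRoles(later, rolesCookie));
    }
}
```

Run as-is, the password login yields both roles while the later token login, restored from the same roles cookie, yields only `user`: the roles cookie carries no secret, which is why it needs no special protection, but what it can restore is still bounded by the credential type that authenticated the session.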