rememberme doesn't work in sample web application


rememberme doesn't work in sample web application

Csaba Nemeth
It looks like the sample web application should work with remember-me functionality by default.

Here is what I try:
 I click login
 I select remember-me checkbox, enter username/password and successfully login
 I can visit the 'account' page
 I restart the browser and visit the home page; it looks like I am still logged in
 When I try to access the 'account' page I am given a login page as if I wasn't logged in.

Am I missing something?
Shouldn't this work out of the box?

I tried with 9.0 final and 1.0 snapshot - both work the same way.

Thanks,
Csaba

Re: rememberme doesn't work in sample web application

Les Hazlewood-2
Hi Csaba,

It did work prior to 9.0 final, but there were some changes/moves with all the sample applications that might cause it to fail.  There is currently a Jira issue to ensure that all sample apps run successfully, as a sanity check, before releasing 1.0.

Of course, we'd love to have any contributions you might have that point out where something is failing!  I'm very appreciative of any feedback you may have.

Best,

Les

On Mon, Feb 2, 2009 at 5:05 PM, Csaba Nemeth <[hidden email]> wrote:


Re: rememberme doesn't work in sample web application

Csaba Nemeth
Hi Les,

I debugged the filter and rememberme manager.
Probably I misunderstand something.

Should the rememberme manager recreate the subject as authenticated user, or just validate the cookie content, recreate the subject with roles, but not mark it as authenticated?

The information the home page displays suggests that the user is valid (logged in) on the server side, as it shows the username and roles. But then again, it is a sample application.

So the change needed in the sample app is to show the username in the login window that was displayed during a non-authenticated access to the protected 'account' page with a valid principal in the session, and perhaps display on the home page that the subject is not authenticated?

Thanks,
Csaba


Re: rememberme doesn't work in sample web application

Les Hazlewood-2
Hi Csaba,

The RememberMeManager will _not_ mark a Subject as authenticated.  Authentication is the act of proving you are who you say you are.  When a user is remembered, the system has a good idea who the user is, but this is not actual proof.

Please see this for an explanation of why:

http://www.jsecurity.org/api/org/jsecurity/authc/RememberMeAuthenticationToken.html

So you can be 'remembered', but not authenticated.  Authentication state is only retained during the session when they actually authenticated.  If that session is stopped or expired, so is their authentication status.

The JavaDoc above should explain why you should still see your name and have roles and permission access, but still be required to log in if you try to access a 'security sensitive' part of the application.

I hope that helps :)

Cheers,

Les

On Tue, Feb 3, 2009 at 10:19 AM, Csaba Nemeth <[hidden email]> wrote:
--
View this message in context: http://n2.nabble.com/rememberme-doesn%27t-work-in-sample-web-application-tp2260537p2263828.html
Sent from the JSecurity User mailing list archive at Nabble.com.
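The distinction Les draws above, worked through as an added example (my code, not JSecurity's): a remembered Subject is rebuilt from a signed cookie with its principal and roles, but its `authenticated` flag stays false until a password login happens in the current session, so a `user` rule (the home page) admits it while an `authc` rule (the account page) sends it back to the login form. The `user`/`authc` rule names are assumed to match the framework's filter vocabulary; the user store, cookie format, HMAC key and the `Browser` stand-in are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from typing import Optional

# Assumption: a server-side secret that signs the remember-me cookie.
SERVER_KEY = b"constructed-demo-key-do-not-reuse"

# Constructed user store; a real deployment would consult a Realm.
USERS = {"root": {"password": "secret", "roles": {"admin", "user"}}}

# Per-URL rule, mirroring the sample app's home/account split (names assumed):
# "user" = any known identity, remembered or not; "authc" = proven in *this* session.
FILTER_CHAIN = {"/home": "user", "/account": "authc"}


def make_remember_me_cookie(username: str, key: bytes = SERVER_KEY) -> str:
    """Sign the remembered principal so a client cannot forge the cookie."""
    payload = base64.urlsafe_b64encode(json.dumps({"u": username}).encode()).decode()
    mac = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{mac}"


def read_remember_me_cookie(cookie: Optional[str], key: bytes = SERVER_KEY) -> Optional[str]:
    """Return the remembered username, or None if absent, malformed or tampered."""
    if not cookie or "." not in cookie:
        return None
    payload, mac = cookie.rsplit(".", 1)
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    return json.loads(base64.urlsafe_b64decode(payload))["u"]


@dataclass
class Subject:
    principal: Optional[str] = None
    roles: set = field(default_factory=set)
    authenticated: bool = False  # True only after a password login in this session

    @property
    def remembered(self) -> bool:
        """Known identity without proof: exactly the remember-me case."""
        return self.principal is not None and not self.authenticated


@dataclass
class Browser:
    # Constructed client: a session that dies on restart and a persistent cookie jar.
    session: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)

    def restart(self) -> None:
        self.session = {}  # session cookie is gone, so the server session is unreachable


def build_subject(browser: Browser) -> Subject:
    """Rebuild the Subject per request: authenticated session first, then remember-me."""
    principal = browser.session.get("principal")
    if principal in USERS:
        return Subject(principal, set(USERS[principal]["roles"]), authenticated=True)
    principal = read_remember_me_cookie(browser.cookies.get("rememberMe"))
    if principal in USERS:
        # Valid cookie: identity and roles come back, but nothing was proven now.
        return Subject(principal, set(USERS[principal]["roles"]), authenticated=False)
    return Subject()


def login(browser: Browser, username: str, password: str, remember_me: bool) -> Subject:
    user = USERS.get(username)
    if user is None or user["password"] != password:
        raise PermissionError("bad credentials")
    browser.session["principal"] = username  # authenticated for this session only
    if remember_me:
        browser.cookies["rememberMe"] = make_remember_me_cookie(username)
    return build_subject(browser)


def handle(browser: Browser, path: str):
    """Apply the filter rule for `path`; returns (status, body or redirect target)."""
    subject = build_subject(browser)
    rule = FILTER_CHAIN.get(path, "anon")
    if rule == "authc" and not subject.authenticated:
        return 302, "/login"  # remembered is not enough for a sensitive page
    if rule == "user" and subject.principal is None:
        return 302, "/login"
    state = "authenticated" if subject.authenticated else "remembered" if subject.remembered else "anonymous"
    return 200, f"{path}: {subject.principal} ({state}) roles={sorted(subject.roles)}"


def reproduce_thread_scenario() -> dict:
    """Csaba's steps: login with remember-me, restart the browser, revisit both pages."""
    b = Browser()
    login(b, "root", "secret", remember_me=True)
    results = {"account": handle(b, "/account")}
    b.restart()
    results["home_after_restart"] = handle(b, "/home")
    results["account_after_restart"] = handle(b, "/account")
    b.cookies["rememberMe"] = "x" + b.cookies["rememberMe"][1:]  # tamper with the payload
    results["home_tampered"] = handle(b, "/home")
    return results
```

Calling `reproduce_thread_scenario()` reproduces the sequence from the first post: `/account` is 200 right after login, `/home` is still 200 after the browser restart (state `remembered`, roles intact), `/account` after the restart is a 302 to `/login`, and a cookie with one byte flipped yields no identity at all, because the MAC check fails before the payload is trusted.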