Notice: This Wiki is now read only and edits are no longer possible. Please see: https://gitlab.eclipse.org/eclipsefdn/helpdesk/-/wikis/Wiki-shutdown-plan for the plan.
Difference between revisions of "I-Card Service Web App vs CardSync Web App Authentication"
(→Authentication with AccessToken) |
|||
Line 7: | Line 7: | ||
==Authentication with AccessToken== | ==Authentication with AccessToken== | ||
+ | [Paul: Is this explaining about the I-Card Service Web App or about the CardSync Web App? Or is this something common to both? I'm lost already] | ||
+ | |||
Authentication workflow: | Authentication workflow: | ||
#Obtain an AccessToken by using AuthCredentialTO (signIn). | #Obtain an AccessToken by using AuthCredentialTO (signIn). |
Revision as of 00:23, 1 July 2009
{{#eclipseproject:technology.higgins|eclipse_custom_style.css}}
This page compares the authentication implementations used by two important Higgins services.
Note: All web services (Rest/JAX-WS/JAX-RPC) may/should be deployed into one web app. The latest CardSync build includes all I-Card Server WS endpoints. [Paul: I don't understand these two sentences; please elaborate]
Contents
Authentication with AccessToken
[Paul: Is this explaining about the I-Card Service Web App or about the CardSync Web App? Or is this something common to both? I'm lost already]
Authentication workflow:
- Obtain an AccessToken by using AuthCredentialTO (signIn).
- Request protected data by using AccessToken.Id, Selector client has to pass AccessToken.Id by using authorization http header with prefix HWS
"Authorization: HWS <Access Token Identifier>"
. - Delete AccessToken (signOut).
AccessTokenTO
AccessTokenTO contain the following fields:
- String id - token identifier
- Date issuedTime - issued date time
- Integer maxIdleTime - max idle time in seconds
- Integer maxLiveTime - maximum live time in seconds
Access Token will be deleted automatically on server side:
- if it isn't used more than idle timeout;
- if maximum live time expires (difference between creation time and current server time)
Projects:
- org.eclipse.higgins.sync.auth.IAuthenticateService defines the API for managing AccessToken entities.
- org.eclipse.higgins.sync.auth.ehcache project implements IAuthenticateService by using EhCache libraries.
- org.eclipse.higgins.user.login.LoginService defines the API for validating user credentials.
- org.eclipse.higgins.user.idas project implements LoginService by using hibernate CP.
I-card Server Web App
I-card Server Web App have two JAX-RPS WS endpoints.
- RPPSService requires to send username/password every time. (Deprecated)
- SCRPPSService requires to use authentication with AccessToken.
Selector client has to:
- Invoke signIn WS method by using AuthCredentialTO.
- Invoke protected WS operations by using AccessToken.Id.
- Invoke signOut WS method.
CardSync Web App
Both CardSync endpoints Rest(/rs/) and JAX-WS (/ws/CardSync) support authentication with AccessToken. Rest selector client has to:
- POST AuthCredentialTO to "/AuthCredential" (signIn).
- GET/PUT/POST/DELETE protected data by using AccessToken.Id.
- DELETE AccessToken (signOut).
Login modules
Both I-Card Server Web App and CardSynch Web App delegate the validation of user credentials to the LoginService. It includes two login modules for validating user password.
- First validates clean user password (old selector send clean user password to server)
- Second validates sha-256 password hash (Serialized selector client send sha-256 password hash)
Auth Credential type
Both web apps support username/password credentials UsernamePasswordAuthCredentialTO and serialized client credentials SelectorAuthCredentialTO.
Add new Auth Credentials type
The following steps have to be done for supporting new Auth Credentials type:
- Define new AuthCredentialTO
- Implement new login modules for validating that credentials.
- Fix signIn method for supporting new Auth Credentials type.
- Add WS methods for associate new Auth Credentials with user account (optional).
- Add WS method for creating new user account by using new Auth Credentials type (optional).
For example, if we're going to support authentication with a SAML token, we have to also add a method for retrieving policy.
Single sign on logout
Authentication with AccessToken may implement single sign on log out pattern. I'm not sure, but i thing we shouldn't restrict active user sessions. For example user may use few selector clients from laptop and iphone or android phone in the same time.
Online/Offline user status
We may use AccessToken for checking online/offline user status. it may be useful for sending some user notifications in r-card forkflow.
However, we also may use "comet" http://en.wikipedia.org/wiki/Comet_(programming) pattern instead.