...

  1. Support single logon for user accounts and for users who leave blog comments;
  2. Existing users will be able to tie their accounts to an OpenID identity for further use;
  3. New users will have to provide only an OpenID identity for further identification;
  4. If the user is not logged in and wants to leave a comment, the system will redirect him to the login page;
  5. Integration of the new authorization system with the existing one, which is built on the Spring Acegi framework;
  6. Support for multiple profiles (for example, providing different names and info at different services);
  7. The Roller system will be notified automatically when users change their info on other sites, so it will always have up-to-date information.

Requirements

  1. Add OpenID support to Roller for user logins
  2. Create a new database table with two columns: string openid_url, int user_id, where user_id is a foreign key which points to the users table and openid_url is the user's OpenID identifier. There should be a primary key on openid_url and an index on user_id.
  3. Functionality for redirecting the user to his OpenID provider's website.
  4. Verify the OpenID provider's response; for new users, send them to the Roller registration flow and pre-fill any registration info received from their OpenID provider.
  5. Modify the sign-up page (registration flow): don't ask for a password if the user is going to sign in with OpenID.
  6. For existing users, attach the verified OpenID to their account (when they use it for the first time).
  7. A new web page (or additional UI objects on an existing page) to manage a user's attached OpenIDs (add and delete).
  8. Allow new users to register and log in via OpenID.
  9. Allow existing users to log in via OpenID, i.e. by associating a Roller user account with an OpenID identity.
  10. Allow those who wish to leave comments to log in via OpenID.
  11. Allow users to associate multiple OpenID accounts with one Roller account, i.e. associate multiple OpenID identities with one Roller user.

Issues

Should the user have a choice of which openid_url to use during authentication?
If the user can have multiple openid_urls, there should be some additional functionality on the page where the user edits their profile details (to add or remove a certain openid_url from the list), and the database structure should be adjusted accordingly.
Another issue is the registration of a new user. The user will be asked whether he wants to use OpenID or not. If not, he will be redirected to the usual registration page. Otherwise, he will enter his OpenID and be redirected to his OpenID Provider to authenticate; some of the information will then be received from the user's profile and, if necessary, he will be asked to provide some additional information. At the same time, when the user comes to the website for the first time, he can authenticate using OpenID and a new account will be created automatically. So, do we need two forms of creating a new user?

...

  • Authentication technologies to be used:
  • Database changes - add a new database table userattributes. It should consist of three columns: user_id, attributename and attributevalue. With such a change in the database schema, any other authentication system which requires some user attributes can use this database table.
  • userid_openid_url
  • Change the Acegi authentication filter in the security.xml file - add a new filter to redirect the user to the OpenID Provider's website.
  • List of classes to which the new functionality will be added:
    • org.apache.roller.weblogger.User.java - add the list of OpenIDs and a method that casts an OpenID to its canonical form (so that it is stored in the database in a predefined format):
      • String castToCanonical(String url)
    • Create a new POJO class UserAttributes which will represent the userattributes database table.
    • Create a new class OpenIDConnector implementing methods to establish a connection with the OpenID provider, request authentication and handle the response:
      • String getProviderURL(String openid_url) - returns the Provider's URL to which the request is sent
      • void sendRedirect(String provider_url) - redirects the user to the Provider's website
      • UserDetails getParameters() - gets user profile information
      • void verifyResponse(HttpServletRequest httpReq) - verifies the Provider's response
    • Modify the classes Authenticator.java, JPAUserManagerImpl.java and JPAPersistenceStrategy.java - add methods to connect to the OpenID provider and receive its response, and methods for retrieving an instance of the user and managing his OpenIDs, for instance:
      • int getUserId(openid_url) - returns the user id for a verified openid_url
      • GetOpenIDsByUser(user_id) - returns the list of OpenIDs that belong to one user
      • AttachOpenID(openid_url, user_id) - adds an OpenID URL to the user's profile
      • DetachOpenID(openid_url, user_id) - deletes a certain OpenID URL from the user's profile
      • DetachOpenIDsByUser(user_id) - deletes all OpenIDs from the user's profile
  • For some of the actions I should add work with cookies - to preload openid_url for user convenience.
  • Add new Struts Actions and Forms - for establishing the connection with the OpenID provider's website and receiving the response from it.
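As an added illustration of the castToCanonical method listed above (example code written for this page, not Roller's own implementation; the class name OpenIdNormalizer is assumed), the following normalizes a user-supplied identifier according to the OpenID 2.0 rules for URL identifiers before it is used to look up or insert a row keyed on openid_url. Without a single canonical form, the same person typing "Example.com", "http://example.com" and "http://example.com:80/" would produce three different primary keys and three accounts.

```java
import java.net.URI;
import java.net.URISyntaxException;

// Example for this page, not Roller code: canonicalize an OpenID identifier so that
// the value stored under the openid_url primary key is the same however the user typed it.
// Follows the OpenID 2.0 normalization rules for URL identifiers; XRIs are only
// recognized here, not resolved.
public final class OpenIdNormalizer {

    private static final String XRI_GLOBAL_SYMBOLS = "=@+$!(";

    /** Returns the XRI itself, or a lower-cased http(s) URL with the fragment removed. */
    public static String castToCanonical(String input) {
        String id = input == null ? "" : input.trim();
        if (id.isEmpty()) throw new IllegalArgumentException("empty OpenID identifier");

        // XRI form: drop an "xri://" prefix; a leading global context symbol marks an XRI.
        if (id.regionMatches(true, 0, "xri://", 0, 6)) id = id.substring(6);
        if (!id.isEmpty() && XRI_GLOBAL_SYMBOLS.indexOf(id.charAt(0)) >= 0) return id;

        // URL form: users usually type the bare host, so supply the http scheme.
        if (!id.regionMatches(true, 0, "http://", 0, 7)
                && !id.regionMatches(true, 0, "https://", 0, 8)) {
            id = "http://" + id;
        }
        try {
            URI uri = new URI(id);
            String scheme = uri.getScheme().toLowerCase();
            String host = uri.getHost();
            if (host == null) throw new IllegalArgumentException("no host in: " + input);
            host = host.toLowerCase();
            int port = uri.getPort();
            boolean defaultPort = port == -1
                    || ("http".equals(scheme) && port == 80)
                    || ("https".equals(scheme) && port == 443);
            String path = uri.getRawPath();
            if (path == null || path.isEmpty()) path = "/";
            StringBuilder out = new StringBuilder(scheme).append("://").append(host);
            if (!defaultPort) out.append(':').append(port);
            out.append(path);
            if (uri.getRawQuery() != null) out.append('?').append(uri.getRawQuery());
            // The fragment is deliberately dropped: it is never part of the identifier.
            return out.toString();
        } catch (URISyntaxException e) {
            throw new IllegalArgumentException("malformed OpenID identifier: " + input, e);
        }
    }
}
```

The same normalization must be applied to the claimed identifier carried in the provider's verified response before it is compared with the stored openid_url; otherwise the lookup can miss and an existing user is wrongly treated as a new one.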

Project Plan

  1. Examine the application structure and the features of the existing authorization system, built using the Spring Acegi framework. Understand what types of security filters are used and how they can be replaced. Outline what features to change and what to edit in the existing system.
  2. Examine which technologies and frameworks to use in this project (JSF, Struts). Java Server Faces technology will be used for writing the code for client/server collaboration in the web application.
  3. Plan the main functionality of the project and install the required libraries on the system.
  4. Implement the main functionality - add the necessary classes and scripts.
  5. Change the visual interface of the application (add an authentication prompt that asks users for their OpenID identifier rather than their username and password).
  6. Implement the option of storing users' preferences indicating whether they want to approve authentication with the website 'temporarily', 'always' or 'not at all'.
  7. Explore ways to establish a shared secret with the OpenID provider through an association from the application (this is the alternative means of security protection; in the Spring Acegi framework it is provided by filters), and write scripts that allow the system to redirect the user's identifier to the OpenID Provider and receive the response.
  8. Test the system and write the necessary documentation.

...