...

  • Authentication technologies to be used:
  • Database changes - add a new database table userattributes with three columns: user_id, attributename and attributevalue. With this change to the database schema, any other authentication system that needs per-user attributes can reuse the same table.
  • Update to Spring 2.0 with its built-in OpenID support.
  • Change the Acegi authentication filters in the security.xml file - add a new OpenID AuthenticationProcessingFilter that redirects the user to the OpenID Provider's website. If the user enters a valid OpenID URL, the filter redirects the user to the OpenID provider page and then to the registration page, prefilling the page inputs with the user info received from the OpenID provider. In case of error, the filter redirects the user to the registration page with an error.
  • Add a Spring Security bean openIDAuthProvider to security.xml which uses RollerUserDetailsService.
  • List of classes to which the new functionality will be added:
    • org.apache.roller.weblogger.User.java - add the list of OpenIDs and a method that casts an OpenID to its canonical form (so it is stored in the database in a predefined format)
      • String castToCanonical(String url)
    • Create a new POJO class UserAttributes to represent the userattributes database table.
    • Create a new class OpenIDConnector implementing the methods to establish a connection with the OpenID provider, request authentication and handle the response.
      • String getProviderURL(String openid_url) - returns the Provider's URL to send the request to
      • void sendRedirect(String provider_url) - redirects the user to the Provider's website
      • UserDetails getParameters() - gets the user profile information
      • void verifyResponse(HttpServletRequest httpReq) - verifies the Provider's response
    • Modify class JPAUserManagerImpl.java - add methods for retrieving an instance of the user and managing his OpenIDs, for instance:
      • User getUserByOpenIDUrl(openid_url) - returns the instance of the user with the verified openid_url
      • GetOpenIDsByUser(user_id) - returns the list of OpenIDs that belong to one user
      • AttachOpenID(openid_url, user_id) - adds an OpenID URL to the user's profile
      • DetachOpenID(openid_url, user_id) - deletes a certain OpenID URL from the user's profile
      • DetachOpenIDsByUser(user_id) - deletes all OpenIDs from the user's profile
  • Modify the Register and UIAction action classes - add functionality for prefilling inputs on the register page.
  • For some of the actions I should add work with cookies - to preload the openid_url for the user's convenience.
  • Add a new form with an openid-url input to the login.jsp page and an openid-url input on the edit user profile page.
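The canonical form mentioned for User.castToCanonical matters for security as much as for storage: if "Example.COM/alice#x", "http://example.com:80/alice" and "http://example.com/alice" were stored as three different strings, getUserByOpenIDUrl could miss an existing account or attach one person's OpenID to the wrong row. The class below is an added example, not code from the Roller project or from this proposal; it implements the OpenID 2.0 normalization rules for URL identifiers under a hypothetical class name, and rejects XRI identifiers instead of guessing at them.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;

/**
 * Added example (hypothetical class, not Roller code): normalize a
 * user-supplied OpenID URL into one predefined form before it is stored
 * in userattributes or used to look up a User.
 */
public final class OpenIDNormalizer {

    private OpenIDNormalizer() {}

    public static String castToCanonical(String rawIdentifier) {
        if (rawIdentifier == null || rawIdentifier.trim().isEmpty()) {
            throw new IllegalArgumentException("empty OpenID identifier");
        }
        String id = rawIdentifier.trim();
        // XRIs (xri://=alice, =alice, @company) need an XRI resolver; not handled here.
        if (id.toLowerCase(Locale.ROOT).startsWith("xri://")
                || "=@+$!(".indexOf(id.charAt(0)) >= 0) {
            throw new IllegalArgumentException("XRI identifiers are not supported");
        }
        // Rule 1: an identifier with no scheme is treated as http://.
        String lower = id.toLowerCase(Locale.ROOT);
        if (!lower.startsWith("http://") && !lower.startsWith("https://")) {
            id = "http://" + id;
        }
        URI uri;
        try {
            uri = new URI(id).normalize();   // also collapses "." and ".." path segments
        } catch (URISyntaxException e) {
            throw new IllegalArgumentException("malformed OpenID identifier: " + rawIdentifier, e);
        }
        String host = uri.getHost();
        if (host == null) {
            throw new IllegalArgumentException("OpenID identifier has no host: " + rawIdentifier);
        }
        // Rule 2: scheme and host are case-insensitive, so lower-case them.
        String scheme = uri.getScheme().toLowerCase(Locale.ROOT);
        host = host.toLowerCase(Locale.ROOT);
        // Rule 3: drop the default port, keep any other port.
        int port = uri.getPort();
        boolean defaultPort = port == -1
                || ("http".equals(scheme) && port == 80)
                || ("https".equals(scheme) && port == 443);
        // Rule 4: an empty path becomes "/".
        String path = uri.getRawPath();
        if (path == null || path.isEmpty()) {
            path = "/";
        }
        StringBuilder canonical = new StringBuilder(scheme).append("://").append(host);
        if (!defaultPort) {
            canonical.append(':').append(port);
        }
        canonical.append(path);
        if (uri.getRawQuery() != null) {
            canonical.append('?').append(uri.getRawQuery());
        }
        // Rule 5: the fragment is never part of the identifier, so it is simply not copied.
        return canonical.toString();
    }

    // Constructed sample inputs; all three map to the same canonical form.
    public static void main(String[] args) {
        String[] samples = {"Example.COM/alice#x", "http://example.com:80/alice", "http://example.com/alice"};
        for (String s : samples) {
            System.out.println(s + " -> " + castToCanonical(s));
        }
    }
}
```

Call castToCanonical once, at the point where the identifier enters the system (the login form or the edit-profile form), and pass only its result to AttachOpenID, DetachOpenID and getUserByOpenIDUrl, so the database never sees two spellings of one identity.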

Project Plan

  1. Examine the application structure and the features of the existing authorization system, built using the Spring Acegi framework. Understand what types of security filters are used and how they can be replaced. Outline what features to change and what to edit in the existing system.
  2. Examine what technologies and frameworks to use in this project (JSF, Struts). JavaServer Faces technology will be used for writing the code for client/server collaboration in the web application.
  3. Plan the main functionality of the project and install the required libraries on the system.
  4. Release the main functionality - add the necessary classes, scripts, database tables and Spring Security filters.
  5. Change the visual interface of the application (add an authentication prompt that asks users for their OpenID identifier rather than their username and password).
  6. Release the option of storing users' preferences indicating whether they want to approve authentication with the website 'temporarily', 'always' or 'not at all'.
  7. Explore ways to establish a shared secret with the OpenID provider through association from the application (this is the alternative security mechanism; in Spring Acegi it is provided by filters), and write scripts that allow the system to redirect the user's identifier to the OpenID Provider and receive the response.
  8. Test the system and write the necessary documentation.
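Step 7 is where the shared secret from the association is actually used: the response the Provider sends back to the application carries a signature, and verifyResponse must recompute it before trusting any field. The class below is an added example, not code from the Roller project or from this proposal, showing that check as OpenID 2.0 defines it: the signed data is the key-value form ("name:value\n", with the "openid." prefix stripped) of exactly the fields listed in openid.signed, in that order, and openid.sig is the base64 HMAC over that string with the association's MAC key. The class name, the sample key and the sample response in main() are all constructed for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;
import java.util.Base64;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/**
 * Added example (hypothetical class, not Roller code): verify the
 * signature on a positive assertion using the MAC key obtained during
 * association, the check behind the proposed verifyResponse(...).
 */
public final class OpenIDResponseVerifier {

    // Fields a positive assertion must always have under its signature.
    private static final String[] MUST_BE_SIGNED =
            {"op_endpoint", "return_to", "response_nonce", "assoc_handle"};

    private final byte[] macKey;
    private final String hmacAlgorithm;   // "HmacSHA1" or "HmacSHA256", matching the association type

    public OpenIDResponseVerifier(byte[] macKey, String hmacAlgorithm) {
        this.macKey = macKey.clone();
        this.hmacAlgorithm = hmacAlgorithm;
    }

    /** Key-value form of exactly the signed fields, in openid.signed order. */
    static String signedKeyValueForm(Map<String, String> params) {
        StringBuilder sb = new StringBuilder();
        for (String field : params.get("openid.signed").split(",")) {
            String value = params.get("openid." + field);
            if (value == null) {
                throw new IllegalArgumentException("signed field is missing: openid." + field);
            }
            sb.append(field).append(':').append(value).append('\n');
        }
        return sb.toString();
    }

    byte[] hmac(String data) throws Exception {
        Mac mac = Mac.getInstance(hmacAlgorithm);
        mac.init(new SecretKeySpec(macKey, hmacAlgorithm));
        return mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
    }

    /** True only if openid.sig is a valid MAC over the fields the assertion must cover. */
    public boolean verify(Map<String, String> params) throws Exception {
        String sig = params.get("openid.sig");
        String signed = params.get("openid.signed");
        if (sig == null || signed == null || !"id_res".equals(params.get("openid.mode"))) {
            return false;
        }
        List<String> signedFields = Arrays.asList(signed.split(","));
        for (String f : MUST_BE_SIGNED) {
            if (!signedFields.contains(f)) return false;
        }
        // claimed_id and identity, when present, must be under the signature too;
        // otherwise the identity could be swapped on an otherwise validly signed message.
        for (String f : new String[] {"claimed_id", "identity"}) {
            if (params.containsKey("openid." + f) && !signedFields.contains(f)) return false;
        }
        byte[] presented;
        try {
            presented = Base64.getDecoder().decode(sig);
        } catch (IllegalArgumentException e) {
            return false;
        }
        byte[] expected = hmac(signedKeyValueForm(params));
        // Constant-time comparison: a byte-by-byte equals would leak how much of the MAC matched.
        return MessageDigest.isEqual(expected, presented);
    }

    // Constructed demo: sign a sample assertion with a made-up key, verify it, then tamper with it.
    public static void main(String[] args) throws Exception {
        byte[] key = "constructed-association-mac-key".getBytes(StandardCharsets.UTF_8);
        OpenIDResponseVerifier v = new OpenIDResponseVerifier(key, "HmacSHA256");

        Map<String, String> p = new LinkedHashMap<>();
        p.put("openid.ns", "http://specs.openid.net/auth/2.0");
        p.put("openid.mode", "id_res");
        p.put("openid.op_endpoint", "https://op.example/server");           // placeholder provider
        p.put("openid.return_to", "https://blog.example/roller/openid-return"); // placeholder return URL
        p.put("openid.response_nonce", "2008-07-07T12:00:00ZABCDEF");
        p.put("openid.assoc_handle", "constructed-handle-1");
        p.put("openid.claimed_id", "http://example.com/alice");
        p.put("openid.identity", "http://example.com/alice");
        p.put("openid.signed", "op_endpoint,return_to,response_nonce,assoc_handle,claimed_id,identity");
        p.put("openid.sig", Base64.getEncoder().encodeToString(v.hmac(signedKeyValueForm(p))));

        System.out.println("genuine response verifies: " + v.verify(p));
        p.put("openid.claimed_id", "http://example.com/mallory");
        System.out.println("tampered response verifies: " + v.verify(p));
    }
}
```

A valid signature is necessary but not sufficient for verifyResponse: the application must also confirm that openid.return_to matches the URL the response actually arrived at, that openid.op_endpoint is the endpoint found during discovery for that claimed_id, that openid.response_nonce has not been accepted before (replay), and that openid.assoc_handle is one this application obtained; a response with an unknown handle has to fall back to a direct check_authentication request to the Provider instead of being verified locally.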

...

  • 26th of May
    • Initial planning of the project and research
    • Deliverable: Document of detailed description of the project.
  • July, 7th (midterm)
    • By this point the code of the application will be delivered.
    • Deliverable: Coding necessary to implement the OpenID authentication
  • August, 18th (deadline)
    • At this point, corrections will be made to fix what the previous code lacks.
    • Deliverable: Documentation on the project.

...