
Status

Proposal under development

Special Note

Google Summer of Code 2008 project

Target Release

4.1

Original Authors

Tatyana Tokareva, Dave Johnson

Abstract

This project aims to add OpenID support to Roller, both for user accounts and for those leaving blog comments. New and existing users should be able to tie their user account to an OpenID identity and use that for all subsequent logins, and bloggers should be able to require that people log in via OpenID before leaving a comment. These features could be implemented by modifying Roller's existing Spring Acegi configuration and/or by documenting how to use a Container Managed Authentication (CMA) configuration, e.g. OpenSSO paired with a Servlet Container.
It is evident that the number of online user accounts is increasing rapidly. It is almost impossible to remember the login and password for each website, which is why systems that use authentication servers have a valuable advantage. Because the Roller blog server is an application that provides access to different blog sites, all of which require authorization, it can be very useful to reduce the number of logins at different services to a minimum. This can be done by adding OpenID identification to the server.

Benefits for the community

The main aim of the project is to increase the efficiency of the authentication and authorization processes at the Roller blog server by managing logon to several services and users' identities in one place, via an authentication server with OpenID technology. Using this technology, we'll achieve cross-application and cross-domain single sign-on (SSO). As a result, users will be more satisfied, as they won't have to remember logins and passwords for every website and can just use a single OpenID identifier. And the number of people using Roller will increase.
Once the objectives above are fulfilled, the community will benefit in the following ways:

  1. Support single logon for user accounts and for users who leave blog comments;
  2. Existing users will be able to tie their accounts to the OpenID identity for further use;
  3. New users will have to provide only OpenID identity for further identification;
  4. If the user is not logged in and wants to leave a comment, the system will redirect him to the login page;
  5. Integration of the new authorization system with the existing one, which is built on the Spring Acegi framework;
  6. Support for multiple profiles (for example, provide different names and info at different services);
  7. The Roller system will be automatically notified when users change their info on other sites, so it will always have up-to-date information.

Requirements

  1. Allow new users to register and log in via OpenID
  2. Allow existing users to log in via OpenID, i.e. by associating a Roller user account with an OpenID identity
  3. Allow those who wish to leave comments to log in via OpenID
  4. Allow users to associate multiple OpenID accounts with one Roller account, i.e. associate multiple OpenID identities with one Roller user

Issues

Should the user have a choice of which openid_url to use during authentication?
If the user can have multiple openid_urls, there should be some additional functionality on the page where the user edits his profile details (adding or removing a certain openid_url from the list), and an adjusted database structure should be implemented.
Another issue is the registration of a new user: the user will be asked whether he wants to use OpenID or not. If not, he will be redirected to the usual registration page. Otherwise, he will enter his OpenID and be redirected to his OpenID provider to authenticate; then some of the information will be received from the user's profile and, if necessary, he will be asked to provide some special information. At the same time, when the user comes to the website for the first time, he can authenticate using OpenID and a new account will be automatically created. So, do we need two forms for creating a new user?

Design

  • Authentication technologies to be used:
  • Database changes - add a new database table userattributes. It should consist of three columns: user_id, attributename and attributevalue. With this change to the database schema, any other authentication system which requires some user attributes can use this table as well.
  • Update to Spring 2.0, which has built-in OpenID support.
  • Change the Acegi authentication filters in the security.xml file - add an openID AuthenticationProcessingFilter to redirect the user to the OpenID provider website. If the user enters a valid OpenID URL, the filter redirects the user to the OpenID provider page and then to the registration page, and prefills the page inputs with the user info received from the OpenID provider. In case of an error, the filter redirects the user to the registration page with an error.
  • Add a Spring Security bean openIDAuthProvider to security.xml, which uses RollerUserDetailsService
  • List of classes to which the new functionality will be added:
    • org.apache.roller.weblogger.User.java - add the list of OpenIDs and a method for converting an OpenID to its canonical form (so that it is stored in the database in a predefined format)
      • String castToCanonical(String url)
    • Create a new POJO class UserAttributes which will represent the userattributes database table.
    • Modify class JPAUserManagerImpl.java - add methods for looking up a user and managing his OpenIDs, for instance:
      • User getUserByOpenIDUrl (openid_url) - returns the user instance for the verified openid_url
      • GetOpenIDsByUser(user_id) - returns the list of OpenIDs that belong to one user
      • AttachOpenID(openid_url, user_id) - adds an OpenID URL to the user's profile
      • DetachOpenID(openid_url, user_id) - deletes the given OpenID URL from the user's profile
      • DetachOpenIDsByUser(user_id) - deletes all OpenIDs from the user's profile
  • Modify the Register and UIAction action classes - add functionality for prefilling inputs on the register page.
  • Add cookie handling - to preload the openid_url for user convenience
  • Add a new form with an openid-url input to the login.jsp page, and an openid-url input to the edit user profile page.
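
One way the castToCanonical and attach/lookup methods listed above could fit together, as an added example rather than Roller code: the class name OpenIdBindings and the in-memory map standing in for the userattributes table are assumptions, and only URL identifiers are handled. It goes one step beyond the design text by refusing to attach an OpenID that is already bound to a different user, so getUserByOpenIDUrl can never be ambiguous.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.HashMap;
import java.util.Locale;
import java.util.Map;

// Hypothetical stand-in for the userattributes table: canonical openid_url -> user_id.
public class OpenIdBindings {
    private final Map<String, String> owner = new HashMap<>();

    // Canonical form for URL identifiers (XRI identifiers are out of scope here).
    public static String castToCanonical(String url) throws URISyntaxException {
        String s = url.trim();
        if (!s.matches("(?i)https?://.*")) s = "http://" + s;    // bare "example.com/me"
        URI u = new URI(s).normalize();                          // collapses "." and ".."
        if (u.getHost() == null) throw new URISyntaxException(url, "no host");
        String scheme = u.getScheme().toLowerCase(Locale.ROOT);
        String host = u.getHost().toLowerCase(Locale.ROOT);
        int port = u.getPort();
        boolean dflt = port == -1 || port == (scheme.equals("https") ? 443 : 80);
        String path = u.getRawPath().isEmpty() ? "/" : u.getRawPath();
        String query = u.getRawQuery() == null ? "" : "?" + u.getRawQuery();
        return scheme + "://" + host + (dflt ? "" : ":" + port) + path + query; // fragment dropped
    }

    // Refuses to bind an identity that already belongs to a different user.
    public boolean attachOpenID(String openidUrl, String userId) throws URISyntaxException {
        String existing = owner.putIfAbsent(castToCanonical(openidUrl), userId);
        return existing == null || existing.equals(userId);
    }

    public String getUserByOpenIDUrl(String openidUrl) throws URISyntaxException {
        return owner.get(castToCanonical(openidUrl));
    }

    // Removes the binding only if it belongs to userId.
    public boolean detachOpenID(String openidUrl, String userId) throws URISyntaxException {
        return owner.remove(castToCanonical(openidUrl), userId);
    }

    public static void main(String[] args) throws URISyntaxException {
        OpenIdBindings b = new OpenIdBindings();                 // constructed sample values
        System.out.println(b.attachOpenID("Example.com/alice#me", "alice"));
        System.out.println(b.getUserByOpenIDUrl("http://EXAMPLE.com:80/./alice"));
        System.out.println(b.attachOpenID("HTTP://example.com/alice", "mallory"));
        System.out.println(b.detachOpenID("example.com/alice", "mallory"));
    }
}
```

In a real schema the same guarantee would come from a unique constraint on the stored canonical value, with http and https identifiers kept as distinct identities.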

Project Plan

  1. Examine the application structure and the features of the existing authorization system, built using the Spring Acegi framework. Understand what types of security filters are used and how they can be replaced. Outline which features to change and what to edit in the existing system.
  2. Plan the main functionality of the project and install the required libraries on the system.
  3. Implement the main functionality - add the necessary classes, scripts, database tables and Spring Security filters.
  4. Change the visual interface of the application (add authentication prompt to ask users for their OpenID identifier rather than their username and password).
  5. Test the system and write the necessary documentation.

Timeline

  • 26th of May
    • Initial planning of the project and research
    • Deliverable: Document with a detailed description of the project.
  • August, 11th
    • By this point the code of the application will be delivered.
    • Deliverable: Coding necessary to implement the OpenID authentication
  • August, 18th (deadline)
    • At this point, corrections will be made for whatever is lacking in the previous code.
    • Deliverable: Documentation on the project.

Comments

Please comment on the Roller-dev mailing list.
