Jivespace: Message List - Users not being remembered

Re: Users not being remembered

communities@jivesoftware.com — Thu, 18 Dec 2008 13:25:40 GMT

Indeed, it is not a one line fixer and would require some testing effort. I am going to close this case for the time being. If you have additional questions about how the rememberMeServices works or about implementing this as a provider, feel free to reply to this thread to reopen the case or to open a new case.

Thanks,

Austen

Re: Users not being remembered

mrobinson@appcelerator.com — Mon, 15 Dec 2008 17:52:50 GMT

The solutions that you mention above seem non-trivial. Sometime in the future we will be moving to an SSO, It's likely that that will remove the problems we're having with the RememberMeServices. We might have to wait for persisted logins until we finish the new SSO login.

Re: Users not being remembered

communities@jivesoftware.com — Tue, 09 Dec 2008 14:34:29 GMT

How are things coming? Did you decide which route you plan on taking? Did you have any additional questions regarding my latest post?

Re: Users not being remembered

communities@jivesoftware.com — Fri, 05 Dec 2008 16:54:23 GMT

Sorry, I must have read over that a little too fast. I spoke with a colleague on my team who is a bit more experienced with CS 2.5 SSO integrations and he recommended that you implement this as a AuthenticationProvider rather than an authentication filter. Most SSO integrations do not have the need for the TokenBasedRememberMeServices.

Since you are just going against an external DB for authentication and using the default login page, this would be more suited to a provider. You would want to override this spring bean and replace the first three providers with a custom rolled one. The daoAuthenticationProvider would be a good starting reference:

<!-- List of authentication providers used by the authentication manager beans.
            Customized authentication providers can override this bean and re-define
            this list as needed.-->
    <bean id="authenticationProviderList" class="org.springframework.beans.factory.config.ListFactoryBean">
        <property name="sourceList">
            <list>
                <ref bean="jiveLdapAuthenticationProvider"/>
                <ref bean="daoAuthenticationProvider" />
                <ref bean="jiveLegacyAuthenticationProvider"/>
                <ref bean="rememberMeAuthenticationProvider"/>
                <ref bean="openfireAuthenticationProvider"/>
            </list>
        </property>
    </bean>

If you do decide to stick with the filter, you'll probably have to extend the JiveUserAuthentication to override that method to return a UsernamePasswordCredentials object.

Re: Users not being remembered

mrobinson@appcelerator.com — Fri, 05 Dec 2008 15:30:41 GMT

Just to clarify, I'm not actually returning null. It's happening inside Jive code (specifically the JiveUserAuthentication class). This is how the examples showed how to authenticate a user in my code:

                Authentication authentication = new JiveUserAuthentication(jiveUser);
                authentication.setAuthenticated(true);
                context.setAuthentication(authentication);

The bit in my previous post where getCredentials is returning null is from the Jive JiveUserAuthentication class.

Perhaps I could extend that class, but I'm not sure what the appropriate thing to return instead of null would be.

Re: Users not being remembered

communities@jivesoftware.com — Fri, 05 Dec 2008 13:38:40 GMT

Martin,

Do you need to return null here? This is required to be non-null for the remember me services, as you have pointed out. In order to build the cookie, it is necessary to get the credentials. If your Authentication's principal is an instance of UserDetails, it will retrieve the password from there. However, credentials must still be a non-null Object for this to work. Does it create a problem in your code if you do not return null?

Thanks,

Austen

Re: Users not being remembered

mrobinson@appcelerator.com — Tue, 02 Dec 2008 19:25:10 GMT

I've run into a problem with your suggestion. In the snippet of code you listed above (in TokenBasedRememberMeServices from the acegi security package) there is:

// Determine username and password, ensuring empty strings      
Assert.notNull(successfulAuthentication.getPrincipal());
Assert.notNull(successfulAuthentication.getCredentials());

Meanwhile in the JiveUserAuthentication class, which is type of Authentication instance I create in my plugin, I find this code:

    public Object getCredentials() {
        return null;
    }

Unfortunately, the second assertion fails and the loginSuccess method throws an exception.

Re: Users not being remembered

communities@jivesoftware.com — Wed, 26 Nov 2008 13:52:05 GMT

When you call the rememberMeServices loginSuccess method, this is saving the cookie for you. To create the cookie, it extracts the username and password out of the Authentication object. Here's a copy of that method:

    public void loginSuccess(HttpServletRequest request, HttpServletResponse response,
            Authentication successfulAuthentication) {
        // Exit if the principal hasn't asked to be remembered
        if (!rememberMeRequested(request, parameter)) {
            if (logger.isDebugEnabled()) {
                logger.debug("Did not send remember-me cookie (principal did not set parameter '" + this.parameter
                        + "')");
            }
 
            return;
        }
 
        // Determine username and password, ensuring empty strings
        Assert.notNull(successfulAuthentication.getPrincipal());
        Assert.notNull(successfulAuthentication.getCredentials());
 
        String username = retrieveUserName(successfulAuthentication);
        String password = retrievePassword(successfulAuthentication);
 
        // If unable to find a username and password, just abort as
        // TokenBasedRememberMeServices unable to construct a valid token in
        // this case
        if (!StringUtils.hasLength(username) || !StringUtils.hasLength(password)) {
            return;
        }
 
        long expiryTime = System.currentTimeMillis() + (tokenValiditySeconds * 1000);
 
        // construct token to put in cookie; format is:
        // username + ":" + expiryTime + ":" + Md5Hex(username + ":" +
        // expiryTime + ":" + password + ":" + key)
        String signatureValue = DigestUtils.md5Hex(username + ":" + expiryTime + ":" + password + ":" + key);
        String tokenValue = username + ":" + expiryTime + ":" + signatureValue;
        String tokenValueBase64 = new String(Base64.encodeBase64(tokenValue.getBytes()));
        response.addCookie(makeValidCookie(tokenValueBase64, request, tokenValiditySeconds));
 
        if (logger.isDebugEnabled()) {
            logger
                    .debug("Added remember-me cookie for user '" + username + "', expiry: '" + new Date(expiryTime)
                            + "'");
        }
    }

Once this cookie is established, the rememberMeProcessingFilter will attempt to log you in using the rememberMeServices autoLogin method. Under the covers, this method will load the password for the user and created a hashed cookie to compare to the hashed cookie that is passed along in the request. If the two match, you are authenticated and auto logged in.

Re: Users not being remembered

mrobinson@appcelerator.com — Tue, 25 Nov 2008 23:27:24 GMT

Austen,

Thanks for the info. We are implementing your suggestions right away. Do you mind clarifying though, what you mean here:

When you do this, you must make sure that the password hash that you store in the cookie is the same as is stored in the DB, otherwise the rememberMeProcessingFilter will fail to authenticate you from the stored cookie.

At what point should be putting the password hash into a cookie? This wasn't previously part of our authentication filter and I don't see it happening in the code you just mentioned either. Thanks again.

Re: Users not being remembered

communities@jivesoftware.com — Tue, 25 Nov 2008 22:35:22 GMT

Okay, so here is what I found:

The remember me bug with Tomcat only affects IE users and is definitely a problem only in Tomcat 6.0.18 and above.
Your authentication filter needs a small change in order for the remember me to work

There are two changes needed to make this work. First thing that you'll need to do is inject the rememberMeServices into your Filter. Second, after you have authenticated, you'll need to call the rememberMeServices.loginSuccess(HttpServletRequest, HttpServletResponse, Authentication). When you do this, you must make sure that the password hash that you store in the cookie is the same as is stored in the DB, otherwise the rememberMeProcessingFilter will fail to authenticate you from the stored cookie.

Please let me know if you have any questions about this.