Login via tokens?


Gerrit Berkouwer
Hi all,

Logging in via tokens would be a secure way to use Hippo CMS. Is anyone using this already?
--
Greetz, Gerrit

Re: Login via tokens?

Berry van Halderen-2
On Tue, Apr 20, 2010 at 11:23 PM, Gerrit Berkouwer
<[hidden email]> wrote:
> logging in via tokens would be a secure way to use Hippo CMS. Is anyone
> using this already?

There are some efforts underway to implement Single Sign On using a
generic approach that allows any pluggable authorization based on the
JAAS interface.  This would allow you to put in token based login,
one-time passwords, or any other kind of authorization.

\Berry
_______________________________________________
Hippo-cms7-user mailing list and forums
http://www.onehippo.org/cms7/support/forums.html

Re: Login via tokens?

Gerrit Berkouwer
*Bump*

Any new developments in this area? Does anyone see any problem when trying to use RSA SecurID (http://en.wikipedia.org/wiki/SecurID) to login to the CMS? Has it been done before?
--
Greetz, Gerrit

Re: Login via tokens?

Wouter Danes-2
As long as there is a JAAS interface to the authentication service, it should be no problem.
Given that it's two-factor authentication, you'd have to relay the authentication to some external service (redirect?) and then make sure there's an authority somewhere that can be reached from the CMS server.

-----Original Message-----
From: [hidden email] [mailto:[hidden email]] On Behalf Of Gerrit Berkouwer
Sent: Wednesday 25 July 2012 8:50
To: [hidden email]
Subject: Re: [Hippo-cms7-user] Login via tokens?

*Bump*

Any new developments in this area? Does anyone see any problem when trying to use RSA SecurID (http://en.wikipedia.org/wiki/SecurID) to login to the CMS? Has it been done before?

Re: Login via tokens?

Jerome Mirc
In reply to this post by Gerrit Berkouwer
Hi Gerrit,

I already implemented this functionality for a project using JAAS. The only way that I found was to create the following classes:
   - TokenAuthenticationFilter - used to retrieve the token and to call the JAAS login, i.e.
               new LoginContext("HSTSITE", subject, new TokenAuthCallbackHandler(parameters...));
   - TokenAuthCallbackHandler - implements CallbackHandler and keeps the parameters used by the LoginModule to identify the user
   - TokenLoginModule - implements LoginModule. Use this file inside the new login.conf that you will create
   - TokenHttpServletRequestWrapper - implements HttpServletRequestWrapper, used to override the getUserPrincipal() method previously set by the TokenAuthenticationFilter.

Also, you can use the Spring Security plugin, which offers more flexibility than JAAS to implement this kind of feature.

Jérôme.
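The callback handler / LoginModule part of the chain Jérôme lists above, as an added example that is not code from this thread or from Hippo. The TokenStore (opaque token mapped to a user plus an expiry), the TokenCallback class and the com.example package in the login.conf comment are assumptions standing in for whatever service actually issues the tokens (a SecurID gateway, for instance); the TokenHttpServletRequestWrapper step is left out. The module never sees a password, and it fails with the same message whether a token is unknown or expired.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;
/** Carries the opaque token from the servlet filter into the LoginModule (assumed class, not Hippo's). */
class TokenCallback implements Callback { String token; }
/** What the filter passes in: new LoginContext("HSTSITE", subject, new TokenAuthCallbackHandler(token)). */
class TokenAuthCallbackHandler implements CallbackHandler {
    private final String token;
    TokenAuthCallbackHandler(String token) { this.token = token; }
    public void handle(Callback[] cbs) throws UnsupportedCallbackException {
        for (Callback cb : cbs) {
            if (!(cb instanceof TokenCallback)) throw new UnsupportedCallbackException(cb); // no password prompts served here
            ((TokenCallback) cb).token = token;
        }
    }
}
/** Hypothetical store: token -> {user, expiry}, filled by the SSO/OTP gateway after its own (e.g. two-factor) check. */
class TokenStore {
    private static final Map<String, Object[]> TOKENS = new HashMap<>();
    static synchronized void issue(String token, String user, long expiresAtMillis) { TOKENS.put(token, new Object[] { user, expiresAtMillis }); }
    static synchronized String lookup(String token) {
        Object[] e = token == null ? null : TOKENS.get(token);
        if (e != null && (Long) e[1] >= System.currentTimeMillis()) return (String) e[0];
        TOKENS.remove(token); // unknown or expired: drop it so a late request cannot reuse it
        return null;
    }
}
/** Referenced from the new login.conf as (package name assumed):  HSTSITE { com.example.TokenLoginModule required; }; */
public class TokenLoginModule implements LoginModule {
    private Subject subject; private CallbackHandler handler; private Principal principal;
    public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) { subject = s; handler = h; }
    public boolean login() throws LoginException {
        TokenCallback cb = new TokenCallback();
        try { handler.handle(new Callback[] { cb }); }
        catch (IOException | UnsupportedCallbackException e) { throw new LoginException("token callback not supported"); }
        final String user = TokenStore.lookup(cb.token);
        if (user == null) throw new FailedLoginException("invalid or expired token"); // one message for both cases
        principal = () -> user; // java.security.Principal has a single abstract method, getName()
        return true;
    }
    public boolean commit() { if (principal != null) subject.getPrincipals().add(principal); return principal != null; }
    public boolean abort()  { principal = null; return true; }
    public boolean logout() { subject.getPrincipals().remove(principal); principal = null; return true; }
}
```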

Re: Login via tokens?

Ard
Hello Jérôme,

On Wed, Jul 25, 2012 at 9:39 PM, Jerome Mirc <[hidden email]> wrote:

> Hi Gerrit,
>
> I already implemented this functionality for a project using JAAS. The only
> way that I found was to create the following classes:
>    - TokenAuthenticationFilter - used to retrieve the token and to call the
> JAAS login. i.e.
>                new LoginContext("HSTSITE", subject, new
> TokenAuthCallbackHandler(parameters...));
>    - TokenAuthCallbackHandler - implements CallbackHandler and keeps
> parameters used by LoginModule to  identify the user
>    - TokenLoginModule - implements LoginModule. use this file inside the new
> login.conf that you will create
>    - TokenHttpServletRequestWrapper - implements HttpServletRequestWrapper
> used to overidde the getUserPrincipal() method previously set by the
> TokenAuthenticationFilter.

Do you see room in the HST for improvement to make it easier to
achieve the above? Some extension point that was missing?

Regards Ard





Re: Login via tokens?

Jerome Mirc
Hi Ard,

I am not aware of the room feature. Could you point me where I can find more information?

Thanks

Jérôme

Re: Login via tokens?

Jeroen Reijn
Hi Jerome,

Ard means that he is wondering if you think that there is anything in
the HST that could be improved to make support for this kind of
functionality easier.

Cheers,

Jeroen

On Thu, Jul 26, 2012 at 1:01 PM, Jerome Mirc <[hidden email]> wrote:

> Hi Ard,
>
> I am not aware of the room feature. Could you point me where I can find more
> information?
>
> Thanks
>
> Jérôme



--
Jeroen Reijn
Solution Architect
Hippo


Re: Login via tokens?

Jerome Mirc
Hi Jeroen, Ard,

At least, one week before going on vacation. ;-)

Actually, HST uses JAAS for the authentication and it is a good solution when you need a simple username/password authentication and your authentication information is saved within a database, an LDAP or any unique external source.

Once the authentication process is more complex, or you need to add additional validations and you need to access the HttpServlet or HttpResponse, JAAS could be used, but you need, as I did, to create additional classes.

The decision that I took for new projects is to use Spring Security when the authentication process requires additional functional requirements. These additional requirements are for me:
  - remember me
  - two-phase login (authentication and validation on two different sources). See the Hippo CMS - Konakart project on GitHub
  - authentication using a token

HST is already based on Spring and adding support for Spring Security will not break the spirit of the architecture.

What do you think?

Jérôme.

Re: Login via tokens?

Woonsan Ko-3
On 7/27/12 6:58 AM, Jerome Mirc wrote:

> Hi  Jeroen, Ard,
>
> At least, one week before going on vacation. ;-)
>
> Actually, HST uses JAAS for the authentication and it is a good solution
> when you need a simple username/password authentication and your
> authentication information is saved within a database, a LDAP or any unique
> external source.
>
> Once, the authentication process is more complex or you need to add an
> additional validations and you need to access to the HttpServlet or
> HttpResponse, JAAS could be used but you need as I did create additional
> classes.
>
> The decision that I took for new projects is to use Spring Security when the
> authentication process requires additional functionals requirements. These
> additional requirements are for me:
>    - remembers me
>    - two phase login (authentication and validation on two different
> sources). See -  https://github.com/jmirc/Hippo-CMS-Konakart Hippo CMS -
> Konakart project  on github
>    - authentication using a token
>
> HST is already based on Spring and adding the support of Spring Security
> will not break the spirit of the architecture.
>
> What do you think?

I like your architectural choice.
And, I think we will integrate Spring Security with HST-2 in the end. I
have already discussed this with other developers before, so I think it
is just a matter of time.
Anyway, in the end, developers can take advantage of most of the
functionality* of Spring Security seamlessly with HST-2. So, I think it
is okay for you to use Spring Security and the forge project for now.

Cheers,

Woonsan

* The authentication part (remember me, all kind of login features,
etc.) of the spring security can be seamlessly integrated. The
authorization part is still questionable, by the way.




Re: Login via tokens?

Ard
Thanks for your feedback and insights Jerome. I have nothing to add to
the comments from Woonsan as he knows much more about the subject than
I do.

Regards Ard

On Fri, Jul 27, 2012 at 9:32 PM, Woonsan Ko <[hidden email]> wrote:
> I like your architectural choice.
> And, I think we will integrate spring security with HST-2 in the end. I have
> already discussed this with other developers before, so I think it is just a
> matter of time.
> Anyway, in the end, developers can take advantage of the most functionality*
> of spring security seamlessly with HST-2. So, I think it is okay for you to
> use spring security and the forge project for now.
>
> Cheers,
>
> Woonsan
>
> * The authentication part (remember me, all kind of login features, etc.) of
> the spring security can be seamlessly integrated. The authorization part is
> still questionable, by the way.


