 |
|
|
Hi,
Speaking of authentication... :) I have been playing around with some
ideas for a RESTful, secure login.
What do you think?
General
1. JavaScript is required on the client (and server)
2. Client and Server share the same JavScript hash (sha1) code.
Server:
* appSessions: A 2 dimensional array (for java,
java.util.TreeMap) [[timestamp, someRandomThing]] with length=30
(default, but modifiable) which has the oldest entry removed and a new
entry added every minute. In other words, the length of the array is
the server side timeout. Perhaps 'someRandomThing' needs to come from
a central authority for load balancing?? This has nothing to do with
client state - so it's RESTful, right?
Client:
* Ability to use custom login form
* Ability to logout by submitting login form with invalid
credentials
* Ability to forget/reset password
GET request for secure resource from unauthenticated user
1. remoteIp: get the remote IP
2. mostRecentEntry: get the most recent entry from the 2d array
* timestamp
* someRandomThing
3. salt: sha1(remoteIp + someRandomThing)
GET response
4. send auth request back to client with the following headers:
* STAMP = timestamp
* BITE = salt
* REALM = something
* CODE: 3 // log in tries??
5. client stores the headers with JavaScript
6. client/user interaction
a. Present login form - page/thickbox/whatev...
b. user enters username and password -> submits form
c. credentials: sha1(BITE + sha1(username:REALM:password))
d. send GET request: {
headers: {
STAMP: STAMP,
CREDS: credentials,
CODE: 3 // log in tries??
}
parameters: {
username: username
}
}
GET Auth request
7. use the STAMP header to get 'someRandomThing' if it still
exists (otherwise user session has timed out)
8. salt: sha1(remoteIp + someRandomThing)
9. existingCreds = user.getCredentials()
10. if (CREDS == sha1(salt + existingCreds)) {
redirect to secure resource
} else {
send error unauthorized
send auth request back to client with the following headers:
* STAMP = timestamp
* BITE = salt
* REALM = something
* CODE: 2 // log in tries??
}
QUESTION: Will the client remote IP be the same between request-
>response->request??
|
|
| |
These Archives are provided for informational purposes only and have been generated directly from the Altova mailing list archive system and are comprised of the lists set forth on www.altova.com/list/index.html. Therefore, Altova does not warrant or guarantee the accuracy, reliability, completeness, usefulness, non-infringement of intellectual property rights, or quality of any content on the Altova Mailing List Archive(s), regardless of who originates that content. You expressly understand and agree that you bear all risks associated with using or relying on that content. Altova will not be liable or responsible in any way for any content posted including, but not limited to, any errors or omissions in content, or for any losses or damage of any kind incurred as a result of the use of or reliance on any content. This disclaimer and limitation on liability is in addition to the disclaimers and limitations contained in the Website Terms of Use and elsewhere on the site.
| |
| |
|
|
|
