Session Credentials API Enhancements

Status: IsDraftProposal
Author: Kevin Gill

Motivation(s)

An API is required for logging in a user automatically. The mailing list identified a number of other related requirements. Some items were added or expanded because of their usefulness in Zope2.

  1. Support remote IP restricted logins
  2. Support domain specific logins
  3. Encrypt Password
  4. Application overriding credentials from request
  5. Tracking of 'logged in' users

Problem(s)

Secure authentication scenarios require access to be limited to a single IP Address or set of IP Addresses. The Session Credential plugin should take responsibility for extracting and returning the authentication IP Address. [This proposal does not include updating the principal folder to use the IP address.]

Some scenarios use a 'domain' and provide the login within that specific domain (e.g. a company and users belonging to that company). [This proposal does not include updating the principal and group folders to implement domain based login grouping.]

For security reasons the password should be encrypted while in the session store.

The application needs an API so that it can set the credentials for a session programmatically, i.e. as part of the sign up process.

For monitoring purposes, it is useful to know who is currently 'logged in'. For strict security it is important to log out idle users.

Proposal

IP Extraction

Extract the IP Address from the credentials and store it. Return the IP Address in the dictionary from extractCredentials().

The value from request.environment['HTTP_X_FORWARDED_FOR'] will be used if present, otherwise request.environment['REMOTE_ADDR'].

IP restrictions are not implemented. The Session Credentials Plugin now supports extracting and returning the information.
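
The lookup rule above, as an added example that is not taken from the proposal's demonstration code. X-Forwarded-For is a request header the client can set, so the second function only honours it when REMOTE_ADDR belongs to a proxy listed in a hypothetical `trusted_proxies` setting; the function names, that setting and the sample environments are assumptions.

```python
import ipaddress

def proposal_ip(environ):
    """The rule as the proposal states it: forwarded header, else peer."""
    return environ.get('HTTP_X_FORWARDED_FOR') or environ.get('REMOTE_ADDR')

def trusted_ip(environ, trusted_proxies):
    """Honour X-Forwarded-For only when the direct peer is a known proxy.

    trusted_proxies is a hypothetical setting (list of CIDR strings).
    The header is walked right to left; the first hop that is not one of
    our proxies is the client. Anything further left is client-supplied.
    """
    nets = [ipaddress.ip_network(n) for n in trusted_proxies]

    def parse(text):
        try:
            return ipaddress.ip_address(text.strip())
        except ValueError:
            return None

    def is_proxy(ip):
        return ip is not None and any(ip in net for net in nets)

    peer = environ.get('REMOTE_ADDR', '')
    header = environ.get('HTTP_X_FORWARDED_FOR', '')
    if not header or not is_proxy(parse(peer)):
        return peer               # header absent or not vouched for
    for hop in reversed(header.split(',')):
        ip = parse(hop)
        if ip is None:
            return peer           # malformed entry: fall back to the peer
        if not is_proxy(ip):
            return str(ip)
    return peer                   # every hop was one of our own proxies

# Constructed sample environments.
PROXIES = ['192.0.2.0/24']
DIRECT = {'REMOTE_ADDR': '203.0.113.9',
          'HTTP_X_FORWARDED_FOR': '10.0.0.5'}
VIA_PROXY = {'REMOTE_ADDR': '192.0.2.10',
             'HTTP_X_FORWARDED_FOR': '10.0.0.5, 198.51.100.7'}

if __name__ == '__main__':
    for env in (DIRECT, VIA_PROXY):
        print(proposal_ip(env), '->', trusted_ip(env, PROXIES))
```

With the rule exactly as stated, the direct client's header value becomes the credential IP, and a proxied request yields the whole comma-separated list rather than one address.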

Domain

The Session Credentials can optionally provide a 'domain' value. Where the domain is used, it should be stored on the client in a cookie, so that it can be used as the default.

Domain based principals are not implemented. The Session Credentials Plugin now supports extracting and returning the information.

Encrypt password

The Session Credentials should make use of an IPasswordManager class to encrypt the password (if configured).

The extractCredentials method will return the PasswordManager as part of the credentials dictionary.

The SessionCredentials class will provide a method to provide the PasswordManager so that applications which store passwords can use the same encryption.

The user interface will provide a mechanism for selecting a PasswordManager.

The system should be able to recover from the event of conflicting PasswordManagers being selected on the PrincipalFolder and the Session Credentials Plugin.

Application Overriding Login Credentials

The ICredentialsPlugin.extractCredentials method will have a new parameter, overrides.

overrides will provide a dictionary containing ('login', 'password', 'ip' and 'domain') which will override the same values in the request object if they are present in the request object.

The class will use a full set of credentials from either the request or storage. It will not mix them.

A helper method will be provided to find the SessionCredentials plugin.

Tracking of Logged in Users

The credentials data stored for the session shall have two new values to support tracking of this information:

  • extractTime
  • accessTime

The extractTime shall be the time that the credentials were actually extracted.

The accessTime shall be the last time that the credentials were recovered. Updates shall have a granularity of 60 seconds so that the session data is not updated unnecessarily frequently. accessTime is only maintained if an idle time out is specified (see below).

Report of logged in users

A new adapter shall be written which can trawl the session records in the session store and locate records for logged in users. The adapter shall return a list of all logged in users (login, extractTime and accessTime).

A UI change will provide a simple view on logged in users.

Idle time out

The SessionCredential plugin is the component which is aware of the length of a session. The SessionCredential plugin can implement a timeout if the session is idle. This effectively does a server side logout of users who have not accessed the system for a configured interval. [A JavaScript snippet will still be required to close the page on the client browser.]

There would be a UI change to enable Idle timeout.
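
A sketch of the bookkeeping described in the tracking, report and idle time out sections above, as an added example rather than the demonstration implementation. Only `extractTime`, `accessTime` and the 60 second granularity come from the proposal; the record layout, the function names and the in-memory `store` dictionary are assumptions.

```python
ACCESS_GRANULARITY = 60  # seconds, as given in the proposal

def new_record(login, now):
    """Credentials record created on the request that extracted them."""
    return {'login': login, 'extractTime': now, 'accessTime': now}

def recover(record, now, idle_timeout=None):
    """Return the record for this request, or None if it has idled out.

    accessTime is only maintained when idle_timeout (seconds) is set,
    and is rewritten at most once per ACCESS_GRANULARITY so that most
    requests do not write to the session store.
    """
    if idle_timeout is None:
        return record
    idle = now - record['accessTime']
    if idle > idle_timeout:
        return None               # server side logout; caller drops the record
    if idle >= ACCESS_GRANULARITY:
        record['accessTime'] = now
    return record

def logged_in_users(store, now, idle_timeout=None):
    """List (login, extractTime, accessTime) for sessions still live.

    store is a hypothetical mapping of session id to credentials record.
    """
    rows = []
    for record in store.values():
        expired = (idle_timeout is not None
                   and now - record['accessTime'] > idle_timeout)
        if not expired:
            rows.append((record['login'], record['extractTime'],
                         record['accessTime']))
    return sorted(rows)

if __name__ == '__main__':
    # Constructed sample: one session, 10 minute idle timeout.
    rec = new_record('kevin', 1000)
    recover(rec, 1030, 600)       # within granularity: no store write
    recover(rec, 1061, 600)       # accessTime advances to 1061
    print(logged_in_users({'s1': rec}, 1100, 600))
    print(recover(rec, 1662, 600))  # idle for 601 seconds: None
```

In this sketch the stored accessTime can lag the real last request by up to the granularity, so a session may expire up to 60 seconds earlier than the configured interval, and an idle timeout shorter than the granularity is not meaningful.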

Miscellaneous

The extractCredentials() method return values should be extended to include a flag (logging_in) which can distinguish between the request from which the credentials were extracted and subsequent requests that involved holding the credentials in the session. This can facilitate better error reporting.

The extractCredentials() method return values should include the request-annotations which were saved on the login request.

Demonstration Code

A demonstration implementation has been checked into the zope subversion repository at the following location:

svn://svn.zope.org/repos/main/Sandbox/kevingill2/zope.app.authentication

Or via browser:

http://svn.zope.org/Sandbox/kevingill2/zope.app.authentication/


