Posted to dev@shiro.apache.org by Peter Ledbrook <pe...@cacoethes.co.uk> on 2008/07/18 18:26:16 UTC

Remember me question

Hi,

I've just been asked this on the Grails mailing list:

  I am using the jsec plugin, but I don't want my users to have to
authenticate every time - I want if they check the remember me
checkbox to "auto-login" the user next time they come to the site for
say 2 weeks (which is a common way sites around the web do signing in)
- how can I do that with jsecurity?

What's the preferred way of doing this? Is it possible?

Thanks,

Peter

Re: Remember me question

Posted by Les Hazlewood <le...@hazlewood.com>.
Also, to reiterate - JSecurity can perform role or permission checks for any
user, whether they are authenticated or not.  This is why the Authorizer
interface (and by extension, the Realm interface) only takes in a
PrincipalCollection, which has no knowledge of current authentication or
session state.  It just answers "does user x have role y or permission z".

Yet another way to say this is that authorization operations are purely
orthogonal to authentication or session operations in JSecurity.

On Fri, Jul 18, 2008 at 12:34 PM, Les Hazlewood <le...@hazlewood.com> wrote:

> This is really an end-user decision, based on how they write their
> application.
>
> JSecurity only requires authentication if the end-user requires it, i.e. if
> they use
>
> <jsec:authenticated> tag lib
>
> or the authc filter for a URL.
>
> So, if they configure either of those, JSecurity will enforce it.
>
> The key is that authentication by definition is the verification of a
> user's identity.  If you auto-login a user, you're not verifying their
> identity, thus it cannot be called authentication.  We can call that
> auto-login if we like, but it is most definitely not authentication ;)
>
> Remember Me is supposed to address this - it is essentially auto-login.
>
> So, ultimately, if they don't want to force a user to authenticate if
> they're not already authenticated, they shouldn't use the
> <jsec:authenticated> tag or authc filter.  They should use the
> <jsec:remembered> and remembered filters instead.
>
> Does that help?
>
>
> On Fri, Jul 18, 2008 at 12:26 PM, Peter Ledbrook <pe...@cacoethes.co.uk>
> wrote:
>
>> Hi,
>>
>> I've just been asked this on the Grails mailing list:
>>
>>  I am using the jsec plugin, but I don't want my users to have to
>> authenticate every time - I want if they check the remember me
>> checkbox to "auto-login" the user next time they come to the site for
>> say 2 weeks (which is a common way sites around the web do signing in)
>> - how can I do that with jsecurity?
>>
>> What's the preferred way of doing this? Is it possible?
>>
>> Thanks,
>>
>> Peter
>>
>
>

Re: Remember me question

Posted by Les Hazlewood <le...@hazlewood.com>.
This is really an end-user decision, based on how they write their
application.

JSecurity only requires authentication if the end-user requires it, i.e. if
they use

<jsec:authenticated> tag lib

or the authc filter for a URL.

So, if they configure either of those, JSecurity will enforce it.

The key is that authentication by definition is the verification of a user's
identity.  If you auto-login a user, you're not verifying their identity,
thus it cannot be called authentication.  We can call that auto-login if we
like, but it is most definitely not authentication ;)

Remember Me is supposed to address this - it is essentially auto-login.

So, ultimately, if they don't want to force a user to authenticate if
they're not already authenticated, they shouldn't use the
<jsec:authenticated> tag or authc filter.  They should use the
<jsec:remembered> and remembered filters instead.

Does that help?

On Fri, Jul 18, 2008 at 12:26 PM, Peter Ledbrook <pe...@cacoethes.co.uk>
wrote:

> Hi,
>
> I've just been asked this on the Grails mailing list:
>
>  I am using the jsec plugin, but I don't want my users to have to
> authenticate every time - I want if they check the remember me
> checkbox to "auto-login" the user next time they come to the site for
> say 2 weeks (which is a common way sites around the web do signing in)
> - how can I do that with jsecurity?
>
> What's the preferred way of doing this? Is it possible?
>
> Thanks,
>
> Peter
>

Re: Remember me question

Posted by Jeremy Haile <jh...@fastmail.fm>.
Which programmatically translates to:

jsec:guest -> subject.getPrincipal() == null
This is a completely unauthenticated user who is not remembered.  All  
role and permission checks will fail.

jsec:user -> subject.getPrincipal() != null
This is a user who may be authenticated or remembered.  Role and  
permission checks are allowed.

jsec:authenticated -> subject.isAuthenticated() == true
This is a user who has authenticated during the current session.  Role  
and permission checks are allowed.




On Jul 18, 2008, at 12:53 PM, Les Hazlewood wrote:

> Yep, just for completeness or for those interested, in order of level of
> restriction, from least restrictive to most restrictive, it is:
>
> jsec:guest < jsec:user < jsec:authenticated
>
> On Fri, Jul 18, 2008 at 12:49 PM, Les Hazlewood <le...@hazlewood.com>  
> wrote:
>
>> I think the confusion here may be that, unless I'm reading the grails-user
>> list comments incorrectly, that the Grails plugin enforces that a user must
>> be authenticated in order for it to perform a role or permission check.
>> This shouldn't be the case if the Grails plugin is to mirror the JSecurity
>> framework functionality.
>>
>>
>> On Fri, Jul 18, 2008 at 12:45 PM, Jeremy Haile <jh...@fastmail.fm>  
>> wrote:
>>
>>> Peter,
>>>
>>> Remember Me is extremely easy to setup and use with JSecurity.
>>>
>>> Just set the rememberMe property true in UsernamePasswordToken when
>>> authenticating.  Or if you are using a custom token, make sure it implements
>>> RememberMeAuthenticationToken and returns true for isRememberMe().
>>>
>>> The effect will be that when the user revisits your site getPrincipals()
>>> will return their principals, but isAuthenticated() will return false (since
>>> they haven't actually authenticated this session)
>>>
>>> The <jsec:user/> tag (not <jsec:remembered/> which was renamed) will only
>>> render if principals are not-null, such as when the user is remembered.
>>>
>>> For web URL rules, the "user" rule allows access if the user is known
>>> (principals aren't null).  Whereas "authc" requires them to have actually
>>> authenticated this session.
>>>
>>> Does that make sense?  If not, please ask more questions!
>>>
>>> Jeremy
>>>
>>>
>>>
>>>
>>> On Jul 18, 2008, at 12:26 PM, Peter Ledbrook wrote:
>>>
>>>> Hi,
>>>>
>>>> I've just been asked this on the Grails mailing list:
>>>>
>>>> I am using the jsec plugin, but I don't want my users to have to
>>>> authenticate every time - I want if they check the remember me
>>>> checkbox to "auto-login" the user next time they come to the site for
>>>> say 2 weeks (which is a common way sites around the web do signing in)
>>>> - how can I do that with jsecurity?
>>>>
>>>> What's the preferred way of doing this? Is it possible?
>>>>
>>>> Thanks,
>>>>
>>>> Peter
>>>>
>>>
>>>
>>


Re: Remember me question

Posted by Les Hazlewood <le...@hazlewood.com>.
Yep, just for completeness or for those interested, in order of level of
restriction, from least restrictive to most restrictive, it is:

jsec:guest < jsec:user < jsec:authenticated

On Fri, Jul 18, 2008 at 12:49 PM, Les Hazlewood <le...@hazlewood.com> wrote:

> I think the confusion here may be that, unless I'm reading the grails-user
> list comments incorrectly, that the Grails plugin enforces that a user must
> be authenticated in order for it to perform a role or permission check.
> This shouldn't be the case if the Grails plugin is to mirror the JSecurity
> framework functionality.
>
>
> On Fri, Jul 18, 2008 at 12:45 PM, Jeremy Haile <jh...@fastmail.fm> wrote:
>
>> Peter,
>>
>> Remember Me is extremely easy to setup and use with JSecurity.
>>
>> Just set the rememberMe property true in UsernamePasswordToken when
>> authenticating.  Or if you are using a custom token, make sure it implements
>> RememberMeAuthenticationToken and returns true for isRememberMe().
>>
>> The effect will be that when the user revisits your site getPrincipals()
>> will return their principals, but isAuthenticated() will return false (since
>> they haven't actually authenticated this session)
>>
>> The <jsec:user/> tag (not <jsec:remembered/> which was renamed) will only
>> render if principals are not-null, such as when the user is remembered.
>>
>> For web URL rules, the "user" rule allows access if the user is known
>> (principals aren't null).  Whereas "authc" requires them to have actually
>> authenticated this session.
>>
>> Does that make sense?  If not, please ask more questions!
>>
>> Jeremy
>>
>>
>>
>>
>> On Jul 18, 2008, at 12:26 PM, Peter Ledbrook wrote:
>>
>>> Hi,
>>>
>>> I've just been asked this on the Grails mailing list:
>>>
>>>  I am using the jsec plugin, but I don't want my users to have to
>>> authenticate every time - I want if they check the remember me
>>> checkbox to "auto-login" the user next time they come to the site for
>>> say 2 weeks (which is a common way sites around the web do signing in)
>>> - how can I do that with jsecurity?
>>>
>>> What's the preferred way of doing this? Is it possible?
>>>
>>> Thanks,
>>>
>>> Peter
>>>
>>
>>
>

Re: Remember me question

Posted by Peter Ledbrook <pe...@cacoethes.co.uk>.
> I think the confusion here may be that, unless I'm reading the grails-user
> list comments incorrectly, that the Grails plugin enforces that a user must
> be authenticated in order for it to perform a role or permission check.
> This shouldn't be the case if the Grails plugin is to mirror the JSecurity
> framework functionality.

This is correct and derives from a misunderstanding on my part. I've
suggested a change to the plugin that should be fairly simple to
implement with zero impact on existing users. I hope it's simple to
implement anyway :)

Cheers,

Peter

Re: Remember me question

Posted by Les Hazlewood <le...@hazlewood.com>.
I think the confusion here may be that, unless I'm reading the grails-user
list comments incorrectly, that the Grails plugin enforces that a user must
be authenticated in order for it to perform a role or permission check.
This shouldn't be the case if the Grails plugin is to mirror the JSecurity
framework functionality.

On Fri, Jul 18, 2008 at 12:45 PM, Jeremy Haile <jh...@fastmail.fm> wrote:

> Peter,
>
> Remember Me is extremely easy to setup and use with JSecurity.
>
> Just set the rememberMe property true in UsernamePasswordToken when
> authenticating.  Or if you are using a custom token, make sure it implements
> RememberMeAuthenticationToken and returns true for isRememberMe().
>
> The effect will be that when the user revisits your site getPrincipals()
> will return their principals, but isAuthenticated() will return false (since
> they haven't actually authenticated this session)
>
> The <jsec:user/> tag (not <jsec:remembered/> which was renamed) will only
> render if principals are not-null, such as when the user is remembered.
>
> For web URL rules, the "user" rule allows access if the user is known
> (principals aren't null).  Whereas "authc" requires them to have actually
> authenticated this session.
>
> Does that make sense?  If not, please ask more questions!
>
> Jeremy
>
>
>
>
> On Jul 18, 2008, at 12:26 PM, Peter Ledbrook wrote:
>
>> Hi,
>>
>> I've just been asked this on the Grails mailing list:
>>
>>  I am using the jsec plugin, but I don't want my users to have to
>> authenticate every time - I want if they check the remember me
>> checkbox to "auto-login" the user next time they come to the site for
>> say 2 weeks (which is a common way sites around the web do signing in)
>> - how can I do that with jsecurity?
>>
>> What's the preferred way of doing this? Is it possible?
>>
>> Thanks,
>>
>> Peter
>>
>
>

Re: Remember me question

Posted by Jeremy Haile <jh...@fastmail.fm>.
Peter,

Remember Me is extremely easy to setup and use with JSecurity.

Just set the rememberMe property true in UsernamePasswordToken when
authenticating.  Or if you are using a custom token, make sure it implements
RememberMeAuthenticationToken and returns true for isRememberMe().

The effect will be that when the user revisits your site getPrincipals()
will return their principals, but isAuthenticated() will return false (since
they haven't actually authenticated this session).

The <jsec:user/> tag (not <jsec:remembered/> which was renamed) will only
render if principals are not-null, such as when the user is remembered.

For web URL rules, the "user" rule allows access if the user is known
(principals aren't null).  Whereas "authc" requires them to have actually
authenticated this session.

Does that make sense?  If not, please ask more questions!

Jeremy



On Jul 18, 2008, at 12:26 PM, Peter Ledbrook wrote:

> Hi,
>
> I've just been asked this on the Grails mailing list:
>
>  I am using the jsec plugin, but I don't want my users to have to
> authenticate every time - I want if they check the remember me
> checkbox to "auto-login" the user next time they come to the site for
> say 2 weeks (which is a common way sites around the web do signing in)
> - how can I do that with jsecurity?
>
> What's the preferred way of doing this? Is it possible?
>
> Thanks,
>
> Peter
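Putting Jeremy's Remember Me setup steps and his guest/user/authenticated mapping into code, as an added example that is not from the thread or from the JSecurity project. It assumes the org.jsecurity package layout and SecurityUtils.getSubject() of the 2008-era releases, and the role name "member" is made up.

```java
// Added example (not from the thread): Jeremy's guest/user/authenticated
// mapping plus a Remember Me login, written against the JSecurity API named
// in the thread. Package names assume the org.jsecurity layout of the
// 2008-era releases (an assumption); adjust if your version differs.
import org.jsecurity.SecurityUtils;
import org.jsecurity.authc.AuthenticationException;
import org.jsecurity.authc.UsernamePasswordToken;
import org.jsecurity.subject.Subject;

public class RememberMeLevels {

    /** Least to most restrictive, mirroring jsec:guest < jsec:user < jsec:authenticated. */
    enum Level { GUEST, USER, AUTHENTICATED }

    /** Jeremy's programmatic translation of the three tags. */
    static Level levelOf(Subject subject) {
        if (subject.getPrincipal() == null) {
            return Level.GUEST;            // never logged in and not remembered
        }
        if (subject.isAuthenticated()) {
            return Level.AUTHENTICATED;    // proved identity during this session
        }
        return Level.USER;                 // known only through Remember Me
    }

    /** Log in; a ticked "remember me" box sets the one flag the thread mentions. */
    static void login(String username, char[] password, boolean rememberMe)
            throws AuthenticationException {
        UsernamePasswordToken token = new UsernamePasswordToken(username, password);
        token.setRememberMe(rememberMe);
        SecurityUtils.getSubject().login(token);
    }

    /**
     * Role checks succeed for remembered users too, because authorization is
     * orthogonal to authentication (Les's point). A remembered identity is
     * fine for a personalised dashboard, but a sensitive action such as a
     * password change should also require the AUTHENTICATED level, the same
     * distinction the "user" and "authc" URL rules make. "member" is a
     * made-up role name.
     */
    static boolean maySeeDashboard(Subject subject) {
        return levelOf(subject) != Level.GUEST && subject.hasRole("member");
    }

    static boolean mayChangePassword(Subject subject) {
        return levelOf(subject) == Level.AUTHENTICATED && subject.hasRole("member");
    }
}
```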