You will find here the implementation details of how I have implemented HTTP digest and persistent logins for this HTTP-based site. You can read about the theory that is the basis for this implementation here. Please note that these are my working notes and do not follow a pedantic sequence.

satya - 5/22/2013 9:34:57 AM

See the research here for various login mechanisms

Covers HTTP digest and login remembrance ideas.

satya - 5/22/2013 9:35:38 AM

aspire login/session related classes


DefaultSessionSupport1.java

satya - 5/22/2013 9:36:02 AM

in aspire.properties I have the following settings


aspire.sessionSupport.applySessionManagement=no
aspire.applySessionManagement=no
request.aspire.sessionSupport.sessionSupportObject.className=com.ai.servlets.DefaultSessionSupport1

satya - 5/22/2013 9:54:12 AM

and user authorization directives


aspire.authentication.userAuthorization=yes
aspire.authentication.verifyPageAccess=yes

satya - 5/22/2013 12:50:41 PM

BaseServlet behavior on session

  1. There will always be a session if the URLs are public
  2. There will always be a session if it is a private URL requiring a login and the login is present
  3. The session will be null if it is a private URL but the login is not done yet
  4. BaseServlet will return the response if the session is null
  5. The code that returned a null session should appropriately set the response to challenge for authorization

satya - 5/22/2013 1:47:03 PM

The password authentication support is implemented in


com.ai.aspire.authentication package

satya - 5/22/2013 1:48:32 PM

DefaultSessionSupport calls the verifypassword

from the current authenticator that is configured, while handling the http details of challenging the browser itself.

satya - 5/22/2013 2:09:05 PM

Aspire constants are defined in


com.ai.aspire.servelets.AspireConstants

satya - 5/25/2013 9:16:12 AM

Key classes this is implemented in


//Packages
com.ai.aspire.authentication
com.ai.aspire.authentication.pls
//pls: Persistent login support

//Authentication method support
IHttpAuthenticationMethod
BaseAuthenticationMethod
DigestAuthenticationMethod
DigestAuthenticationWithPersistentLoginSupport

//Additions to earlier classes
DefaultSessionSupport2 //to delegate http authentication method
IAuthentication //to support http authentication method
ServletUtils //minor additions

//Just related classes
BaseServletSupport

satya - 5/25/2013 9:21:05 AM

Test cases


//Previous functionality should be intact
Should be able to access public pages without prompt
Should be challenged when accessing private pages
Once logged in the private pages should work
After 30 minutes or so I should be logged out

//Persistent login test cases
Should be able to request persistent login
Should be able to unrequest a persistent login
Should be able to remove all persistent logins
Should be able to access private pages after 1 hour, 1 day

satya - 5/28/2013 2:29:21 PM

Changes to Aspire.properties


request.aspire.sessionSupport.sessionSupportObject.className=com.ai.servlets.DefaultSessionSupport3

request.aspire.authentication.httpAuthenticationMethodObject.className=com.ai.aspire.authentication.DigestAuthenticationMethod

request.aspire.authentication.persistentSupportLoginObject.className=com.ai.aspire.authentication.pls.PersistentLoginSupport

satya - 5/28/2013 2:32:14 PM

Key Conditionals


New keys are issued
********************
1. On a good login give a new key
2. Keep userid as part of the key
3. when key is recognized for a session issue a new key
4. Keys expire after 3 months

Challenge is issued
*********************
1. Key or an auth header is not available
2. userid/pw is not valid
3. Key is not valid
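
The key rules above, as an added Java sketch (Java 16 or later) that is not Aspire's own code. The class and method names are hypothetical, the in-memory map stands in for the site's real store, 90 days approximates the three months, and keeping only a hash of each key is an assumption of this sketch.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.time.*;
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;

// Hypothetical helper, not an Aspire class: sketches the key rules listed above.
public class PersistentLoginKeySketch {
    private static final Duration LIFETIME = Duration.ofDays(90); // "3 months", approximated
    private static final SecureRandom RNG = new SecureRandom();
    private record Entry(String userId, Instant expires) {}
    // Only a SHA-256 of each key is kept, so a leaked store cannot be replayed as cookies.
    private final Map<String, Entry> store = new ConcurrentHashMap<>();

    // Rules 1 and 2: a good login gets a fresh key that carries the userid.
    public String issue(String userId, Instant now) {
        byte[] secret = new byte[32];
        RNG.nextBytes(secret);
        String key = userId + ":" + Base64.getUrlEncoder().withoutPadding().encodeToString(secret);
        store.put(sha256(key), new Entry(userId, now.plus(LIFETIME)));
        return key;
    }

    // Rule 3: a recognized key is consumed and replaced. An empty result means "issue a challenge".
    public Optional<String> redeem(String presentedKey, Instant now) {
        int sep = presentedKey == null ? -1 : presentedKey.lastIndexOf(':');
        if (sep <= 0) return Optional.empty();                    // no key, or malformed key
        Entry e = store.remove(sha256(presentedKey));             // single use: replay finds nothing
        if (e == null || !e.userId().equals(presentedKey.substring(0, sep))) return Optional.empty();
        if (!now.isBefore(e.expires())) return Optional.empty();  // rule 4: key has expired
        return Optional.of(issue(e.userId(), now));
    }

    private static String sha256(String s) {
        try {
            return Base64.getEncoder().encodeToString(
                MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8)));
        } catch (NoSuchAlgorithmException ex) { throw new IllegalStateException(ex); }
    }

    public static void main(String[] args) {
        PersistentLoginKeySketch keys = new PersistentLoginKeySketch();
        Instant t0 = Instant.parse("2013-05-28T14:00:00Z");       // constructed timestamp
        String k1 = keys.issue("satya", t0);
        String k2 = keys.redeem(k1, t0.plus(Duration.ofDays(1))).orElseThrow();
        System.out.println("old key accepted again: " + keys.redeem(k1, t0.plus(Duration.ofDays(2))).isPresent());
        System.out.println("expired key accepted: " + keys.redeem(k2, t0.plus(Duration.ofDays(200))).isPresent());
    }
}
```

Because each recognized key is removed before its replacement is issued, a second presentation of the same cookie falls through to the challenge path, which is the place to log a possible stolen key.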

satya - 5/28/2013 2:33:00 PM

Expected behavior in the log file


we should see new keys only once per session

satya - 5/31/2013 12:10:54 PM

Changes to aspire for this release work


//*********************************************************
//Release 36
//Name: persistent-login-release
//For release 35 
//Total files that have changed: 23
//*********************************************************
\ai\aspire\AspireReleaseNotes.java
\ai\aspire\authentication\BaseAuthenticationMethod.java
\ai\aspire\authentication\DefaultAuthentication.java
\ai\aspire\authentication\DigestAuthenticationMethod.java
\ai\aspire\authentication\DigestAuthenticationWithPersistentLoginMethod.java
\ai\aspire\authentication\IAuthentication.java
\ai\aspire\authentication\IAuthentication1.java
\ai\aspire\authentication\IHttpAuthenticationMethod.java
\ai\aspire\authentication\IHttpCookieEnabledAuthenticationMethod.java
\ai\aspire\authentication\IPersistentLoginSupport.java
\ai\aspire\authentication\SimpleDBAuthentication.java
\ai\aspire\authentication\pls\PersistentLoginEvaluator.java
\ai\aspire\authentication\pls\PersistentLoginSupport.java
\ai\filters\SingleColumnToStringConverter.java
\ai\parts\RemovePersistentLoginPart.java
\ai\parts\RequestPersistentLoginPart.java
\ai\servlets\AspireConstants.java
\ai\servlets\AspireSession.java
\ai\servlets\AspireSession1.java
\ai\servlets\BaseServlet.java
\ai\servlets\DefaultSessionSupport1.java
\ai\servlets\DefaultSessionSupport2.java
\ai\servletutils\ServletUtils.java

//*********************************************************
// Key files that have changed
//*********************************************************
//Key entry points
\ai\servlets\DefaultSessionSupport1.java
\ai\servlets\DefaultSessionSupport2.java

//Carries all authentication related information
//*********************************************************
\ai\aspire\authentication\IAuthentication.java
\ai\aspire\authentication\IAuthentication1.java
\ai\aspire\authentication\DefaultAuthentication.java
\ai\aspire\authentication\SimpleDBAuthentication.java

//A new concept of authentication method introduced
//*********************************************************
\ai\aspire\authentication\IHttpAuthenticationMethod.java
\ai\aspire\authentication\BaseAuthenticationMethod.java
\ai\aspire\authentication\DigestAuthenticationMethod.java
\ai\aspire\authentication\DigestAuthenticationWithPersistentLoginMethod.java
\ai\aspire\authentication\IHttpCookieEnabledAuthenticationMethod.java

//The above method is supplemented with persistent login support
//*********************************************************
\ai\aspire\authentication\IPersistentLoginSupport.java
\ai\aspire\authentication\pls\PersistentLoginEvaluator.java
\ai\aspire\authentication\pls\PersistentLoginSupport.java
\ai\parts\RemovePersistentLoginPart.java
\ai\parts\RequestPersistentLoginPart.java

//Some miscellaneous changes
//*********************************************************
\ai\filters\SingleColumnToStringConverter.java
\ai\servlets\AspireSession.java
\ai\servlets\AspireSession1.java

satya - 5/31/2013 2:24:33 PM

Here are changes to the akc


//*********************************************************
//Release Name: persistent-login-release
//Uses aspire release 36 
//Total files that have changed: 7
//*********************************************************
\akc-sqlserver\properties\aspire.properties
\akc-sqlserver\properties\user_login.properties
\akc-sqlserver\reports\home\developer-home.html
\akc-sqlserver\reports\users\pls-view.html
\akc-sqlserver\reports\users\pls.properties
\akc-sqlserver\WEB-INF\lib\aspire_jsdk23.jar
\akc-sqlserver\WEB-INF\lib\commons-codec-1.8.jar

satya - 6/4/2013 9:44:40 AM

Enhancing akc with http digest and persistent login over http

This is just a rough sketch of the logic. The actual code may differ a good bit. It is posted here mainly as a reminder not to lose the work and possibly to provide a marker on the road should I not have time to redocument.

satya - 6/4/2013 9:53:17 AM

Here is another image that deals with joining session with the user

Again these are early thoughts and not actuals.

satya - 6/4/2013 9:57:12 AM

Here is a bit more detail of the same

satya - 6/4/2013 9:59:48 AM

Here are the final changes to aspire.properties


//*********************************************************
//Release Name: persistent-login-release
//Uses aspire release 36 
//Total files that have changed: 7
//*********************************************************
\akc-sqlserver\properties\aspire.properties
\akc-sqlserver\properties\user_login.properties
\akc-sqlserver\reports\home\developer-home.html
\akc-sqlserver\reports\users\pls-view.html
\akc-sqlserver\reports\users\pls.properties
\akc-sqlserver\WEB-INF\lib\aspire_jsdk23.jar
\akc-sqlserver\WEB-INF\lib\commons-codec-1.8.jar


//*********************************************************
//Changes to aspire.properties
//*********************************************************

#Session and Http Digest configuration
#request.aspire.sessionSupport.sessionSupportObject.className=com.ai.servlets.DefaultSessionSupport1

1) ==> Add the following three lines
request.aspire.sessionSupport.sessionSupportObject.className=com.ai.servlets.DefaultSessionSupport2

request.aspire.authentication.httpAuthenticationMethodObject.className=com.ai.aspire.authentication.DigestAuthenticationWithPersistentLoginMethod

request.aspire.authentication.persistentSupportLoginObject.className=com.ai.aspire.authentication.pls.PersistentLoginSupport


aspire:\\reports\\users\\users.properties,
2) ==> Add the following line
aspire:\\reports\\users\\pls.properties,\
aspire:\\reports\\home\\home.properties,
#add this line
request.Aspire.BooleanFunction.whitespace.classname=com.ai.htmlgen.CommonBEEvaluator
3) 
request.Aspire.BooleanFunction.persistentloginenabled.classname=com.ai.aspire.authentication.pls.PersistentLoginEvaluator