What cfu said applies.
As for the window.crypto.logout, yes that won't work in IE.
Might also want to check to see if window.crypto exists before calling it?
Also sounds like to audit log logout as cfu suggested would we not need
some support on the back end? At this point it might be reasonable to pursue
logging out the user from the server side.
Otherwise if tested to work this seems nice enough to ACK for now.
----- Original Message -----
From: "Christina Fu" <cfu(a)redhat.com>
To: pki-devel(a)redhat.com
Sent: Tuesday, March 11, 2014 10:35:29 AM
Subject: Re: [Pki-devel] [PATCH] 422 Added login page for TPS UI.
Hi Endi,
First of all, thank you for your patience on the irc.
Here is a summary of my comments/questions:
* I asked if the login/logout thing can be applied to the other subsystems
agent interface
- you said yes. I filed a separate ticket to do later:
https://fedorahosted.org/pki/ticket/902 - Login & logout link/page for CA,
KRA, OCSP, TKS
* I asked whether the logout() event can be signalled into the cs service so
the event can be audited. You pondered on some idea, but I put a note in the
new ticket so we can look at later.
* I asked if window.crypto.logout stuff works for IE as well (we are required
to support IE, as I understand it)?
- I did a quick search and it seems like IE does not support it, but you can
do the following:
document.execCommand('ClearAuthenticationCache');
If the research is going to take a long time, then feel free to file a
separate ticket to take care of it later. Otherwise, please make sure IE is
supported.
* I asked where the roles under <role-name>*</role-name> are checked.
- you explained to me that it's checked under ACLInterceptor, where the list
of roles is obtained using PKIRealm which takes acl.properties in for the
resource/action acl mapping, and which correctly used the same underlying
group/user framework that's used by the pre-existing non-rest servlets.
* I asked why <login-config> does not need
<auth-method>xxx</auth-method>
definition in the web.xml
- You explained that because you have a fallback authenticator called
SSLAuthenticatorWithFallback (specified in
tps-tomcat/shared/conf/Catalina/localhost/tps.xml) which looks into
auth-method.properties to check for correct authentication method for each
op.
Since the first two items are already captured in the new ticket, I think
only the 3rd item needs to be considered for either immediate addressing or
filing for a new ticket. It's up to you.
That's all I have.
thanks,
Christina
On 03/10/2014 03:42 PM, Endi Sukma Dewata wrote:
The TPS UI has been modified to provide an unprotected front page.
The main TPS UI has been moved into a protected area. The front
page provides a login button which when clicked will ask the user
to authenticate with the client certificate. If the authentication
is successful, the main page will appear. There is also a logout
link on the upper right corner of the main page. When clicked it
will destroy both the client and server sessions.
Ticket #846
_______________________________________________
Pki-devel mailing list Pki-devel(a)redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel
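The logout handling discussed in the replies above (check that `window.crypto.logout` exists before calling it, fall back to IE's `ClearAuthenticationCache`, and end the session on the server), as an added example that is not part of the thread or of the PKI code. The function names, the `endServerSession` callback and the stand-in browser objects are assumptions made for illustration.

```javascript
// Added example, not PKI project code. `win`/`doc` stand in for window/document
// so the logic can be exercised outside a browser.
function clearClientAuth(win, doc) {
  // Firefox-only API named in the thread; check each level before calling.
  if (win && win.crypto && typeof win.crypto.logout === 'function') {
    try {
      win.crypto.logout();
      return 'crypto.logout';
    } catch (e) { /* fall through to the next method */ }
  }
  // IE-only command named in the thread; other browsers return false for it.
  if (doc && typeof doc.execCommand === 'function') {
    try {
      if (doc.execCommand('ClearAuthenticationCache')) return 'ClearAuthenticationCache';
    } catch (e) { /* unsupported command */ }
  }
  return 'none';
}

// endServerSession is a hypothetical callback that invalidates the server
// session (and is where an audit record could be written); true on success.
function logout(win, doc, endServerSession) {
  let serverEnded = false;
  try { serverEnded = endServerSession() === true; } catch (e) { serverEnded = false; }
  const clientMethod = clearClientAuth(win, doc);
  return {
    serverEnded,
    clientMethod,
    // The browser may still replay the certificate; tell the user to close it.
    adviseCloseBrowser: clientMethod === 'none',
    complete: serverEnded && clientMethod !== 'none',
  };
}

// Constructed stand-ins for three browser environments.
const firefoxLike = { win: { crypto: { logout() {} } }, doc: { execCommand: () => false } };
const ieLike = { win: {}, doc: { execCommand: (c) => c === 'ClearAuthenticationCache' } };
const otherBrowser = { win: { crypto: {} }, doc: { execCommand: () => false } };

for (const [name, env] of Object.entries({ firefoxLike, ieLike, otherBrowser })) {
  console.log(name, logout(env.win, env.doc, () => true));
}
```

The server session is ended regardless of what the browser supports, so a failed or missing client-side call never leaves the server session alive.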