Hi Endi,
First of all, thank you for your patience on IRC.

Here is a summary of my comments/questions:
* I asked if the login/logout thing can be applied to the other subsystems agent interface
  - you said yes.  I filed a separate ticket to do later:
     https://fedorahosted.org/pki/ticket/902 - Login & logout link/page for CA, KRA, OCSP, TKS

* I asked whether the logout() event can be signalled into the cs service so the event can be audited.  You pondered on some idea, but I put a note in the new ticket so we can look at later.

* I asked if window.crypto.logout stuff works for IE as well (we are required to support IE, as I understand it)?
 - I did a quick search and it seems like IE does not support it, but you can do the following:
  document.execCommand('ClearAuthenticationCache');
   If the research is going to take a long time, then feel free to file a separate ticket to take care of it later.  Otherwise, please make sure IE is supported.

* I asked where the roles under <role-name>*</role-name> are checked.
 - you explained to me that it's checked under ACLInterceptor, where the list of roles is obtained using PKIRealm, which takes acl.properties in for the resource/action ACL mapping and which correctly uses the same underlying group/user framework that's used by the pre-existing non-REST servlets.

* I asked why <login-config> does not need <auth-method>xxx</auth-method> definition in the web.xml
  - You explained that because you have a fallback authenticator called SSLAuthenticatorWithFallback (specified in tps-tomcat/shared/conf/Catalina/localhost/tps.xml) which looks into auth-method.properties to check for the correct authentication method for each op.

Since the first two items are already captured in the new ticket, I think only the 3rd item needs to be considered for either immediate addressing or filing for a new ticket.  It's up to you.

That's all I have.
thanks,
Christina
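
The client-side half of the logout discussed above, as an added example that is not part of this thread or of the TPS code itself: the window.crypto.logout() call is a legacy Gecko/Firefox-only API (since removed from Firefox), and document.execCommand('ClearAuthenticationCache') is the IE-only equivalent Christina found. The logout URL, the injected window/document/fetch parameters and the fake browser objects are assumptions made so the code can be exercised outside a browser; the server is assumed to invalidate its session on a POST to that URL.

```javascript
// Added example, not from the pki-devel thread or Dogtag's own sources.
// Feature-detects the browser's client-cert cache-clearing mechanism and
// invalidates the server session, reporting whether logout was complete.

const LOGOUT_URL = '/tps/logout'; // assumed endpoint; not named in the thread

// Clear whatever client-certificate / TLS-session cache this browser exposes.
// Returns the mechanism used, or 'none' when the browser offers neither, so the
// caller can tell the user to close the browser to finish logging out (otherwise
// the browser silently re-presents the same client cert on the next request).
function clearClientCertState(win, doc) {
  if (win && win.crypto && typeof win.crypto.logout === 'function') {
    // Firefox (legacy, Gecko-only): forgets the chosen cert and SSL session.
    win.crypto.logout();
    return 'crypto.logout';
  }
  if (doc && typeof doc.execCommand === 'function') {
    try {
      // IE: clears cached credentials, including the client cert selection.
      // Other browsers return false or throw for this command.
      if (doc.execCommand('ClearAuthenticationCache')) {
        return 'ClearAuthenticationCache';
      }
    } catch (e) {
      // Unsupported command; fall through to 'none'.
    }
  }
  return 'none';
}

// Full logout. The server session is invalidated first, so that even when the
// client cache cannot be cleared a replayed session cookie no longer works.
// Resolves to a summary the UI can act on.
async function logout(win, doc, fetchFn) {
  const resp = await fetchFn(LOGOUT_URL, { method: 'POST', credentials: 'same-origin' });
  const serverCleared = Boolean(resp && resp.ok);
  const clientMechanism = clearClientCertState(win, doc);
  return {
    serverCleared,
    clientMechanism,
    // Only a full logout when both the server and the client side were torn down.
    complete: serverCleared && clientMechanism !== 'none',
  };
}
```

In a real page the call is logout(window, document, window.fetch.bind(window)); a result with complete === false should be surfaced to the user rather than silently treated as logged out.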

On 03/10/2014 03:42 PM, Endi Sukma Dewata wrote:
The TPS UI has been modified to provide an unprotected front page.
The main TPS UI has been moved into a protected area. The front
page provides a login button which when clicked will ask the user
to authenticate with the client certificate. If the authentication
is successful, the main page will appear. There is also a logout
link on the upper right corner of the main page. When clicked it
will destroy both the client and server sessions.

Ticket #846



_______________________________________________
Pki-devel mailing list
Pki-devel@redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel