5:42 p.m.
The TPS UI has been modified to provide an unprotected front page.
The main TPS UI has been moved into a protected area. The front
page provides a login button which when clicked will ask the user
to authenticate with the client certificate. If the authentication
is successful, the main page will appear. There is also a logout
link on the upper right corner of the main page. When clicked it
will destroy both the client and server sessions.
Ticket #846
--
Endi S. Dewata
12:35 p.m.
Hi Endi,
First of all, thank you for your patience on the irc.
Here is a summary of my comments/questions:
* I asked if the login/logout thing can be applied to the other
subsystems agent interface
- you said yes. I filed a separate ticket to do later:
https://fedorahosted.org/pki/ticket/902 - Login & logout link/page
for CA, KRA, OCSP, TKS
* I asked whether the logout() event can be signalled into the cs
service so the event can be audited. You pondered on some idea, but I
put a note in the new ticket so we can look at later.
* I asked if window.crypto.logout stuff works for IE as well (we are
required to support IE, as I understand it)?
- I did a quick search and it seems like IE does not support it, but
you can do the following:
document.execCommand('ClearAuthenticationCache');
If the research is going to take a long time, then feel free to file
a separate ticket to take care of it later. Otherwise, please make sure
IE is supported.
* I asked where the roles under <role-name>*</role-name> are checked.
- you explained to me that its checked under ACLInterceptor, where the
list of roles is obtained using PKIRealm which takes acl.properties in
for the resource/action acl mapping, and which correctly used the same
underlying group/user framework that's used by the pre-existing non-rest
servlets.
* I asked why <login-config> does not need
<auth-method>xxx</auth-method> definition in the web.xml
- You explained that because you have a fallback authenticator called
SSLAuthenticatorWithFallback (specified in
tps-tomcat/shared/conf/Catalina/localhost/tps.xml) which looks into
auth-method.properties to check for correct authentication method for
each op.
Since the first two items are already captured in the new ticket, I
think only the 3rd item needs to be considered for either immediate
addressing or filing for a new ticket. It's up to you.
That's all I have.
thanks,
Christina
On 03/10/2014 03:42 PM, Endi Sukma Dewata wrote:
The TPS UI has been modified to provide an unprotected front page.
The main TPS UI has been moved into a protected area. The front
page provides a login button which when clicked will ask the user
to authenticate with the client certificate. If the authentication
is successful, the main page will appear. There is also a logout
link on the upper right corner of the main page. When clicked it
will destroy both the client and server sessions.
Ticket #846
_______________________________________________
Pki-devel mailing list
Pki-devel(a)redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel
8:27 p.m.
What cfu said applies.
As for the window.crypto.logout, yes that won't work in IE.
Might also want to check to see if window.cryto exists before calling it?
Also sounds like to audit log logout as cfu suggested would we not need
some support on the back end? At this point it might be reasonable to pursue
logging out the user from the server side.
Othewise if tested to work this seems nice enough to ACK for now.
----- Original Message -----
From: "Christina Fu" <cfu(a)redhat.com>
To: pki-devel(a)redhat.com
Sent: Tuesday, March 11, 2014 10:35:29 AM
Subject: Re: [Pki-devel] [PATCH] 422 Added login page for TPS UI.
Hi Endi,
First of all, thank you for your patience on the irc.
Here is a summary of my comments/questions:
* I asked if the login/logout thing can be applied to the other subsystems
agent interface
- you said yes. I filed a separate ticket to do later:
https://fedorahosted.org/pki/ticket/902 - Login & logout link/page for CA,
KRA, OCSP, TKS
* I asked whether the logout() event can be signalled into the cs service so
the event can be audited. You pondered on some idea, but I put a note in the
new ticket so we can look at later.
* I asked if window.crypto.logout stuff works for IE as well (we are required
to support IE, as I understand it)?
- I did a quick search and it seems like IE does not support it, but you can
do the following:
document.execCommand('ClearAuthenticationCache');
If the research is going to take a long time, then feel free to file a
separate ticket to take care of it later. Otherwise, please make sure IE is
supported.
* I asked where the roles under <role-name>*</role-name> are checked.
- you explained to me that its checked under ACLInterceptor, where the list
of roles is obtained using PKIRealm which takes acl.properties in for the
resource/action acl mapping, and which correctly used the same underlying
group/user framework that's used by the pre-existing non-rest servlets.
* I asked why <login-config> does not need
<auth-method>xxx</auth-method>
definition in the web.xml
- You explained that because you have a fallback authenticator called
SSLAuthenticatorWithFallback (specified in
tps-tomcat/shared/conf/Catalina/localhost/tps.xml) which looks into
auth-method.properties to check for correct authentication method for each
op.
Since the first two items are already captured in the new ticket, I think
only the 3rd item needs to be considered for either immediate addressing or
filing for a new ticket. It's up to you.
That's all I have.
thanks,
Christina
On 03/10/2014 03:42 PM, Endi Sukma Dewata wrote:
The TPS UI has been modified to provide an unprotected front page.
The main TPS UI has been moved into a protected area. The front
page provides a login button which when clicked will ask the user
to authenticate with the client certificate. If the authentication
is successful, the main page will appear. There is also a logout
link on the upper right corner of the main page. When clicked it
will destroy both the client and server sessions.
Ticket #846
_______________________________________________
Pki-devel mailing list Pki-devel(a)redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel
_______________________________________________
Pki-devel mailing list
Pki-devel(a)redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel
2 p.m.
On 3/11/2014 12:35 PM, Christina Fu wrote:
* I asked if window.crypto.logout stuff works for IE as well (we are
required to support IE, as I understand it)?
- I did a quick search and it seems like IE does not support it, but
you can do the following:
document.execCommand('ClearAuthenticationCache');
If the research is going to take a long time, then feel free to file
a separate ticket to take care of it later. Otherwise, please make sure
IE is supported.
I opened this ticket for IE support because we might need some browser
detection mechanism and proper tests:
https://fedorahosted.org/pki/ticket/903
On 3/11/2014 8:27 PM, John Magne wrote:
What cfu said applies.
As for the window.crypto.logout, yes that won't work in IE. Might
also want to check to see if window.cryto exists before calling it?
I added a code to check window.cryto.
Also sounds like to audit log logout as cfu suggested would we not
need some support on the back end? At this point it might be
reasonable to pursue logging out the user from the server side.
Ideally the client would logout from the server, but sometimes the
client would just close the connection without logging out. I added a
possible way to detect such case in the following ticket:
https://fedorahosted.org/pki/ticket/902
Othewise if tested to work this seems nice enough to ACK for now.
This patch has been tested on Firefox. Pushed to master. Thanks all.
--
Endi S. Dewata
3937
days inactive
3940
days old
3 comments
3 participants
participants (3)
-
Christina Fu -
Endi Sukma Dewata -
John Magne