
Re: Timeout token

From: Anselm Baird_Smith <abaird@www43.inria.fr>
Date: Mon, 3 Mar 1997 08:21:01 +0100 (MET)
Message-Id: <199703030721.IAA26061@www43.inria.fr>
To: karenkay@sholink.com (Karen Cheng)
Cc: www-jigsaw@w3.org
Karen Cheng writes:
 > Hi Anselm,
 > 
 > >  > I'd like to make the jigsaw server request a username and password
 > >  > at initial login for each user, and assign a token if he/she is
 > >  > authorized.  Whenever a page is requested, we check the token to
 > >  > see if the idle time is more than 2 minutes.  If it is, then
 > >  > we request him/her to enter a username and password again.
 > >  > 
 > >  > Is there a way to do this using existing jigsaw authentication classes?
 > > 
 > > No, but that's part of DigestAuth, which is to be implemented some day
 > 
 > I've already written a Token class which stores each user's token and
 > the last access time in an entry in a table.  When a page request
 > is made, I pass the token of the user to a method provided by an
 > instance of this class, which validates the token and returns true if 
 > the token is valid and the idle time is less than 2 minutes; and false
 > otherwise.
 > 
 > My questions are:
 > 
 > 1. Where should I instantiate this Token class so that its table entries
 >    stay persistent the whole time?  

Two possibilities:
- Make your Token class a sub-class of Resource, and use either a
SimpleResourceStore or a jdbmResourceStore to store them. For an
example of this, check the w3c.jigsaw.auth.AuthRealm class (AuthUser
is equiv to Token and AuthRealm to the repository)
- Try to use RMI stuff (I have heard that pickling into a hashtable
  works...)

 > 2. Should I create a subclass of the GenericAuthFilter class and
 >    override the authenticate() method to call my Token class's method?
 >    But I don't need the realm and other things that are in the 
 >    GenericAuthFilter class (all the usernames and passwords are 
 >    stored in a database).  Could you please provide some suggestion of
 >    how I should implement this?

You could subclass AuthFilter (an abstract class), but this one
already knows about realms. It might be better to sub-class
ResourceFilter straight...

Anselm.
Received on Monday, 3 March 1997 02:21:10 GMT
