[Pki-devel] [PATCH] 422 Added login page for TPS UI.

John Magne jmagne at redhat.com
Wed Mar 12 01:27:48 UTC 2014


What cfu said applies.

As for the window.crypto.logout, yes that won't work in IE.
Might also want to check to see if window.crypto exists before calling it?

Also sounds like to audit log logout as cfu suggested would we not need
some support on the back end? At this point it might be reasonable to pursue
logging out the user from the server side.

Otherwise if tested to work this seems nice enough to ACK for now.



----- Original Message -----
> From: "Christina Fu" <cfu at redhat.com>
> To: pki-devel at redhat.com
> Sent: Tuesday, March 11, 2014 10:35:29 AM
> Subject: Re: [Pki-devel] [PATCH] 422 Added login page for TPS UI.
> 
> Hi Endi,
> First of all, thank you for your patience on the irc.
> 
> Here is a summary of my comments/questions:
> * I asked if the login/logout thing can be applied to the other subsystems
> agent interface
> - you said yes. I filed a separate ticket to do later:
> https://fedorahosted.org/pki/ticket/902 - Login & logout link/page for CA,
> KRA, OCSP, TKS
> 
> * I asked whether the logout() event can be signalled into the cs service so
> the event can be audited. You pondered on some idea, but I put a note in the
> new ticket so we can look at later.
> 
> * I asked if window.crypto.logout stuff works for IE as well (we are required
> to support IE, as I understand it)?
> - I did a quick search and it seems like IE does not support it, but you can
> do the following:
> document.execCommand('ClearAuthenticationCache');
> If the research is going to take a long time, then feel free to file a
> separate ticket to take care of it later. Otherwise, please make sure IE is
> supported.
> 
> * I asked where the roles under <role-name>*</role-name> are checked.
> - you explained to me that it's checked under ACLInterceptor, where the list
> of roles is obtained using PKIRealm which takes acl.properties in for the
> resource/action acl mapping, and which correctly used the same underlying
> group/user framework that's used by the pre-existing non-rest servlets.
> 
> * I asked why <login-config> does not need <auth-method>xxx</auth-method>
> definition in the web.xml
> - You explained that because you have a fallback authenticator called
> SSLAuthenticatorWithFallback (specified in
> tps-tomcat/shared/conf/Catalina/localhost/tps.xml) which looks into
> auth-method.properties to check for correct authentication method for each
> op.
> 
> Since the first two items are already captured in the new ticket, I think
> only the 3rd item needs to be considered for either immediate addressing or
> filing for a new ticket. It's up to you.
> 
> That's all I have.
> thanks,
> Christina
> 
> On 03/10/2014 03:42 PM, Endi Sukma Dewata wrote:
> 
> 
> The TPS UI has been modified to provide an unprotected front page.
> The main TPS UI has been moved into a protected area. The front
> page provides a login button which when clicked will ask the user
> to authenticate with the client certificate. If the authentication
> is successful, the main page will appear. There is also a logout
> link on the upper right corner of the main page. When clicked it
> will destroy both the client and server sessions.
> 
> Ticket #846
> 
> 
> 
> _______________________________________________
> Pki-devel mailing list Pki-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-devel
> 
> 
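The feature check and IE fallback discussed in this thread, sketched as an added example that is not part of the patch or of either message. The function names and the `/tps/logout` URL are hypothetical; the server-side step assumes a back-end logout endpoint exists, which is also where an audit record could be written.

```javascript
// Added example. clearClientAuthState, logout and '/tps/logout' are
// hypothetical names, not taken from the patch under review.

// Try each browser-specific way of dropping the cached client-cert
// authentication, and report which one ran.
function clearClientAuthState(win, doc) {
  // Only call window.crypto.logout() if it actually exists.
  if (win && win.crypto && typeof win.crypto.logout === 'function') {
    try {
      win.crypto.logout();
      return 'crypto.logout';
    } catch (e) {
      // Present but failed: fall through to the next mechanism.
    }
  }
  // IE path mentioned in the thread.
  if (doc && typeof doc.execCommand === 'function') {
    try {
      if (doc.execCommand('ClearAuthenticationCache') === true) {
        return 'ClearAuthenticationCache';
      }
    } catch (e) {
      // Some browsers throw on unknown commands; treat as unsupported.
    }
  }
  return 'none';
}

// Always finish on the server: the client-side calls are best effort, so
// the server session must be invalidated whatever the browser supported.
function logout(win, doc, logoutUrl) {
  const method = clearClientAuthState(win, doc);
  win.location.href = logoutUrl; // assumed server-side logout endpoint
  return method;
}

// Constructed stand-ins for window/document so the block runs outside a browser.
const demoWin = { crypto: {}, location: {} };       // no crypto.logout
const demoDoc = { execCommand: () => false };       // command unsupported
console.log(logout(demoWin, demoDoc, '/tps/logout'), demoWin.location.href);
```

When the result is `none`, only the server session has been destroyed and the browser may still present the cached certificate on the next request.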



