incubator-heraldry-commits mailing list archives

From record...@apache.org
Subject svn commit: r500043 - in /incubator/heraldry/idp/pip/trunk: app/controllers/ app/views/account/ config/ lib/ public/stylesheets/
Date Thu, 25 Jan 2007 23:10:53 GMT
Author: recordond
Date: Thu Jan 25 15:10:52 2007
New Revision: 500043

URL: http://svn.apache.org/viewvc?view=rev&rev=500043
Log:
Implement "SafeSignIn" like on MyOpenID
 - New view for this page
 - Cleanup Server controller and before_filter order
 - Add openid_login_required function, like login_required, though it redirects to the new view
 - In account/login see if there is a session error before looking at flash
 - Config setting to enable/disable this feature

Please test; another commit later to polish a bit more.

Added:
    incubator/heraldry/idp/pip/trunk/app/views/account/login_required.rhtml
    incubator/heraldry/idp/pip/trunk/public/stylesheets/login_required.css
Modified:
    incubator/heraldry/idp/pip/trunk/app/controllers/account_controller.rb
    incubator/heraldry/idp/pip/trunk/app/controllers/server_controller.rb
    incubator/heraldry/idp/pip/trunk/config/settings.example.yml
    incubator/heraldry/idp/pip/trunk/lib/authenticated_system.rb

Modified: incubator/heraldry/idp/pip/trunk/app/controllers/account_controller.rb
URL: http://svn.apache.org/viewvc/incubator/heraldry/idp/pip/trunk/app/controllers/account_controller.rb?view=diff&rev=500043&r1=500042&r2=500043
==============================================================================
--- incubator/heraldry/idp/pip/trunk/app/controllers/account_controller.rb (original)
+++ incubator/heraldry/idp/pip/trunk/app/controllers/account_controller.rb Thu Jan 25 15:10:52
2007
@@ -42,8 +42,8 @@
     [:logout, :resend_confirmation, :activate, :edit, :welcome]
   observer :user_observer
   
-  # Don't use the application layout when displaying the current_user action
-  layout "application", :except => [ :current_user ]
+  # Don't use the application layout when displaying certain actions
+  layout "application", :except => [ :current_user, :login_required ]
   
   # Display the landing page for the app.
   # Also performs YADIS content-type negotiation when a subdomain is used.
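Review bot: the new exclusion `layout "application", :except => [ :current_user, :login_required ]` names an action that this diff never defines in AccountController, so the page only renders because Rails falls through to the `login_required.rhtml` template; worse, `login_required` is also the name of the helper AuthenticatedSystem mixes into this controller, and adding a real `def login_required` action later would override the filter used elsewhere. A distinct action name (for example `safe_signin`) avoids the collision; also confirm the new action is reachable without a session, otherwise `openid_login_required` redirects into a loop.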
@@ -71,6 +71,13 @@
   # password:: User#password
   def login
     get_session_variables_from_authenticated_system
+
+    # Do we have a session error we want to copy over to flash?
+    if session[:error]
+      flash.now[:error] = session[:error] 
+      session[:error] = nil
+    end
+
     return unless request.post?
     attempt_to_login_user
 
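Review bot: the copy into `flash.now` happens only in `login`, so when `safe_signin` sends the user to `login_required` instead, `session[:error]` is never consumed and the "You do not own ..." message resurfaces on the next unrelated visit to the login page; clear it in the `login_required` path as well (and `session.delete(:error)` is cleaner than assigning `nil`, which leaves the key in the session). Minor: trailing whitespace on `flash.now[:error] = session[:error] `.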

Modified: incubator/heraldry/idp/pip/trunk/app/controllers/server_controller.rb
URL: http://svn.apache.org/viewvc/incubator/heraldry/idp/pip/trunk/app/controllers/server_controller.rb?view=diff&rev=500043&r1=500042&r2=500043
==============================================================================
--- incubator/heraldry/idp/pip/trunk/app/controllers/server_controller.rb (original)
+++ incubator/heraldry/idp/pip/trunk/app/controllers/server_controller.rb Thu Jan 25 15:10:52
2007
@@ -38,8 +38,8 @@
   skip_before_filter :ssl_required
   before_filter :check_for_xml, :only => :index
   before_filter :login_required,  :only => [:trust_request, :decision]
-  before_filter :check_for_human, :only => :index
   before_filter :verify_current_user_owns_identity_url, :only => :index
+  before_filter :check_for_human, :only => :index
 
   # The primary point of entry for all outside contact with server controller.
   # Handles three types of requests: one from consumer sites, one from users at a browser,
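Review bot: `before_filter :login_required,  :only => [:trust_request, :decision]` still uses the plain helper, so a user whose session expires between `index` and `decision` during an OpenID flow is redirected straight to `account/login`, bypassing the SafeSignIn interstitial this commit introduces; consider `openid_login_required` for those actions too if the anti-phishing rule is meant to cover the whole checkid_setup flow. The reorder itself (ownership check before `check_for_human`) is required by the new design, but note the double space before `:only`.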
@@ -260,24 +260,31 @@
   # http://[_user_login_].idp.com/
   def verify_current_user_owns_identity_url
     if !openid_request.is_a?(OpenID::Server::CheckIDRequest) || openid_request.mode == 'checkid_immediate'
||
-       user_owns_identity_url?
+       user_owns_identity_url?       
       return true
     else
-      flash[:error] = "You do not own #{CGI.escapeHTML(params['openid.identity'])}." +
-                    " Please login with an account that owns this url."
-      store_location
-
-      # The reason there is an explicit redirect here, versus calling "login_required"
-      # like in "check_for_human" is that the user may be logged in though not actually
-      # own the identity URL the request is about.
-      redirect_to :controller => 'account', :action => 'login' and return false
+      # Use sessions here since they may not immediatly goto the login page, so it needs
+      # to persist.
+      session[:error] = "You do not own #{CGI.escapeHTML(params['openid.identity'])}." +
+                        " Please login with an account that owns this url."
+
+      # Don't need to "store_location" since this will happen later when calling
+      # "openid_login_required" from "check_for_human"
+
+      # Tell the view that the user is logged in, though as someone else
+      flash[:not_owner] = true
+
+      # Don't need to redirect the user here, since "check_for_human" is called
+      # later in the "before_filter" chain and thus will take care of redirection
+      # for us.
     end
   end
   
   # If the request is coming from a user at a browser, require the user to login.
   def check_for_human
     session[:previous_protocol] = request.protocol
-    login_required if openid_request.is_a?(OpenID::Server::CheckIDRequest) && openid_request.mode
== 'checkid_setup'
+    
+    openid_login_required if openid_request.is_a?(OpenID::Server::CheckIDRequest) &&
openid_request.mode == 'checkid_setup'
   end
 
   def server # :nodoc:
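Review bot: the else branch of `verify_current_user_owns_identity_url` no longer redirects or returns false, relying on `check_for_human` to do so, but `openid_login_required` returns true immediately when the user is logged in and authorized. A user signed in as a different account than the claimed identity therefore passes both filters and reaches `index` with only `session[:error]` and `flash[:not_owner]` set, which is exactly the case the removed comment ("the user may be logged in though not actually own the identity URL") guarded against. Keep an explicit `redirect_to ... and return false` in this branch, or have `openid_login_required` honour the not-owner condition. Also: the `user_owns_identity_url?` line changes only by added trailing whitespace, and "immediatly" in the new comment.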

Added: incubator/heraldry/idp/pip/trunk/app/views/account/login_required.rhtml
URL: http://svn.apache.org/viewvc/incubator/heraldry/idp/pip/trunk/app/views/account/login_required.rhtml?view=auto&rev=500043
==============================================================================
--- incubator/heraldry/idp/pip/trunk/app/views/account/login_required.rhtml (added)
+++ incubator/heraldry/idp/pip/trunk/app/views/account/login_required.rhtml Thu Jan 25 15:10:52
2007
@@ -0,0 +1,45 @@
+<% # Licensed to the Apache Software Foundation (ASF) under one
+   # or more contributor license agreements.  See the NOTICE file
+   # distributed with this work for additional information
+   # regarding copyright ownership.  The ASF licenses this file
+   # to you under the Apache License, Version 2.0 (the
+   # "License"); you may not use this file except in compliance
+   # with the License.  You may obtain a copy of the License at
+   # 
+   #   http://www.apache.org/licenses/LICENSE-2.0
+   # 
+   # Unless required by applicable law or agreed to in writing,
+   # software distributed under the License is distributed on an
+   # "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+   # KIND, either express or implied.  See the License for the
+   # specific language governing permissions and limitations
+   # under the License. %>
+
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
+  <head>
+    <meta http-equiv="content-type" content="text/html; charset=utf-8" />
+    <title>Identity Provider &mdash Login Required</title>
+    <%= stylesheet_link_tag "login_required" %>
+  </head>
+  <body>
+	<center>
+	<div>
+		<h1>
+			<%= flash[:not_owner] ? "You Don't Own This Identity" : "You Are Not Logged In" %></h1>
+
+		<p>
+			You must directly visit the <%= APP_CONFIG[:app_name] %> login page which is located
at <b>http://<%= APP_CONFIG[:app_host] %>/account/login</b>.
+		</p>
+
+		<p>
+			To help protect your account from phishing attacks, you are not allowed to login when
being redirected as part of an OpenID request.  We recommend bookmarking the <%= APP_CONFIG[:app_name]
%> login page, and using that bookmark to login at the beginning of your browsing session.
 If you're at a computer without your bookmarks, you can type '<b>http://<%= APP_CONFIG[:app_host]
%>/account/login</b>' into the browser's location bar.
+		</p>
+
+		<p>
+			If you are ever asked for your <%= APP_CONFIG[:app_name] %> password somewhere else,
they may be trying to steal your password!  You should never enter your password anywhere
but the <%= APP_CONFIG[:app_name] %> login page.
+		</p>
+	</div>
+	</center>
+  </body>
+</html>
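Review bot: `&mdash` in the `<title>` is missing its semicolon, which makes the document ill-formed under the XHTML 1.0 Strict doctype declared two lines above, and `<center>` is not part of Strict at all. The login URL shown to users is hard-coded as `http://<%= APP_CONFIG[:app_host] %>/account/login` even though the settings file carries an `ssl_disabled` flag, so on an SSL deployment the anti-phishing page teaches users a plain-http address; derive the scheme from configuration. Tab/space indentation is mixed inside `<body>`.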

Modified: incubator/heraldry/idp/pip/trunk/config/settings.example.yml
URL: http://svn.apache.org/viewvc/incubator/heraldry/idp/pip/trunk/config/settings.example.yml?view=diff&rev=500043&r1=500042&r2=500043
==============================================================================
--- incubator/heraldry/idp/pip/trunk/config/settings.example.yml (original)
+++ incubator/heraldry/idp/pip/trunk/config/settings.example.yml Thu Jan 25 15:10:52 2007
@@ -29,3 +29,7 @@
 company_link:     "http://yourcompanylink.com"
 
 ssl_disabled:     true
+
+# Don't allow users to be redirected from an RP directly to the
+# login page itself.  Rather show an intermediary.
+safe_signin:      true
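Review bot: the comment documents only the enabled case; say that `false` restores the direct redirect to `account/login`. Existing deployments whose `settings.yml` predates this key will read `nil` from `APP_CONFIG[:safe_signin]` and get the feature silently off, so state the default here and consider treating an absent key as enabled in code.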

Modified: incubator/heraldry/idp/pip/trunk/lib/authenticated_system.rb
URL: http://svn.apache.org/viewvc/incubator/heraldry/idp/pip/trunk/lib/authenticated_system.rb?view=diff&rev=500043&r1=500042&r2=500043
==============================================================================
--- incubator/heraldry/idp/pip/trunk/lib/authenticated_system.rb (original)
+++ incubator/heraldry/idp/pip/trunk/lib/authenticated_system.rb Thu Jan 25 15:10:52 2007
@@ -90,6 +90,26 @@
     # call overwriteable reaction to unauthorized access
     access_denied and return false
   end
+  
+  # Like login_required, but designed to be used when there is an incoming OpenID
+  # request and thus will redirect to the anti-phishing "you must login" screen
+  def openid_login_required
+      # Unlike "login_required", don't do protected check since this is called
+      # explicitly when needed within controller methods.
+    
+      # check if user is logged in and authorized
+      return true if logged_in? and authorized?(current_user)
+
+      # store current location so that we can 
+      # come back after the user logged in
+      store_location
+
+      if APP_CONFIG[:safe_signin]
+        redirect_to :controller=>"/account", :action =>"login_required" and return
false
+      else
+        redirect_to :controller=>"/account", :action =>"login" and return false
+      end
+  end
 
   # overwrite if you want to have special behavior in case the user is not authorized
   # to access the current operation. 
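Review bot: `openid_login_required` is indented six spaces under a two-space `def`, unlike the surrounding methods; please normalise. The comment "don't do protected check" does not say what check is meant (presumably that this helper is not used as a `before_filter` on protected actions). Because `return true if logged_in? and authorized?(current_user)` exits before any redirect, this helper cannot serve as the redirect for a logged-in user who does not own the identity URL, which `verify_current_user_owns_identity_url` in this commit now assumes it does. Finally, a missing `:safe_signin` key evaluates as false and silently drops the interstitial.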

Added: incubator/heraldry/idp/pip/trunk/public/stylesheets/login_required.css
URL: http://svn.apache.org/viewvc/incubator/heraldry/idp/pip/trunk/public/stylesheets/login_required.css?view=auto&rev=500043
==============================================================================
--- incubator/heraldry/idp/pip/trunk/public/stylesheets/login_required.css (added)
+++ incubator/heraldry/idp/pip/trunk/public/stylesheets/login_required.css Thu Jan 25 15:10:52
2007
@@ -0,0 +1,48 @@
+/* Licensed to the Apache Software Foundation (ASF) under one
+   or more contributor license agreements.  See the NOTICE file
+   distributed with this work for additional information
+   regarding copyright ownership.  The ASF licenses this file
+   to you under the Apache License, Version 2.0 (the
+   "License"); you may not use this file except in compliance
+   with the License.  You may obtain a copy of the License at
+   
+     http://www.apache.org/licenses/LICENSE-2.0
+   
+   Unless required by applicable law or agreed to in writing,
+   software distributed under the License is distributed on an
+   "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+   KIND, either express or implied.  See the License for the
+   specific language governing permissions and limitations
+   under the License. */
+
+/* CSS Document */
+
+p {
+  padding: 5px;
+}
+
+div {
+  width: 80%;
+  text-align: center;
+  border: 2px dashed;
+  background-color: #ffe;
+  padding: 5px;
+}
+
+span {
+}
+
+body {
+  font: 14px Verdana, Arial, Helvetica, sans-serif;
+  background-color: lightgray;
+}
+
+h1.pagebody {
+  font-weight:normal;
+  font-size: 34px;
+}
+  
+h2.pagebody {
+  font-weight:normal;
+  font-size: 24px;
+}
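Review bot: the empty `span {}` rule does nothing and can go; `h1.pagebody` and `h2.pagebody` match nothing in `login_required.rhtml`, which uses a bare `<h1>`, so either add the class in the view or drop the `.pagebody` qualifier. The unqualified `div` selector styles every div on the page, which is fine for this single-div layout but worth scoping if the template grows.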
