RememberMe authentication
The default login dialog includes a "Remember my login" checkbox, which users can use to persist their login on their workstation. The default validity period of the RememberMe cookie is 1 day (it is configurable), so a user can stay logged in for a whole day before needing to reauthenticate with their credentials.
How does it work?
The user checks the "Remember my login" checkbox on the login screen of GateIn Portal, then submits the form.
An HTTP request such as http://localhost:8080/portal/login?initialURI=/portal/classic&username=root&password=gtn&rememberme=true is sent to the server.
The request is processed by the LoginController servlet. The servlet obtains an instance of RemindPasswordTokenService and saves the user credentials into JCR. The service generates and returns a special token (key) for later use. The servlet then creates a cookie called "rememberme" and uses the returned token as the cookie's value.
Reauthentication
After some time, the user wants to reauthenticate. It is assumed that their HTTP session has already expired but their RememberMe cookie is still valid.
The user sends an HTTP request to some portal page (for example, http://localhost:8080/portal/classic).
A special HTTP filter named RememberMeFilter, configured in web.xml, checks the "rememberme" cookie and then retrieves the user's credentials from RemindPasswordTokenService. The filter then redirects the request to PortalLoginController, and the authentication process proceeds in the same way as for normal FORM-based authentication.
RemindPasswordTokenService
This is a special service used during the RememberMe authentication workflow. It is configured in:
For JBoss: $PLATFORM_JBOSS_HOME/standalone/deployments/platform.ear/exo.portal.web.portal.war/WEB-INF/conf/common/remindpwd-configuration.xml
For Tomcat: $PLATFORM_TOMCAT_HOME/webapps/exo.portal.web.portal.war/WEB-INF/conf/common/remindpwd-configuration.xml
See Authentication token configuration for more details.
You can also encrypt passwords before storing them in JCR. See Password encryption for more details.