= AccountServer
The AccountServer is a very lightweight Apache Tomcat application that builds on the [wiki:AccountManager] to provide a set of web pages for internet-based account handling.
Remember to set the {{{accountdatabase}}} env variable if you use this; see [wiki:AccountManager].
= Core functionality
The core of the AccountServer is the {{{/Accounts}}} servlet. It has four modes:
* GET: if query="me", returns info about the current user: a list holding one map with the current "name" and "id". If query="all", returns a list of such maps, one for each known user. It throws error 500 if the user is not logged in.
* POST: this is a login request. The extra data to be sent is a NamePassword structure, which is basically a {'name':XXX, 'password':YYY} JSON structure. As long as the browser does not start a new session (this depends on the browser, but usually it means "staying on the same page") the user stays logged in.
* PUT: this is a register request. The extra data to be sent is a NamePasswordEmail structure, which is basically a {'name':XXX, 'password':YYY, 'email':ZZZ} JSON structure. The email can be empty. This creates a new account if the name.
* DELETE: this is a reset-password request. It takes just the user name (a string) and mails the user a new password. It fails with error 500 if the user does not exist or did not set an email address properly.
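As an added example (not part of this page or of the AccountServer code), a small Python client that drives the four modes above, paired with a constructed in-memory stand-in for the servlet so the whole exchange runs offline. The base URL, the transport callable, the rejection of an already taken name on PUT and the fixed replacement password are assumptions; the client refuses a plain http:// URL because, as the Security section notes, the password travels in clear text.

```python
import json

class FakeAccountServer:
    # Constructed in-memory stand-in for the /Accounts servlet (not the real server): four modes, 500 on failure.
    def __init__(self):
        self.users = {}        # name -> {"id", "password", "email"}
        self.logged_in = None  # user name bound to the current session, if any
    def handle(self, method, query, body):
        if method == "GET":    # query="me" or query="all"; 500 if not logged in
            if self.logged_in is None:
                return 500, "not logged in"
            names = [self.logged_in] if query == "me" else list(self.users)
            return 200, json.dumps([{"name": n, "id": self.users[n]["id"]} for n in names])
        if method == "POST":   # login with a NamePassword structure
            u = self.users.get(body["name"])
            if u is None or u["password"] != body["password"]:
                return 500, "bad credentials"
            self.logged_in = body["name"]
            return 200, ""
        if method == "PUT":    # register with a NamePasswordEmail structure (email may be "")
            if body["name"] in self.users:  # assumption: an already taken name is refused
                return 500, "name already taken"
            self.users[body["name"]] = {"id": len(self.users) + 1,
                                        "password": body["password"], "email": body["email"]}
            return 200, ""
        if method == "DELETE": # reset-password; body is the bare user name
            u = self.users.get(body)
            if u is None or not u["email"]:
                return 500, "unknown user or no email set"
            u["password"] = "NEWPASS"  # constructed; the real server mails a fresh password
            return 200, ""
        return 500, "unsupported method"

class AccountsClient:
    # Thin client; refuses plain http:// because the password travels in clear text.
    def __init__(self, base_url, transport):
        if not base_url.startswith("https://"):
            raise ValueError("AccountServer must be reached over HTTPS")
        self.transport = transport  # callable(method, query, body) -> (status, text)
    def _call(self, method, query=None, body=None):
        status, text = self.transport(method, query, body)
        if status != 200:
            raise RuntimeError(f"{method} /Accounts failed: {status} {text}")
        return json.loads(text) if text else None
    def register(self, name, pw, email=""):
        return self._call("PUT", body={"name": name, "password": pw, "email": email})
    def login(self, name, pw): return self._call("POST", body={"name": name, "password": pw})
    def me(self): return self._call("GET", query="me")
    def all_users(self): return self._call("GET", query="all")
    def reset_password(self, name): return self._call("DELETE", body=name)
```

Against a real deployment the transport would be an HTTPS request to the /Accounts servlet that keeps the session cookie-free the way the page describes; the fake only mirrors the documented status codes.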
= Webpage files
If you run this on a Tomcat server, the start page is {{{http://localhost:8080/accountserver/}}}. You get a login prompt:
[[Image(https://tracinsy.ewi.tudelft.nl/pubtrac/Utilities/raw-attachment/wiki/AccountServer/login.png)]]
To register, click the register button, after which you get this:
[[Image(https://tracinsy.ewi.tudelft.nl/pubtrac/Utilities/raw-attachment/wiki/AccountServer/register.png)]]
If you log in with a valid name/password you get this simplistic page, supposedly to be replaced by your own application:
[[Image(https://tracinsy.ewi.tudelft.nl/pubtrac/Utilities/raw-attachment/wiki/AccountServer/loggedin.png)]]
If you click 'I forgot my password' you go to this:
[[Image(https://tracinsy.ewi.tudelft.nl/pubtrac/Utilities/raw-attachment/wiki/AccountServer/reset.png)]]
After clicking 'reset' you will receive a mail that looks like this:
{{{
This is to inform you that a password reset was requested for user test3.
Your new password is:
x87vqZgW
}}}
= Security, Privacy
The security features of the [wiki:AccountManager] are inherited. It is important, however, that the server is set up to require HTTPS: the password is transmitted in plain text to the server (this is the de facto standard way to do this) and would be in plain sight for every network sniffer if HTTPS were not used.
The password is stored in hashed form, so that even if someone were able to retrieve the password file, it would still be very hard to recover the plain-text password. We use 512-bit hashing to comply with current standards for this.
The AccountManager is designed not to need cookies. This facilitates usage where strict cookie laws apply. Also, the email address for password recovery is kept optional, so that it is possible to use the account manager without storing any reference to the real user. This avoids the need to comply with the many privacy laws that may apply to storing user data.
= Technical note
Firefox appears to create a new session every time you go to a different HTML page, but keeps the same session if you go to a JSP page on the same server. So you should stick with JSP if you want Firefox to operate nicely.
= Extending another project with this
* You can use these dependencies
{{{
<dependency>
  <groupId>javax.servlet</groupId>
  <artifactId>javax.servlet-api</artifactId>
  <version>3.1.0</version>
  <scope>provided</scope>
</dependency>
<dependency>
  <groupId>tudelft.utilities</groupId>
  <artifactId>accountserver</artifactId>
  <version>1.0.0</version>
  <classifier>classes</classifier>
</dependency>
}}}
and this overlay in the maven-war-plugin configuration in your pom's build section (the XML element names were restored from the stripped markup; two values whose element names could not be recovered are marked in comments):
{{{
<plugin>
  <groupId>org.apache.maven.plugins</groupId>
  <artifactId>maven-war-plugin</artifactId>
  <version>3.2.3</version>
  <configuration>
    <!-- the page gives the bare value "**" here (an include pattern); its element name was lost -->
    <overlays>
      <overlay>
        <groupId>tudelft.utilities</groupId>
        <artifactId>accountserver</artifactId>
        <!-- the page gives the bare value "false" here; its element name was lost -->
      </overlay>
    </overlays>
  </configuration>
</plugin>
}}}
* Set the env variable(s) properly
* Remember to add the Accounts servlet to it if you override the web.xml