AccountServer
The AccountServer is a very lightweight Apache Tomcat application that builds on top of the AccountManager to provide a set of web pages for internet-based account handling.
Remember to set the accountdatabase environment variable if you use this; see AccountManager.
Core functionality
The core of the AccountServer is the {{{/Accounts}}} servlet. It has four modes, selected by the HTTP method:
- GET: if query="me", returns info about the current user, as a list holding one map with the current "name" and "id"; if query="all", returns a list of such maps, one for each known user. Fails with error 500 if the user is not logged in.
- POST: a login request. The extra data to be sent is a NamePassword structure, which is basically a {'name':XXX, 'password':YYY} JSON structure. The user stays logged in as long as the browser does not start a new session (this depends on the browser, but usually means "staying on the same page").
- PUT: a register request. The extra data to be sent is a NamePasswordEmail structure, which is basically a {'name':XXX, 'password':YYY, 'email':ZZZ} JSON structure. The email can be empty. This creates a new account if the name.
- DELETE: a reset-password request. This takes just the user name (a string) and mails the user a new password. Fails with error 500 if the user does not exist or did not set an email address.
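The four modes above, exercised end to end. This is an added example, not code from the AccountServer project: a small client that keeps the login session in a cookie jar, plus a constructed in-process stand-in for the servlet so the exchange can be run offline. The stand-in implements only the behaviour described on this page; everything else it does is an assumption (the session is carried by Tomcat's usual JSESSIONID cookie, "id" is an integer, the DELETE body is the user name as a JSON string, and the user "test3" with a constructed password and email is seeded so the reset can be observed).

```python
"""Client for the four modes of /Accounts plus a constructed in-process stand-in
for the servlet so the exchange runs offline (assumed: JSESSIONID cookie session)."""
import json, secrets, threading
import http.cookiejar, urllib.error, urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

class AccountClient:
    """Calls <base>/Accounts; the cookie jar keeps the login session alive."""
    def __init__(self, base):
        self.url = base.rstrip("/") + "/Accounts"
        self.opener = urllib.request.build_opener(
            urllib.request.HTTPCookieProcessor(http.cookiejar.CookieJar()))
    def _call(self, method, body=None, query=""):
        req = urllib.request.Request(self.url + (f"?query={query}" if query else ""),
                                     data=None if body is None else json.dumps(body).encode(),
                                     method=method, headers={"Content-Type": "application/json"})
        with self.opener.open(req) as resp:       # raises HTTPError on a 500
            raw = resp.read()
        return json.loads(raw) if raw else None
    def whoami(self):                             # GET ?query=me
        return self._call("GET", query="me")
    def all_users(self):                          # GET ?query=all
        return self._call("GET", query="all")
    def login(self, name, password):              # POST: NamePassword
        return self._call("POST", {"name": name, "password": password})
    def register(self, name, password, email=""): # PUT: NamePasswordEmail
        return self._call("PUT", {"name": name, "password": password, "email": email})
    def reset_password(self, name):               # DELETE: the bare user name (assumed JSON)
        return self._call("DELETE", name)

class FakeAccounts(BaseHTTPRequestHandler):
    """Stand-in implementing only what the page documents; all data is constructed."""
    users = {"test3": {"id": 1, "password": "pw", "email": "test3@example.org"}}
    sessions, mails = {}, []        # JSESSIONID -> name; (email, new password) "sent"
    def log_message(self, *_):      # keep the walkthrough quiet
        pass
    def _body(self):
        n = int(self.headers.get("Content-Length", 0))
        return json.loads(self.rfile.read(n)) if n else None
    def _reply(self, status, payload=None, sid=None):
        self.send_response(status)
        if sid:
            self.send_header("Set-Cookie", f"JSESSIONID={sid}; Path=/")
        self.end_headers()
        if payload is not None:
            self.wfile.write(json.dumps(payload).encode())
    def do_GET(self):
        cookies = dict(p.strip().split("=", 1) for p in
                       self.headers.get("Cookie", "").split(";") if "=" in p)
        user = self.sessions.get(cookies.get("JSESSIONID"))
        if user is None:
            return self._reply(500)  # not logged in
        q = parse_qs(urlparse(self.path).query).get("query", [""])[0]
        names = self.users if q == "all" else [user]
        self._reply(200, [{"name": n, "id": self.users[n]["id"]} for n in names])
    def do_POST(self):              # login: start a session on a correct password
        b = self._body()
        u = self.users.get(b.get("name"))
        if u is None or u["password"] != b.get("password"):
            return self._reply(500)
        sid = secrets.token_hex(8)
        self.sessions[sid] = b["name"]
        self._reply(200, sid=sid)
    def do_PUT(self):               # register; the e-mail may be empty
        b = self._body()
        self.users[b["name"]] = {"id": len(self.users) + 1,
                                 "password": b["password"], "email": b.get("email", "")}
        self._reply(200)
    def do_DELETE(self):            # reset: new password is "mailed" into self.mails
        u = self.users.get(self._body())
        if u is None or not u["email"]:
            return self._reply(500)  # unknown user or no e-mail on file
        u["password"] = secrets.token_urlsafe(6)   # 8 characters, like the page's sample
        self.mails.append((u["email"], u["password"]))
        self._reply(200)

def start_fake_server():
    srv = HTTPServer(("127.0.0.1", 0), FakeAccounts)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"

def walkthrough(base):
    c, out = AccountClient(base), {}      # register, log in, query, reset
    try:
        c.whoami()
    except urllib.error.HTTPError as e:
        out["anon_status"] = e.code       # 500 before login
    c.register("alice", "pw1")            # e-mail left empty
    c.login("alice", "pw1")               # session cookie now stored in the jar
    out["me"] = c.whoami()
    out["names"] = sorted(u["name"] for u in c.all_users())
    try:
        c.reset_password("alice")
    except urllib.error.HTTPError as e:
        out["reset_alice"] = e.code       # 500: no e-mail set
    c.reset_password("test3")             # succeeds; the stand-in records the mail
    return out
```

Point `AccountClient` at a real deployment (for example `https://host/accountserver`) and only the client half is needed; the same cookie jar is what keeps the POST login and the later GET in one session, which is the behaviour the "staying on the same page" remark describes from the browser's side.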
Webpage files
If you run this on a Tomcat server, the start page is http://localhost:8080/accountserver/. You get a login prompt (login.png).
To register, click the register button, after which you get the registration form (register.png).
If you log in with a valid name and password you get a simplistic logged-in page (loggedin.png), meant to be replaced by your own application.
If you click 'I forgot my password' you get the reset page (reset.png).
After clicking 'reset' you will receive a mail that looks like this:
This is to inform you that a password reset was requested for user test3. Your new password is: x87vqZgW
Security
The security properties of the AccountManager are inherited. It is important, however, that the server is set up to require HTTPS: the password is sent to the server in plain text (this is the de-facto standard way to do it), and so is the session identifier that keeps the user logged in, so both would be in plain sight for any network sniffer if HTTPS were not used. Note also that the reset-password request answers with error 500 when the user name does not exist, so a caller who is not logged in can use it to find out which names are registered.
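The servlet-standard way to enforce the HTTPS requirement is a transport guarantee in the application's WEB-INF/web.xml; Tomcat then redirects plain-HTTP requests to the HTTPS connector's port. This is an added example, not the project's own web.xml, and it assumes an HTTPS connector is already configured in server.xml and that the web.xml is Servlet 3.0 or later (needed for the cookie settings). The session-cookie flags keep the logged-in session from being sent over plain HTTP or read from script, which the HTTPS requirement alone does not guarantee.

```xml
<!-- Added example, not the AccountServer project's web.xml: require TLS for the
     whole accountserver context and keep the session cookie off plain HTTP. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>AccountServer</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<session-config>
  <cookie-config>
    <http-only>true</http-only>
    <secure>true</secure>
  </cookie-config>
</session-config>
```

Check it by requesting http://host:8080/accountserver/ after deployment: the response should be a redirect to the https:// URL rather than the login page.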
Technical note
Firefox appears to create a new session every time you go to a different plain HTML page, but keeps the same session if you go to a JSP page on the same server, so stick with JSP if you want Firefox to behave. The servlet session is identified by the JSESSIONID cookie (or by a ;jsessionid= suffix in the URL when cookies are not accepted); a JSP page joins or creates the session by default, whereas a static HTML page is served without touching it. If you see a fresh session on every page, check that the cookie is actually being stored and sent back.
Attachments (4)
- login.png (80.0 KB)
- register.png (88.6 KB)
- loggedin.png (82.5 KB)
- reset.png (68.2 KB)