Version 18 (modified by wouter, 5 years ago)


AccountServer

The AccountServer is a very lightweight Apache Tomcat application that builds on top of the AccountManager to provide a set of web pages for internet-based account handling. Remember to set the accountdatabase environment variable if you use this; see AccountManager.

Core functionality

The core of the AccountServer is the /Accounts servlet. It has four modes, selected by the HTTP method:

  • GET: with query="me" it returns information about the current user: a list containing one map with the current "name" and "id". With query="all" it returns a list of such maps, one for each known user. It returns error 500 if the user is not logged in.
  • POST: this is a login request. The data to be sent is a NamePassword structure, which is basically a {'name':XXX, 'password':YYY} JSON structure. As long as the browser does not start a new session (this depends on the browser, but usually it means "staying on the same page") the user stays logged in.
  • PUT: this is a register request. The data to be sent is a NamePasswordEmail structure, which is basically a {'name':XXX, 'password':YYY, 'email':ZZZ} JSON structure. The email can be empty. This creates a new account if the name.
  • DELETE: this is a reset-password request. It takes just the user name (string) and mails the user a new password. It fails with error 500 if the user does not exist or did not set their email properly.
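The following is an added example, not code from the AccountServer project: a small fetch-based JavaScript client for the four modes of the /Accounts servlet listed above, together with an in-memory stand-in for the servlet so that the whole register / login / query / reset exchange can be run offline (for instance with node). Everything the page does not specify is an assumption of the example: that a failed login and a registration with a name that is already in use also answer error 500, that the DELETE body is the JSON-encoded user name, and the response bodies, user ids and mail text the fake produces.

```javascript
// Added example, not code from the AccountServer project. Client for the /Accounts
// servlet as documented above, plus an in-memory fake of that servlet so the
// exchange can be run offline. Not stated on the page, assumed here: failed login
// and duplicate registration answer HTTP 500 like the other error cases, and the
// DELETE body is the JSON-encoded user name.

function accountsClient(baseUrl, fetchImpl = globalThis.fetch) {
  const url = baseUrl.replace(/\/$/, '') + '/Accounts';

  // One helper for all four modes: GET carries ?query=, the others a JSON body.
  async function call(method, { query, body } = {}) {
    const target = query ? `${url}?query=${encodeURIComponent(query)}` : url;
    const init = { method };
    if (body !== undefined) {
      init.headers = { 'Content-Type': 'application/json' };
      init.body = JSON.stringify(body);
    }
    const resp = await fetchImpl(target, init);
    // "Not logged in", "unknown user" and "no email set" all come back as HTTP 500.
    if (!resp.ok) throw new Error(`${method} ${target}: HTTP ${resp.status}`);
    const text = await resp.text();
    return text ? JSON.parse(text) : null;
  }

  return {
    me: () => call('GET', { query: 'me' }),      // [{name, id}] for the current user
    all: () => call('GET', { query: 'all' }),    // [{name, id}, ...] for every user
    login: (name, password) => call('POST', { body: { name, password } }),
    register: (name, password, email = '') =>
      call('PUT', { body: { name, password, email } }),
    resetPassword: (name) => call('DELETE', { body: name }),
  };
}

// In-memory stand-in for the servlet; one instance plays one browser session.
// Passwords are kept in the clear only because this is a test double; the real
// AccountManager stores hashes. Ids are assigned 1, 2, ... in registration order.
function fakeAccountServer() {
  const users = new Map();   // name -> { id, password, email }
  const outbox = [];         // "sent" reset mails, kept for inspection
  let loggedIn = null;       // name bound to this session, or null
  let nextId = 1;

  const reply = (status, payload) => ({
    ok: status >= 200 && status < 300,
    status,
    text: async () => (payload === undefined ? '' : JSON.stringify(payload)),
  });

  async function fetch(target, init = {}) {
    const query = new URL(target).searchParams.get('query');
    const body = init.body === undefined ? undefined : JSON.parse(init.body);
    const entry = (name) => ({ name, id: users.get(name).id });
    switch (init.method) {
      case 'GET':
        if (!loggedIn) return reply(500);
        if (query === 'me') return reply(200, [entry(loggedIn)]);
        if (query === 'all') return reply(200, [...users.keys()].map(entry));
        return reply(500);
      case 'POST': {
        const user = users.get(body.name);
        if (!user || user.password !== body.password) return reply(500);
        loggedIn = body.name;
        return reply(200);
      }
      case 'PUT':
        if (users.has(body.name)) return reply(500);
        users.set(body.name, { id: nextId++, password: body.password, email: body.email || '' });
        return reply(200);
      case 'DELETE': {
        const user = users.get(body);
        if (!user || !user.email) return reply(500);
        user.password = Math.random().toString(36).slice(2, 10);  // fresh password
        outbox.push({ to: user.email, body: `This is to inform you that a password ` +
          `reset was requested for user ${body}. Your new password is: ${user.password}` });
        return reply(200);
      }
      default:
        return reply(405);
    }
  }
  return { fetch, outbox, users };
}

// Runs the full exchange against the fake and returns the text of the reset mail.
async function demo() {
  const server = fakeAccountServer();
  const client = accountsClient('http://localhost:8080/accountserver', server.fetch);
  await client.register('test3', 'initial-pw', 'test3@example.test');
  await client.login('test3', 'initial-pw');
  console.log('me:', await client.me(), 'all:', await client.all());
  await client.resetPassword('test3');
  return server.outbox[0].body;
}
```

Against a real deployment you would call accountsClient('https://your-host/accountserver') and let it use the browser's fetch; the fake exists only to make the error cases (query before login, reset for a user without an email, reset for an unknown name) observable without a running Tomcat.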

Webpage files

If you run this on a Tomcat server, the start page is http://localhost:8080/accountserver/. You get a login prompt:

https://tracinsy.ewi.tudelft.nl/pubtrac/Utilities/raw-attachment/wiki/AccountServer/login.png

To register, you click the register button, after which you get this:

https://tracinsy.ewi.tudelft.nl/pubtrac/Utilities/raw-attachment/wiki/AccountServer/register.png

If you log in with a valid name/password you get this simplistic page, which is supposed to be replaced by your own application:

https://tracinsy.ewi.tudelft.nl/pubtrac/Utilities/raw-attachment/wiki/AccountServer/loggedin.png

If you click 'I forgot my password' you get this:

https://tracinsy.ewi.tudelft.nl/pubtrac/Utilities/raw-attachment/wiki/AccountServer/reset.png

After clicking 'reset' you will receive a mail that looks like this:

This is to inform you that a password reset was requested for user test3. 
Your new password is: 
x87vqZgW

Security, Privacy

The security features of the AccountManager are inherited. It is important, however, that the server is set up to require HTTPS. The password is transmitted to the server in plain text inside the request body (this is the de-facto standard way to do this), so without HTTPS it would be in plain sight for every network sniffer.

The password is stored in hashed form, so that even if someone were able to retrieve the password file, it would still be very hard to recover the plain text password. We use 512-bit hashing to comply with current standards for this. Note that this page does not state whether the hash is salted or iterated; a single unsalted hash leaves identical passwords with identical hashes and is cheap to brute-force, so if a leaked password file is part of your threat model, check how the AccountManager applies it.

Two consequences of the API described above are worth keeping in mind when the server is exposed to the internet: the reset request needs only a user name, so anyone who knows a name can replace that user's password and trigger the mail, and since the reset request answers error 500 for an unknown name, it can be used to check which names exist.

The AccountManager is designed to not need cookies, which facilitates use where strict cookie laws apply. The email address for password recovery is also kept optional, so that the account manager can be used without storing any reference to the real user. This avoids the need to comply with the many privacy laws that may apply to storing user data.

Technical note

Firefox appears to create a new session every time you go to a different HTML page, but keeps the same session if you go to a JSP page on the same server. So you should stick with JSP if you want Firefox to operate nicely. This is consistent with the session being tracked by URL rewriting rather than a cookie: Tomcat appends the session id only to URLs that a JSP page encodes, so a link from a static HTML page loses it.
