353702 – Redesign the authentication facility to not use eval on 401

Some Eclipse Foundation services are deprecated, or will be soon. Please ensure you've read this important communication.

Bug 353702 - Redesign the authentication facility to not use eval on 401

Summary: Redesign the authentication facility to not use eval on 401

Status:	RESOLVED FIXED

Alias:	None

Product:	Orion
Classification:	ECD
Component:	Client (show other bugs)
Version:	0.2
Hardware:	PC Windows XP

Importance:	P3 normal (vote)
Target Milestone:	0.3 M2
Assignee:	Szymon Brandys
QA Contact:

URL:
Whiteboard:
Keywords:

Depends on:	354974 355070 355193
Blocks:	354975 355037 355064
	Show dependency tree

Reported:	2011-08-03 03:52 EDT by Szymon Brandys
Modified:	2011-08-22 06:54 EDT (History)
CC List:	2 users (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Szymon Brandys

2011-08-03 03:52:33 EDT

We should not use eval as we do now when 401 happens. The new approach is that on 401 Orion opens a dialog with an IFrame or a separate window which hosts the login UI.

Comment 1 Szymon Brandys

2011-08-03 11:52:51 EDT

The work is in bug353702 branch.

- new login dialog is created (LoginWindow.html)
- eval() in auth.js is removed and now we open the UI in a popup window
- moreover on 401 we don't send any js code now

To do:
- we need somehow to populate the user section in the header. The plan is to have a new UserPlugin that provides links for signIn, signOut and User UI. We will open the first two in popup windows. I'll try to use postMessage to notify the main window whether sign in/out was successful or not. If it does not work we will just use redirect.
- 401 should return the location of SignIn UI, at this point it is hardcoded in auth.js.

Comment 2 Malgorzata Janczarska

2011-08-05 13:06:57 EDT

to out branch I've committed a proof of concept for this point:
>- we need somehow to populate the user section in the header. The plan is to have a new UserPlugin that provides links for signIn, signOut and User UI. We will open the first two in popup windows. I'll try to use postMessage to notify the main window whether sign in/out was successful or not. If it does not work we will just use redirect.
I would like to see how you like it. This is how it works:
1. Any plugin may add a property "auth" containing a link to another plugin that provides authentication
2. authentication plugin is provided by the server
3. authentication plugin provides 3 methods
	* getUser - returns information about the user that is logged it
	* getAuthForm - returns a link to authentication form that is opened in popup
	* logout - loggs out
Current implementation displays information about the first existing authentication plugin. But if we design a proper UI to display more than one SignIn/SignOut we can use more that one authentication plugin.

Comment 3 Szymon Brandys

2011-08-17 11:33:15 EDT

We can authenticate to multiple services now, so the UI for sign in/ sign out/user profile (in the top right corner) needs to be updated. We need something smarter that shows all services that we are logged in and allows to go to appropriate user profile pages. I talked to Gosia about it today and she started looking at it.

Gosia, please open a separate bug for it, if we don't have one yet.

Comment 4 Szymon Brandys

2011-08-22 06:54:27 EDT

branch bug353702 merged to master. Marking this bug fixed.