  • 2nd layer of web security

    assuming the following use case scenario:
    1. user has not been authenticated
    2. user tries to open secure page http://foo/bar.html
    3. system displays login form instead (mechanism: username+password entry)
    4. user logs in
    5. system returns user to http://foo/bar.html
    this is the normal course of an Acegi-enabled website.

    my question is, if after following the above use case (in other words, the user has been authenticated), is there any way that when he/she accesses http://foo/moresecretbar.html, another "login form" (with another mechanism, such as "Please enter the name of the animal you see on the screen") appears and intercepts his/her request?

    refined use case:
    1. user has not been authenticated
    2. user tries to open secure page http://foo/bar.html
    3. system displays login form instead (mechanism: username+password entry)
    4. user logs in
    5. system returns user to http://foo/bar.html
    6. user tries to open secure page http://foo/moresecretbar.html
    7. system displays 2nd layer login form (mechanism: guess animal name)
    8. user answers the question
    9. user proceeds

  • #2
    One way of doing it would be to not mark the Authentication object as authenticated until you have passed through the second layer of security. All you need to do is redirect the successful authentication to your second authentication page. After that, if it's successful, mark it as authenticated.


    • #3
      Originally posted by karldmoore:
      One way of doing it would be to not mark the Authentication object as authenticated until you have passed through the second layer of security. All you need to do is redirect the successful authentication to your second authentication page. After that, if it's successful, mark it as authenticated.
      Oh, I forgot to mention that step 6 onward is optional. He/she will never have to deal with the 2nd layer of authentication unless he/she tries to access super-secure pages.


      • #4
        Hmmm, let me get back to the drawing board.


        • #5
          Originally posted by karldmoore:
          Hmmm, let me get back to the drawing board.
          after finishing your drawing, please help me


          • #6
            I guess you could do this with a ROLE and a filter. You could invent a ROLE which allows the users to access super-secure pages. You only get this upon authenticating to the 2nd layer. You then add a filter which is applied to super secure pages. This does exactly the same job that the existing authentication filter does e.g. check for authentication and if it's not there forward to the logon page. The only difference is you are looking for the ROLE rather than the authentication.


            • #7
              Originally posted by karldmoore:
              I guess you could do this with a ROLE and a filter. You could invent a ROLE which allows the users to access super-secure pages. You only get this upon authenticating to the 2nd layer. You then add a filter which is applied to super secure pages. This does exactly the same job that the existing authentication filter does e.g. check for authentication and if it's not there forward to the logon page. The only difference is you are looking for the ROLE rather than the authentication.
              which means i can't leverage acegi's "interception feature"?


              • #8
                I'm sorry, I don't understand the question. All I was suggesting was replicating what the logon process does. Upon first authentication you don't have the super secure role. When you try and access the super secure page you are redirected to a second logon which adds the required role. It's a suggestion.

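The role-plus-filter approach karldmoore describes, as an added Java sketch for Acegi that is not from the thread or from the Acegi project: a filter mapped only to the super-secure URLs (after Acegi's HttpSessionContextIntegrationFilter, so the session's Authentication is already in the SecurityContextHolder) that intercepts requests lacking the second-layer role exactly the way the logon filter intercepts unauthenticated ones. The role name, the /secondlogin.html page and the session attribute are assumptions.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;
import org.acegisecurity.Authentication;
import org.acegisecurity.GrantedAuthority;
import org.acegisecurity.GrantedAuthorityImpl;
import org.acegisecurity.context.SecurityContextHolder;
import org.acegisecurity.providers.UsernamePasswordAuthenticationToken;

public class SuperSecureRoleFilter implements Filter {
    // Hypothetical names: the role earned at the second logon, and the page that asks the question.
    public static final String SUPER_ROLE = "ROLE_SUPER_SECURE";
    public static final String SECOND_LOGIN_URL = "/secondlogin.html";

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (!hasRole(auth, SUPER_ROLE)) {
            // Same move as the first layer: remember the target, then intercept with the 2nd logon.
            request.getSession().setAttribute("superSecureTarget", request.getRequestURI());
            response.sendRedirect(request.getContextPath() + SECOND_LOGIN_URL);
            return;
        }
        chain.doFilter(req, res);   // role present: let the request through
    }

    static boolean hasRole(Authentication auth, String role) {
        if (auth == null || !auth.isAuthenticated() || auth.getAuthorities() == null) return false;
        for (GrantedAuthority ga : auth.getAuthorities()) {
            if (role.equals(ga.getAuthority())) return true;
        }
        return false;
    }

    /** Called by the second-logon controller only after the animal-name answer has been verified:
     *  replaces the current Authentication with one that also carries SUPER_ROLE. */
    public static void grantSuperSecureRole() {
        Authentication current = SecurityContextHolder.getContext().getAuthentication();
        GrantedAuthority[] old = current.getAuthorities();
        GrantedAuthority[] elevated = new GrantedAuthority[old.length + 1];
        System.arraycopy(old, 0, elevated, 0, old.length);
        elevated[old.length] = new GrantedAuthorityImpl(SUPER_ROLE);
        SecurityContextHolder.getContext().setAuthentication(new UsernamePasswordAuthenticationToken(
                current.getPrincipal(), current.getCredentials(), elevated));
    }

    public void init(FilterConfig cfg) {}
    public void destroy() {}
}
```

Because HttpSessionContextIntegrationFilter writes the SecurityContext back to the session at the end of the request, the elevated Authentication persists for the rest of the session, so the second question is asked once per session, matching the optional step 6 in the refined use case.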

                • #9
                  Originally posted by karldmoore:
                  I'm sorry, I don't understand the question. All I was suggesting was replicating what the logon process does. Upon first authentication you don't have the super secure role. When you try and access the super secure page you are redirected to a second logon which adds the required role. It's a suggestion.
                  ah, it's clearer for me now :-) i was confused reading your previous post. thanks for your suggestion karldmoore, i'll give it a try!


                  • #10
                    Originally posted by wiradikusuma:
                    ah, it's clearer for me now :-) i was confused reading your previous post. thanks for your suggestion karldmoore, i'll give it a try!
                    Did you get anywhere with this?