From: Loren C. <lor...@gm...> - 2010-03-03 17:49:38
Hello Wolfgang and Dmitriy,

The implementation of OpenID in eXist is great. I am working on adding the recording of the OpenID users and a general purpose session logger for eXist. I am thinking that these two events should be performed with XQuery scripts. The selection of the scripts should be configurable, i.e. when an OpenID user is verified, org.exist.security.openid.SessionAuthentication.java should check to see if a configuration entry org.exist.security.openid.verify_logging_script exists. The entry can be either on the filesystem or in the database. The script should be run as an XQuery and as the admin user.

For our purposes, we would need a script that would add an entry into /system/openid/OpenIDUsers.xml if the user has not already been added to the system. The format of the file would be something like:

<?xml version="1.0" encoding="UTF-8"?>
<OpenIDUsers>
  <OpenIDUser>
    <id>http://john-q-public.myopenid.com</id>
    <CreatedDateTime>2010-02-16T19:20:30.45+00:00</CreatedDateTime>
    <attributes>
      <attribute>
        <name>fullname</name>
        <value>John Q. Public</value>
      </attribute>
      <attribute>
        <name>email</name>
        <value>joh...@ex...</value>
      </attribute>
      <attribute>
        <name>country</name>
        <value>US</value>
      </attribute>
      <attribute>
        <name>language</name>
        <value>EN</value>
      </attribute>
    </attributes>
    <groups>
      <group>guest</group>
    </groups>
  </OpenIDUser>
</OpenIDUsers>

There would also be a session log for logging all user (other than guest) accesses to the system. When a user logs in through either OpenID, eXist internal or LDAP, then a configuration entry org.exist.security.session.logger_script would point to a script that would add an entry to a log file similar to:

<?xml version="1.0" encoding="UTF-8"?>
<SessionLogs>
  <SessionLogStartDateTime>2010-02-16T01:00:00.45+00:00</SessionLogStartDateTime>
  <SessionLogEndDateTime>2010-02-17T01:00:00.00+00:00</SessionLogEndDateTime>
  <SessionLog>
    <SessionID>00129485</SessionID>
    <SessionUser>
      <SessionUserType>OpenID</SessionUserType>
      <SessionUserID>http://john-q-public.myopenid.com</SessionUserID>
      <SessionEvents>
        <SessionEvent>
          <SessionEventType>login</SessionEventType>
          <SessionEventDateTime>2010-02-16T19:20:30.45+00:00</SessionEventDateTime>
          <SessionEventMessage>User John Q. Public logged in from myopenid.com</SessionEventMessage>
        </SessionEvent>
        <SessionEvent>
          <SessionEventType>timeout</SessionEventType>
          <SessionEventDateTime>2010-02-16T19:21:00.45+00:00</SessionEventDateTime>
          <SessionEventMessage>User has been inactive for 15 minutes. Session has timed out.</SessionEventMessage>
        </SessionEvent>
      </SessionEvents>
    </SessionUser>
  </SessionLog>
  <SessionLog>
    <SessionID>00129486</SessionID>
    <SessionUser>
      <SessionUserType>OpenID</SessionUserType>
      <SessionUserID>http://john-q-public.myopenid.com</SessionUserID>
      <SessionEvents>
        <SessionEvent>
          <SessionEventType>login</SessionEventType>
          <SessionEventDateTime>2010-02-16T22:20:30.45+00:00</SessionEventDateTime>
          <SessionEventMessage>User John Q. Public logged in from myopenid.com</SessionEventMessage>
        </SessionEvent>
        <SessionEvent>
          <SessionEventType>logout</SessionEventType>
          <SessionEventDateTime>2010-02-16T23:21:00.45+00:00</SessionEventDateTime>
          <SessionEventMessage>User has logged out of the session.</SessionEventMessage>
        </SessionEvent>
      </SessionEvents>
    </SessionUser>
  </SessionLog>
</SessionLogs>

The current idea is to have the session logging entries in /system/log/{year}/SessionLog-{year}-{month}.xml, but it would be up to the XQuery script implementation as to where the log entries go (in the database, in the filesystem, on another server, etc.). These things are necessary for proper security metrics for our site.

I just need a little help with a code snippet that I can add to org.exist.security.openid.SessionAuthentication.java to run an XQuery script from a reference as the admin user.

Thank you,
Loren
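One way the verify-logging script described in the post could be written, as an added example that is neither from Loren's message nor from the eXist project. It assumes the Java side binds the verified identifier and the provider attributes as external variables (the variable names are hypothetical) and that the script runs as the eXist admin user, since /db/system is not writable otherwise; it uses eXist's xmldb module and its `update insert` extension.

```xquery
xquery version "1.0";
(: Added example (not from the original post or eXist). Records a verified
   OpenID identity in /db/system/openid/OpenIDUsers.xml exactly once.
   Assumption: SessionAuthentication binds these external variables
   (hypothetical names) and runs the script as admin. :)
declare namespace xmldb = "http://exist-db.org/xquery/xmldb";

declare variable $openid-id external;   (: e.g. http://john-q-public.myopenid.com :)
declare variable $fullname  external;
declare variable $email     external;
declare variable $country   external;
declare variable $language  external;

declare variable $collection := "/db/system/openid";
declare variable $document   := "OpenIDUsers.xml";
declare variable $path       := concat($collection, "/", $document);

(: Build one OpenIDUser record in the format from the post. Element
   constructors escape the values, so attribute text supplied by the
   OpenID provider cannot alter the XML structure of the registry. :)
declare function local:new-user() as element(OpenIDUser) {
    <OpenIDUser>
        <id>{$openid-id}</id>
        <CreatedDateTime>{current-dateTime()}</CreatedDateTime>
        <attributes>
            <attribute><name>fullname</name><value>{$fullname}</value></attribute>
            <attribute><name>email</name><value>{$email}</value></attribute>
            <attribute><name>country</name><value>{$country}</value></attribute>
            <attribute><name>language</name><value>{$language}</value></attribute>
        </attributes>
        <groups><group>guest</group></groups>
    </OpenIDUser>
};

if (not(doc-available($path))) then
    (: First verified user: create the collection if needed and store a
       fresh registry containing this user. :)
    (
        if (xmldb:collection-available($collection)) then ()
        else xmldb:create-collection("/db/system", "openid"),
        xmldb:store($collection, $document,
                    <OpenIDUsers>{local:new-user()}</OpenIDUsers>)
    )
else if (exists(doc($path)/OpenIDUsers/OpenIDUser[id = $openid-id])) then
    ()  (: already registered: repeat logins leave the registry unchanged :)
else
    update insert local:new-user() into doc($path)/OpenIDUsers
```

Because the identifier check and the insert run in the same admin-level query, a second login by the same identity is a no-op, which keeps the registry usable for counting distinct OpenID users.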