[TYPO3-50-general] Touchless Security

Andreas Förthner andreas.foerthner at netlogix.de
Wed Nov 19 17:55:42 CET 2008


> So today I tried to understand where the username and password from the 
> TYPO3 login is checked. So there should be a voter-class somewhere.

yes there is a voter for the policy configuration. It's called 

> As far as I understand the login uses this class:
> F3::FLOW3::Security::Authentication::Token::UsernamePassword

As Sebastian already told, the correspondig provider is responsible for 
authenticating a user over username and passwerd but that's currently a 
bit inflexible ;-) The token only holds the authentication state (e.g. 
someone is authenticated or not or the current roles)

> And in the FLOW3.yml it's defined that it redirects to typo3/login if 
> the Login is not valid.

This is just a temporary solution to make the backend login work. In the 
near future we will use authentication entry points for that.

> But currently I could not find a code where the password is checked 
> against an existing user. Only admin/password works. So it's also not a 
> kind of fake login.
> So it should be defined somewhere in the TYPO3 package.

Hardedcoded in the provider, as already said.

> It seams very touchless ;-)

Of course ;-)

> Furthermore, how is it possible with flow3 to store data in the session 
> and retrieve it?

We have a very basic session implementation in FLOW3::Session, but that 
is far from beeing final. Hopefully we'll have a session scope soon (see 
Karsten's post)

I'm actually once through my thesis about FLOW3 Security. So give me 
another week and I'll hopefully be back on the missing issues. Hopefully 
we'll have soon a security framework you can actually use ;-) At the 
moment there are some important parts missing to use it for your own 

Greets Andi

More information about the TYPO3-project-5_0-general mailing list