[TYPO3-50-general] Touchless Security

Andreas Förthner andreas.foerthner at netlogix.de
Wed Nov 19 17:55:42 CET 2008


Hi,

> So today I tried to understand where the username and password from the 
> TYPO3 login is checked. So there should be a voter-class somewhere.

yes there is a voter for the policy configuration. It's called 
F3::FLOW3::Security::Authorization::Voter::ACL.

> As far as I understand the login uses this class:
> 
> F3::FLOW3::Security::Authentication::Token::UsernamePassword

As Sebastian already told, the corresponding provider is responsible for 
authenticating a user over username and password but that's currently a 
bit inflexible ;-) The token only holds the authentication state (e.g. 
someone is authenticated or not or the current roles).

> And in the FLOW3.yml it's defined that it redirects to typo3/login if 
> the Login is not valid.

This is just a temporary solution to make the backend login work. In the 
near future we will use authentication entry points for that.

> But currently I could not find a code where the password is checked 
> against an existing user. Only admin/password works. So it's also not a 
> kind of fake login.
> So it should be defined somewhere in the TYPO3 package.

Hardcoded in the provider, as already said.

> It seems very touchless ;-)

Of course ;-)

> Furthermore, how is it possible with flow3 to store data in the session 
> and retrieve it?

We have a very basic session implementation in FLOW3::Session, but that 
is far from being final. Hopefully we'll have a session scope soon (see 
Karsten's post).

I'm actually once through my thesis about FLOW3 Security. So give me 
another week and I'll hopefully be back on the missing issues. Hopefully 
we'll soon have a security framework you can actually use ;-) At the 
moment there are some important parts missing to use it for your own 
package/application.

Greets Andi