Friday, February 18, 2011

Feature of the week: authentication

With our latest Release 2.0.11 we migrated BibSonomy's authentication to Spring Security. In this post we want to give you some details and background information.

Remember Me

Before the last release you always got a cookie from BibSonomy after a successful login. This cookie contained your (hashed) password and user name and allowed you to stay logged in for one year. This was clearly security-relevant because when you forgot to log out on a shared computer, one could use your BibSonomy account and could even copy that cookie. Then, one could use it for an unlimited time (until you changed your password, actually) or run a password attack to obtain your plain-text password.

This cookie is now optional - you can use BibSonomy without getting this cookie (cf. this post). Furthermore, the cookie is now encrypted and contains a non-modifiable expiration date of one year. This means that password cracking is now much more complicated and the cookie always expires after one year. You can find more information in the Spring Security manual.

On the sign in page you can now decide whether you want this cookie set or not by (de)activating the stay logged in checkbox:

We recommend to not activate the checkbox when you are using a shared computer (e.g., in an internet cafe). Furthermore, you should always log out when you use such computers.

Note that by using the quick-login that you find in the top right corner of BibSonomy's pages (cf. the next screenshot) you always get the remember me cookie set.


Though BibSonomy supports OpenID authentication for quite a while, the underlying implementation was rather buggy. Now, we are building upon Spring Security's implementation which has been tested in many production environments. Furthermore, we simplified the registration process for OpenID. Actually, if you sign in the first time with your OpenID you have to fill out one form and that's it. If your OpenID provider supports attribute exchange according to, some parts of the form are already filled by the user details you gave your OpenID provider.

LDAP & Co.

For the PUMA project (cf. this post) that is based upon BibSonomy technology we are using Spring Security's LDAP implementation to integrate PUMA into the University Library's user management.

For other setups we are now prepared - we can easily integrate X.509 or CAS authentication since Spring Security supports them out of the box. Other mechanisms can be added in a standardized way by implementing the corresponding interfaces.

Popular Posts