Specification Authentication Using System Credentials

From Apache OpenOffice Wiki

Use System Credentials for Web Site Authentication

Specification Status
Author | Kai Sommerfeld
Last Change |
Status | Preliminary

Abstract

OOo is able to access resources (web sites, FTP sites, ...) that require authentication. For this, users have to provide a username/password combination. This specification describes an enhancement for OOo that makes it possible (currently only under certain circumstances) to use the system credentials of the currently active OOo user to authenticate for resource access.

References

Reference Document | Check | Location (URL)
Prerequisites | [passed/failed] | n/a
Product Requirement, RFE, Issue ID (required) | [available/not available] | i104767
Accessibility Check (required) | See accessibility section for check list
Test case specification (required) | [available/not available] | <PLEASE ENTER LOCATION HERE>
IDL Specification | [available/not available] | <PLEASE ENTER LOCATION HERE>
Software Specification Rules | n/a | n/a
Other, e.g. references to related specs, Product Concept Document | <PLEASE ENTER LOCATION HERE>

Contacts

Role | Name | E-Mail Address
Developer | Kai Sommerfeld | kso at openoffice dot org
Quality Assurance | Thorsten Martens | tm at openoffice dot org
Documentation | Uwe Fischer | ufi at openoffice dot org
User Experience | Kai Sommerfeld | kso at openoffice dot org

Acronyms and Abbreviations

Acronym / Abbreviation | Definition
NTLM | New Technology LAN Manager

Detailed Specification

The "Use System Credentials" feature is only available under certain circumstances:

  • Supported Platforms: Windows (2000, XP, Vista, 7)
  • Supported Protocols: HTTP, HTTPS (incl. WebDAV Extensions)
  • Supported HTTP Authentication Protocols: "NTLM", "Negotiate"

If all of the above requirements are fulfilled when OOo tries to connect to a restricted resource, additional functionality becomes available in the OOo Password Dialog:

Logindlg.png

See external specification for dialog details.

The new checkbox "use system credentials" allows the user to specify that, instead of entering a username/password combination, the system credentials of the currently logged-in OOo user shall be used to authenticate for the restricted resource. If the checkbox is checked, the entry fields for username and password are disabled.

The checkbox "remember password" or "remember password until end of session" (according to the settings in "Tools/Options/OOo/Security") can be used to specify whether the decision to use system credentials for the resource shall persist across OOo restarts or only until OOo is quit.

If the information is stored across OOo restarts, the URLs of the respective resources can be managed using the "Stored Web Connection Information" dialog (Tools/Options/OOo/Security/Connections). This includes removal of entries. Please note that the button "change password" is disabled if a "system credentials entry" is selected. There is no username stored with this entry, thus it cannot be changed. To indicate that an entry is a "system credentials entry", the dialog displays an asterisk (*) instead of a username.

Webconns.png

Accessibility

Accessibility is the responsibility of the I-Team, beginning with UX, DEV and QA, to ensure that the following requirements are fulfilled:

  1. Is the feature fully keyboard accessible?
    (Ex: "I can go everywhere and use every function using the keyboard only")
    Yes.
  2. Have I specified visual alternatives for the case that the specified feature includes audio as output?
    n/a
  3. Are text alternatives for all icons and graphics available?
    n/a
  4. Don't provide important information in colors alone
    (Ex: marking important information hard coded in red)
    Okay.
  5. Does the specified feature respect system settings for font, size, and color for all windows and user interface elements?
    Yes.
  6. Have I ensured that flash rates do not exceed 2 hertz for blinking text, objects, or other elements? In any case, try to avoid flashing UI elements
    n/a
  7. Ensure that assistive technology (AT) (like ZoomText or Orca) is able to read everything.
    Yes.

Migration

n/a

Configuration

The configuration schema org.openoffice.Office.Common, group "Passwords" has been extended.

<prop oor:name="AuthenticateUsingSystemCredentials" oor:type="oor:string-list">
    <info>
        <author>KSO</author>
        <desc>Contains a list of URLs that should be accessed using system credentials of the user.</desc>
    </info>
</prop>
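
An added example, not part of the OpenOffice code base: a Python audit of the persistent "system credentials" URL list described above, flagging entries that are not HTTPS or that point outside a trusted domain. It assumes the list is stored in a user-profile registry file with the oor:items/item/prop/value layout of the constructed sample; the hosts and the trusted suffix corp.example are made up.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

OOR = "{http://openoffice.org/2001/registry}"  # namespace of the oor: attributes

# Constructed sample: assumed user-profile layout, made-up hosts.
SAMPLE_XCU = """<oor:items xmlns:oor="http://openoffice.org/2001/registry">
  <item oor:path="/org.openoffice.Office.Common/Passwords">
    <prop oor:name="AuthenticateUsingSystemCredentials" oor:op="fuse">
      <value>https://dav.corp.example/docs http://intranet.corp.example/wiki https://files.partner.example/share</value>
    </prop>
  </item>
</oor:items>"""

def system_credential_urls(xcu_text):
    """Return the URLs stored in Passwords/AuthenticateUsingSystemCredentials."""
    urls = []
    for item in ET.fromstring(xcu_text).iter("item"):
        if item.get(OOR + "path") != "/org.openoffice.Office.Common/Passwords":
            continue
        for prop in item.iter("prop"):
            if prop.get(OOR + "name") != "AuthenticateUsingSystemCredentials":
                continue
            for value in prop.iter("value"):
                sep = value.get(OOR + "separator")  # None means whitespace-separated
                parts = [it.text or "" for it in value.findall("it")] or (value.text or "").split(sep)
                urls += [u.strip() for u in parts if u.strip()]
    return urls

def audit(urls, trusted_suffixes):
    """Map each stored URL to a list of findings (empty list = nothing to report)."""
    report = {}
    for url in urls:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        findings = []
        if parts.scheme.lower() != "https":
            findings.append("not HTTPS: NTLM/Negotiate exchange travels without TLS")
        if not any(host == s or host.endswith("." + s) for s in trusted_suffixes):
            findings.append("host outside trusted domains")
        report[url] = findings
    return report

if __name__ == "__main__":
    for url, findings in audit(system_credential_urls(SAMPLE_XCU), ["corp.example"]).items():
        print(url, "->", "; ".join(findings) or "ok")
```

Entries reported here can be removed through the "Stored Web Connection Information" dialog described in the Detailed Specification.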

UNO API

New Types:

  1. Interface com.sun.star.task.XUrlContainer : Storage for arbitrary URLs. Possibility to list, add, remove records. A record's lifetime can be either 'persistent' or 'runtime'.
  2. Interface com.sun.star.ucb.URLAuthenticationRequest : derived from com.sun.star.ucb.AuthenticationRequest; Possibility to specify a URL for the resource an authentication request is made for.
  3. Interface com.sun.star.ucb.XInteractionSupplyAuthentication2 : derived from com.sun.star.ucb.XInteractionSupplyAuthentication; Possibility to specify whether the issuer of the corresponding authentication request shall use system credentials for authentication.

Extended Service implementations:

  1. Service com.sun.star.task.PasswordContainer implementation has been extended to support interface com.sun.star.task.XUrlContainer. The new container can be used to access the persistent (-> configuration item) or runtime (-> memory) entries for the "system credentials" URLs.


File Format

n/a

Open Issues

  1. Not actually an issue, but the feature could be greatly enhanced by supporting more platforms and authentication schemes.