Specification Authentication Using System Credentials
Use System Credentials for Web Site Authentication
OOo is able to access resources (web sites, ftp sites, ...) which require authentication. For this, users have to provide a username/password combination. This specification describes an enhancement for OOo that makes it possible (currently only under certain circumstances) to use the system credentials of the currently active OOo user to authenticate for resource access.
|Reference Document||Check||Location (URL)|
|Product Requirement, RFE, Issue ID (required)||[available/not available]||i104767|
|Accessibility Check (required)||See accessibility section for check list|
|Test case specification (required)||[available/not available]||<PLEASE ENTER LOCATION HERE>|
|IDL Specification||[available/not available]||<PLEASE ENTER LOCATION HERE>|
|Software Specification Rules||n/a||n/a|
|Other, e.g. references to related specs, Product Concept Document||<PLEASE ENTER LOCATION HERE>|
|Developer||Kai Sommerfeld||kso at openoffice dot org|
|Quality Assurance||Thorsten Martens||tm at openoffice dot org|
|Documentation||Uwe Fischer||ufi at openoffice dot org|
|User Experience||Kai Sommerfeld||kso at openoffice dot org|
Acronyms and Abbreviations
|Acronym / Abbreviation||Definition|
|NTLM||New Technology LAN Manager|
The "Use System Credentials" feature is only available under certain circumstances:
- Supported Platforms: Windows (2000, XP, Vista, 7)
- Supported Protocols: HTTP, HTTPS (incl. WebDAV Extensions)
- Supported HTTP Authentication Protocols: "NTLM", "Negotiate"
If all of the above requirements are fulfilled while OOo tries to connect to a restricted resource, additional functionality becomes available in the OOo Password Dialog:
The new checkbox "use system credentials" allows the user to specify that, instead of entering a username/password combination, the system credentials of the currently logged-in OOo user shall be used to authenticate for the restricted resource. If the checkbox is checked, the entry fields for username and password are disabled.
The checkbox "remember password" or "remember password until end of session" (according to settings in "Tools/Options/OOo/Security") can be used to specify whether the decision to use system credentials for the resource shall be made persistent across OOo restart or kept only until OOo is quit.
In case the information is stored across OOo restart, the URLs of the respective resources can be managed using the "Stored Web Connection Information" dialog (Tools/Options/OOo/Security/Connections). This includes removal of entries. Please note that the button "change password" is disabled if a "system credentials entry" is selected. There is no username stored with this entry, thus it cannot be changed. To visualize that an entry is a "system credentials entry", the dialog displays an asterisk (*) instead of a username.
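The three availability requirements listed above can be expressed as a single check. The following is an added example, not code from OOo: the function names, the use of Python's `sys.platform` value `win32` to stand for Windows, and the sample challenges are assumptions made for illustration. It parses the server's `WWW-Authenticate` values so that a scheme name appearing only inside a quoted realm does not count as an offered scheme.

```python
import re
from urllib.parse import urlsplit

# Requirements taken from the specification text above.
SUPPORTED_PLATFORMS = {"win32"}                  # sys.platform value for Windows
SUPPORTED_URL_SCHEMES = {"http", "https"}        # WebDAV runs over these
SUPPORTED_AUTH_SCHEMES = {"ntlm", "negotiate"}

_QUOTED = re.compile(r'"(?:\\.|[^"\\])*"')
# An auth-scheme is a token that is NOT followed by "=" (that would be a parameter).
_SCHEME = re.compile(r"^([A-Za-z0-9!#$%&'*+.^_`|~-]+)(?!\s*=)(?:\s|$)")


def offered_auth_schemes(www_authenticate_values):
    """Return the lower-cased auth schemes named in WWW-Authenticate values."""
    schemes = set()
    for value in www_authenticate_values:
        # Blank out quoted strings first: a realm such as "Negotiate, NTLM"
        # must not be mistaken for a challenge.
        for part in _QUOTED.sub('""', value).split(","):
            match = _SCHEME.match(part.strip())
            if match:
                schemes.add(match.group(1).lower())
    return schemes


def system_credentials_offerable(platform, url, www_authenticate_values):
    """Return (ok, unmet) where unmet lists the failed requirements."""
    unmet = []
    if platform not in SUPPORTED_PLATFORMS:
        unmet.append("platform")
    if urlsplit(url).scheme.lower() not in SUPPORTED_URL_SCHEMES:
        unmet.append("protocol")
    if not offered_auth_schemes(www_authenticate_values) & SUPPORTED_AUTH_SCHEMES:
        unmet.append("http-auth-scheme")
    return (not unmet, unmet)


if __name__ == "__main__":
    # Constructed sample challenges, not captured from a real server.
    samples = [
        ("win32", "https://intranet.example/a.odt", ["Negotiate", "NTLM"]),
        ("win32", "https://intranet.example/a.odt", ['Basic realm="Negotiate, NTLM"']),
        ("linux", "https://intranet.example/a.odt", ["NTLM"]),
        ("win32", "ftp://intranet.example/a.odt", ["NTLM"]),
    ]
    for sample in samples:
        print(sample, "->", system_credentials_offerable(*sample))
```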
Accessibility is the responsibility of the I-Team, beginning with UX, DEV and QA, to ensure that the following requirements are fulfilled:
- Is the feature fully keyboard accessible?
(Ex: "I can go everywhere and use every function using the keyboard only")
- Have I specified visual alternatives for the case that the specified feature includes audio as output?
- Are text alternatives for all icons and graphics available?
- Don't provide important information in colors alone
(Ex: marking important information hard coded in red)
- Does the specified feature respect system settings for font, size, and color for all windows and user interface elements?
- Have I ensured that flash rates do not exceed 2 hertz for blinking text, objects, or other elements? In any case, try to avoid flashing UI elements
- Ensure that assistive technology (AT) (like ZoomText or Orca) is able to read everything.
The configuration schema org.openoffice.Office.Common, group "Passwords" has been extended.
<prop oor:name="AuthenticateUsingSystemCredentials" oor:type="oor:string-list">
  <info>
    <author>KSO</author>
    <desc>Contains a list of URLs that should be accessed using system credentials of the user.</desc>
  </info>
</prop>
- Interface com.sun.star.task.XUrlContainer : Storage for arbitrary URLs. Possibility to list, add, remove records. A record's lifetime can be either 'persistent' or 'runtime'.
- Interface com.sun.star.ucb.URLAuthenticationRequest : derived from com.sun.star.ucb.URLAuthenticationRequest; Possibility to specify a URL for the resource an authentication request is made for.
- Interface com.sun.star.ucb.XInteractionSupplyAuthentication2 : derived from com.sun.star.ucb.XInteractionSupplyAuthentication2; Possibility to specify whether the issuer of the corresponding authentication request shall use system credentials for authentication.
Extended Service implementations:
- Service com.sun.star.task.PasswordContainer implementation has been extended to support interface com.sun.star.task.XUrlContainer. The new container can be used to access the persistent (-> configuration item) or runtime (-> memory) entries for the "system credentials" URLs.
- Not actually an issue, but the feature could greatly be enhanced by supporting more platforms and authentication schemes.