
TorstenBergmann / UserManagement

Project infos

License MIT
Creation date 2014-04-18

About UserManagement

UserManagement Project

This project includes the implementation of a simple user management that is used to control access to an application. You can use it as a template for your own experiments.

General Project infos

Project location

The project is located at http://smalltalkhub.com/#!/~TorstenBergmann/UserManagement

Installation

To install the code in Pharo, evaluate the following in a workspace (the first expression fetches the configuration package from SmalltalkHub, the second loads the stable version of the project it describes):

"Fetch ConfigurationOfUserManagement from the SmalltalkHub repository"
Gofer new
    url: 'http://smalltalkhub.com/mc/TorstenBergmann/UserManagement/main';
    package: 'ConfigurationOfUserManagement';
    load.
"Load the stable version declared in the configuration"
((Smalltalk at: #ConfigurationOfUserManagement) project stableVersion) load.

License

The code is MIT licensed.

Architecture

To get an overview of the user management, have a look at the category UserManagement-Core-Model within the package UserManagement-Core.

UserManagement

There you will find a class UMUserManagement.

User Management

To get access to the default user management right from a workspace, inspect the default instance of UMUserManagement (the password example below obtains it with UMUserManagement default).

The central part of the user management is a user, identified by a user name that is also used as the login name. A user can log in to the system.

Login use case

User

A user is represented in the class UMUser.

A user

Typically a user belongs to a specific user group, for example the guests of the system or its administrators.

User Group

A user belongs to a group such as 'Administrators' or 'Guests'. User groups are implemented in the class UMUserGroup.

Role

A user can have one or more roles. For instance, the user 'admin' can have the 'Administrator' role. Roles are implemented in the class UMRole.

Access Control Object

Any secured subject requires access control; this control is wrapped in its own class, UMAccessObject.

The right to access a subject therefore has to be granted explicitly: access control objects (ACOs) are collected in an access control list (ACL), and the ACL is attached to a role. A user who holds that role (directly or through his group) is granted the rights listed in it; anything not listed is denied.
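The structure described above (user, group, roles, ACL of access control objects) as a runnable model, added here as an illustration; this is not the project's own code and not Pharo, and the class and method names below (AccessObject, Role, UserGroup, User, can_access, check_access) are assumptions that only mirror the page's description. The point it shows is that access is deny-by-default: a request succeeds only if some role reachable from the user carries a matching access control object.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class AccessObject:
    """One access control object (ACO): the right to perform an action on a secured subject."""
    subject: str
    action: str


@dataclass
class Role:
    """A role carries an access control list (ACL): the set of ACOs it grants."""
    name: str
    acl: set = field(default_factory=set)

    def grant(self, subject, action):
        self.acl.add(AccessObject(subject, action))


@dataclass
class UserGroup:
    """A group such as 'Administrators' or 'Guests'; its roles apply to every member."""
    name: str
    roles: list = field(default_factory=list)


@dataclass
class User:
    """A user is identified by the user name, which doubles as the login name."""
    username: str
    group: UserGroup
    roles: list = field(default_factory=list)  # roles assigned directly to this user

    def effective_roles(self):
        # Roles held directly plus the roles inherited from the user's group.
        return self.roles + self.group.roles

    def can_access(self, subject, action):
        wanted = AccessObject(subject, action)
        # Deny by default: an ACO has to be present in at least one role's ACL.
        return any(wanted in role.acl for role in self.effective_roles())


def build_sample_management():
    """Constructed sample data (not from the page): two groups, three users."""
    administrator = Role("Administrator")
    administrator.grant("users", "create")
    administrator.grant("users", "delete")
    administrator.grant("reports", "read")

    reader = Role("Reader")
    reader.grant("reports", "read")

    auditor = Role("Auditor")
    auditor.grant("audit", "read")

    administrators = UserGroup("Administrators", [administrator])
    guests = UserGroup("Guests", [reader])

    return {
        "admin": User("admin", administrators),
        "guest": User("guest", guests),
        # A guest who additionally holds a direct role on top of the group's roles.
        "auditor": User("auditor", guests, roles=[auditor]),
    }


def check_access(users, username, subject, action):
    """Look the login name up and evaluate the request; unknown names are denied."""
    user = users.get(username)
    if user is None:
        return False
    return user.can_access(subject, action)


if __name__ == "__main__":
    users = build_sample_management()
    for name, subject, action in [("admin", "users", "delete"),
                                  ("guest", "users", "delete"),
                                  ("auditor", "audit", "read"),
                                  ("nobody", "reports", "read")]:
        print(name, subject, action, "->", check_access(users, name, subject, action))
```

Membership in a group contributes roles, and roles contribute ACOs; the check never consults the group name or the user name directly, so adding a right means adding an ACO to a role rather than special-casing a user.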

Security

Secure password

Because we deal with credentials for authentication, and a password should stay as secure as possible, all passwords are hashed with a salt before they are stored.

To convert a clear-text password into its secured form, use:

UMUserManagement default securePassword: 'mysecurePassword'

which returns a hashed string ('A7BA1B952FACBF55EA06E9C84A026579835809A0' in this case, a 40-character hexadecimal digest).

Never store the clear-text password in the instances; always store the hash (see the instance variable securedPassword in the class UMUser). Authentication then hashes the password entered at login the same way and compares the result with the stored value.

Security Advice:

If you use UserManagement as a template for your own applications, change the class-side method UMUserManagement class>>defaultSalt to return your own predefined salt. Keep in mind that this is one salt shared by all users: two users who choose the same password end up with the same stored hash, and the salt only defeats precomputed tables built for other installations. A random per-user salt stored next to the hash, combined with a deliberately slow password hash, is the stronger design.

If you write a web application, use HTTPS in deployment scenarios instead of plain HTTP. Otherwise passwords are sent in clear text over the wire and can be intercepted by a third party.
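The two hashing schemes discussed above side by side, added here as an illustration; this is not the project's code and not Pharo. The shared-salt function only mirrors the shape of the page's securePassword: (one application-wide salt, one hash round, a 40-hex-digit result): the project's real salt and the way it combines salt and password are not on the page, so APP_SALT and the concatenation order are assumptions, and the function will not reproduce the digest quoted above. The second scheme is the per-user-salt alternative recommended in the security advice.

```python
import hashlib
import hmac
import os

# Stand-in for an application-wide salt like the one UMUserManagement class>>defaultSalt
# returns (assumed value; the project's own salt is not on the page).
APP_SALT = b"change-me-in-your-own-application"


def secure_password_shared_salt(password):
    """One shared salt, one SHA-1 round, uppercase hex (mirrors the shape of the page's output).

    The salt/password concatenation order is an assumption."""
    digest = hashlib.sha1(APP_SALT + password.encode("utf-8")).hexdigest()
    return digest.upper()


def verify_shared_salt(password, stored_hash):
    """Login check for the shared-salt scheme: hash the entered password the same way."""
    return hmac.compare_digest(secure_password_shared_salt(password), stored_hash)


def same_password_detectable(hash_a, hash_b):
    """With a shared salt, two users who chose the same password store identical hashes."""
    return hash_a == hash_b


def secure_password_per_user(password, salt=None, iterations=600_000):
    """Per-user random salt plus a slow key derivation (PBKDF2-HMAC-SHA256).

    The salt and the iteration count are stored alongside the derived key so that
    verification needs nothing but the stored string."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), dk.hex())


def verify_per_user(password, stored):
    """Login check for the per-user scheme: re-derive with the stored salt and iterations."""
    algorithm, iterations, salt_hex, dk_hex = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    # Constant-time comparison so the check leaks nothing about how many bytes matched.
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    # Constructed sample: two different users picking the same password.
    alice_shared = secure_password_shared_salt("mysecurePassword")
    bob_shared = secure_password_shared_salt("mysecurePassword")
    print("shared salt, same password detectable:",
          same_password_detectable(alice_shared, bob_shared))

    alice_per_user = secure_password_per_user("mysecurePassword")
    bob_per_user = secure_password_per_user("mysecurePassword")
    print("per-user salt, same password detectable:",
          same_password_detectable(alice_per_user, bob_per_user))
    print("alice logs in:", verify_per_user("mysecurePassword", alice_per_user))
    print("wrong password:", verify_per_user("wrongPassword", alice_per_user))
```

Whichever scheme is used, the comparison at login should be constant-time (hmac.compare_digest here) and the clear-text password must never be written to the user instance or to a log.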