
Auth-Flows as a stand alone JAR!

@OhadR OhadR released this 04 Dec 08:10
· 304 commits to master since this release

Authentication-Flows is now a stand-alone JAR, also known as the 'flows jar'. The oauth-srv uses it, and the oauth-client can use it as well. The flows jar is also used by another project in another repo, called 'authentication-flows'.
Currently, the flows jar supports all flows (except change password): forgot password, create account. A mail is sent to the user's inbox (we assume that the 'username' is the email!), containing a link with encrypted data. Endpoints in the flows jar handle these events respectively.

In the next release

  1. I will support Spring data structures even better. It will save me some classes, like the AuthenticationUser interface, and some logic from 'JdbcAuthenticationAccountRepositoryImpl'.
    1.1 issue #17: loadUserByUsername(): throw UsernameNotFoundException if the user is not found (and never return null). Change all callers to adapt.
  2. issue #15: support common-crypto working on systems like GAE, where files cannot be stored. If the keystore does not exist, common-crypto checks a flag before it stores a newly created file; on GAE this flag is false.
  3. issue #7: read Auth-Policy from DB.
  4. issue #11: add login-success-handler.
  5. issue #18: support flow: account lock-out after exceeding max login attempts.
    Support an AuthenticationFailure handler (rather than a listener), so that upon exceeding the number of attempts the user is redirected to an "account locked" page. A listener cannot (and should not) redirect, since it has no request/response.
    Add a bean declaration in spring-servlet.xml for the handler, with all constructor arguments and properties.
  6. Support GAE as another data source: a different implementation for the repository.
  7. Support flow: change password (#20). Two cases: (1) after a successful login, when the password has expired;
    (2) a "change password" link was clicked in the 'hosting' application.
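
A sketch of the failure handler planned in item 5, added here as an illustration and not taken from the flows jar: it implements Spring Security's `AuthenticationFailureHandler`, which receives the request and response a listener lacks. The class name `LockoutFailureHandler`, the in-memory counter, and the constructor arguments (attempt limit, form field name, the two URLs) are assumptions.

```java
import java.io.IOException;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import java.util.concurrent.atomic.AtomicInteger;
import javax.servlet.ServletException;   // jakarta.servlet.* on Spring Security 6 and later
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;

/** Hypothetical handler: counts bad-credential failures per submitted username. */
public class LockoutFailureHandler implements AuthenticationFailureHandler {

    private final int maxAttempts;
    private final String usernameParameter;  // name of the login form's username field
    private final String loginFailureUrl;    // assumed, e.g. "/login?error"
    private final String accountLockedUrl;   // assumed, e.g. "/accountLocked"

    // In-memory stand-in. It is unbounded and keyed by whatever name was submitted,
    // so a real deployment would keep the counter with the account record instead.
    private final ConcurrentMap<String, AtomicInteger> failures = new ConcurrentHashMap<>();

    public LockoutFailureHandler(int maxAttempts, String usernameParameter,
                                 String loginFailureUrl, String accountLockedUrl) {
        this.maxAttempts = maxAttempts;
        this.usernameParameter = usernameParameter;
        this.loginFailureUrl = loginFailureUrl;
        this.accountLockedUrl = accountLockedUrl;
    }

    @Override
    public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response,
            AuthenticationException exception) throws IOException, ServletException {
        String username = request.getParameter(usernameParameter);
        boolean exceeded = false;
        // Only wrong credentials count; disabled or expired accounts fail for other reasons.
        if (username != null && exception instanceof BadCredentialsException) {
            int count = failures.computeIfAbsent(username, k -> new AtomicInteger())
                                .incrementAndGet();
            exceeded = count > maxAttempts;
        }
        // Both targets are fixed server-side paths; nothing from the request is used as a URL.
        String target = exceeded ? accountLockedUrl : loginFailureUrl;
        response.sendRedirect(request.getContextPath() + target);
    }

    /** Call from the login-success handler so the count restarts after a good login. */
    public void reset(String username) {
        failures.remove(username);
    }
}
```

The redirect only informs the user; the account itself still has to be marked locked in the user store (so that `UserDetails.isAccountNonLocked()` returns false), otherwise a later correct password still logs in.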