By default, users are not allowed to access any of the data services exposed by the Lollygag framework unless they are authenticated. If you want to enable anonymous users to access a data service, you must explicitly set the allowAnonymous attribute to the value true.
The Lollygag framework uses HMAC MD5 authentication (an industry-standard method) to authenticate users. After a user successfully logs in, the user is provided with an authenticator. The authenticator consists of the user's name and roles hashed with a private server key. Every time the user makes a request to the server in the future, the authenticator is sent with the request. Since the key is private, the user's identity can be verified.
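The issue-then-verify cycle described above, as an added Python sketch that is not Lollygag's own code. The token layout, the function names and the sample key are assumptions made for illustration; the page does not show the framework's wire format.

```python
import base64
import hmac
import json
import secrets

# Assumption: token = base64url(JSON payload) + "." + hex MAC. This layout is
# invented for the example; it is not taken from the Lollygag framework.

def new_server_key() -> bytes:
    """Hypothetical helper: a fresh random private key for the server."""
    return secrets.token_bytes(32)

def _mac(key: bytes, payload: bytes, digest: str = "md5") -> bytes:
    # HMAC-MD5 because that is what the page names; the digest is a parameter.
    return hmac.new(key, payload, digest).hexdigest().encode()

def issue_authenticator(key: bytes, name: str, roles: list) -> str:
    """Called once, after a successful login."""
    # JSON keeps name and roles as separate fields, so ("alice", ["admin"])
    # and ("alice,admin", []) can never serialize to the same bytes.
    payload = json.dumps({"name": name, "roles": sorted(roles)},
                         separators=(",", ":"), sort_keys=True).encode()
    body = base64.urlsafe_b64encode(payload).decode()
    return body + "." + _mac(key, payload).decode()

def verify_authenticator(key: bytes, token: str):
    """Called on every request. Returns (name, roles), or None if invalid."""
    try:
        body, sent_mac = token.split(".", 1)
        payload = base64.urlsafe_b64decode(body.encode())
    except ValueError:  # no separator, or malformed base64
        return None
    # Recompute the MAC with the private key and compare in constant time.
    if not hmac.compare_digest(_mac(key, payload), sent_mac.encode()):
        return None
    claims = json.loads(payload)  # parsed only after the MAC has checked out
    return claims["name"], claims["roles"]

if __name__ == "__main__":
    key = new_server_key()
    token = issue_authenticator(key, "alice", ["editor"])
    print(verify_authenticator(key, token))
    # A client that rewrites its roles but cannot recompute the MAC is rejected.
    forged = base64.urlsafe_b64encode(
        b'{"name":"alice","roles":["admin"]}').decode() + "." + token.split(".")[1]
    print(verify_authenticator(key, forged))
```

The server never stores the authenticator: it trusts the name and roles in a request only because recomputing the MAC requires the private key.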
The private server key is stored in the Lollygag.config file located in the root of your application. In order to make your Lollygag application secure, you must generate a new private key and store it in the Lollygag.config file. You can generate a unique key by using the following tool:
The Lollygag framework includes three widgets related to authentication: the loginform widget, the registerform widget, and the loginlink widget. You can use these three widgets to log in an existing user, register a new user, and log out an authenticated user.