xuse::UC1::Logon

UC1::Logon

Overview

This use-case describes the sequence of events necessary to logon to the system

Document History

Current Version:1.3
1.1: odlingsmee 2006-01-01 Initial Revision
1.2: odlingsmee 2006-05-23 Upgraded to version 0.2
1.2: odlingsmee 2006-08-07 Added new alternate flow for scenario where max attempts has been exceeded.

Properties

Trigger:The actor wishes to access the web application
Goal:For users to gain legitimate access to the system
Primary Actor:User
Secondary Actor:system
Secondary Actor:Administrator
Pre-Requisites:The user shall be previously registered with the system such that appropriate security credentials are held by the system.
Success Outcome:The user will have logged on and be granted access permissions as dictated by the configuration in the system.
Failure Outcome:The user will not have been granted access to the system - a security administrator will have been informed of repeated failures.
Priority:1
Complexity:1
Package:security

Basic Flow

The user navigates to the web [RQ13] logon screen.
The system challenges [RQ3] the user for a username [RQ1] and password [RQ2].

odlingsmee; 2006-01-21

step3:We need to make sure that the website will support SSL encryption [RQ6] such that the user's details are not transmitted in plain text across the web

The user enters their credentials and submits them to the system.
The system validates that the username and password credentials match those stored.
The system loads up the set of privileges appropriate to the user [RQ7].
The system presents the homepage to the user.
The use-case ends

Alternative Flows

Accessing a protected page directly

At step 1 of the Main Flow when The user attempts to access a protected resource but is not logged on or their session has expired

The user navigates directly to a screen within the system website
The system re-directs the user to the logon screen.
The flow of events continues from step 2 of the Main Flow.

Invalid Credentials

At step 4 of the Main Flow when Credentials supplied are not valid

The system determines that the user is still within their permitted logon attempts [RQ5]
The system re-directs the user to the logon screen.
The flow of events continues from step 2 of the Main Flow.

Invalid Credentials - number of attempts exceeded

The system determines that the user has exhausted their permitted logon attempts [RQ5]
The system re-directs the user to an authentication failure screen.
The system alerts the administrator of the failed logon attempts.
The use-case ends

Specific Requirements

[RQ13] Web UI:The user interface shall be a web (HTTP) user interface to ease deployment and accesibility. (proposed)
[RQ3] Authentication:Authentication shall be established based on the correct username and password combination. (proposed)
[RQ1] Username:The system shall identify users via a unique username. (proposed)
[RQ2] Password:The system shall store passwords against each username. (proposed)
[RQ6] SSL Encryption:The system's website should support SSL Encryption to prevent data being sniffed by malicious parties. (proposed)
[RQ7] Authorisation:The system shall store permissions against each user such that their level of access to the system can be controlled. (proposed)
[RQ5] Failed Logons:If a logon attempt is unsuccesful the system shall inform the user, however specfic reasons for the failure shall not be communicated as this information can prove useful for malicious authentication attempts. (proposed)