...
- The `SlingAuthenticator` class is managed by the `SlingMainServlet` and is used as a backend for the OSGi `HttpContext.handleSecurity` method.
- The `AuthenticationHandler` interface is a service interface, which may be used to extend authentication protocols. Currently Sling includes two implementations of this interface, for standard HTTP Basic authentication and for OpenID authentication.
- To initiate a login, one or more servlets or scripts have to be written which create requests suitable for authentication. For example, the `LoginServlet` of the `org.apache.sling.httpauth` bundle uses an HTML form and Ajax requests to set up HTTP Basic authentication.
- The HTTP Basic authentication handler supports a `sling:authRequestLogin` parameter to have a client request ask for authentication.
This approach currently has two major issues:
- Initiating authentication can only be done by the user requesting the login servlet or script. For example, to initiate HTTP Basic authentication using the `org.apache.sling.httpauth` bundle, the user has to actively request the `/system/sling/login.html` page.
- There is a conceptual break between login initiation (or form rendering) and authentication handling.
- The `sling:authRequestLogin` parameter is only obeyed if HTTP Basic authentication is used and the handler is deemed responsible for the request.
To solve these issues, I suggest we add a new API, which may be used to force the initiation of authentication from servlets or scripts. This new API would be implemented such that an `AuthenticationHandler` is selected based on some path (just like for the actual authentication) and the `AuthenticationHandler.requestAuthentication` method is called.
...
This interface is implemented by the `SlingAuthenticator` class, which is also registered under this service interface. The `SlingAuthenticator` implementation in fact already has an implementation of this method, which finds an `AuthenticationHandler` for the request and calls its `requestAuthentication` method.
Generalize sling:authRequestLogin
The request parameter `sling:authRequestLogin` should be generalized and supported by the `SlingAuthenticator`: if none of the registered authentication handlers is able to extract credentials, this parameter should cause the authenticator to call the `Authenticator.requestAuthentication` method to initiate a login process.
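The two pieces proposed above, path-based selection of an `AuthenticationHandler` for `requestAuthentication` and the generalized `sling:authRequestLogin` handling inside the authenticator, fit together in one dispatch loop. The following is an added model of that loop written for this page; it is not Sling's code. It assumes handlers are registered with a path prefix and the longest matching prefix wins, that a handler exposes `extract_credentials` and `request_authentication`, and that the form handler's cookie name (`sling.formauth`) and the `Request`/`Response` shapes are constructed for the example. The redirect target `/system/sling/login.html` and the parameter name come from the text above.

```python
"""Model of the proposed authentication dispatch (added example, not Sling code).

Assumptions not on the page: longest-prefix handler selection, the
extract_credentials()/request_authentication() method pair, the
'sling.formauth' cookie name, and the Request/Response containers.
"""
import base64
from dataclasses import dataclass, field

REQUEST_LOGIN_PARAM = "sling:authRequestLogin"  # parameter name from the page
LOGIN_PAGE = "/system/sling/login.html"         # login page path from the page


@dataclass
class Request:            # constructed stand-in for HttpServletRequest
    path: str
    headers: dict = field(default_factory=dict)
    params: dict = field(default_factory=dict)


@dataclass
class Response:           # constructed stand-in for HttpServletResponse
    status: int = 200
    headers: dict = field(default_factory=dict)


class AuthenticationHandler:
    """Assumed handler shape: extract credentials, or ask the client to log in."""

    def extract_credentials(self, request):
        raise NotImplementedError

    def request_authentication(self, request, response):
        raise NotImplementedError


class BasicHandler(AuthenticationHandler):
    """HTTP Basic: read the Authorization header, or challenge with 401."""

    def extract_credentials(self, request):
        auth = request.headers.get("Authorization", "")
        if not auth.startswith("Basic "):
            return None
        try:  # only the user name is needed here; no password check in this model
            user, _, _ = base64.b64decode(auth[6:]).decode().partition(":")
        except (ValueError, UnicodeDecodeError):
            return None
        return {"user": user, "scheme": "basic"}

    def request_authentication(self, request, response):
        response.status = 401
        response.headers["WWW-Authenticate"] = 'Basic realm="Sling"'


class FormHandler(AuthenticationHandler):
    """Form login: read an assumed login cookie, or redirect to the login page."""

    def extract_credentials(self, request):
        for part in request.headers.get("Cookie", "").split(";"):
            name, _, value = part.strip().partition("=")
            if name == "sling.formauth" and value:   # assumed cookie name
                return {"user": value, "scheme": "form"}
        return None

    def request_authentication(self, request, response):
        response.status = 302
        response.headers["Location"] = LOGIN_PAGE


class Authenticator:
    """Selects handlers by path and drives the handleSecurity-style flow."""

    def __init__(self):
        self._handlers = []   # list of (path_prefix, handler)

    def register(self, path, handler):
        self._handlers.append((path.rstrip("/") or "/", handler))

    def select_handlers(self, request_path):
        # Candidates whose prefix covers the path, most specific first.
        matches = [(p, h) for p, h in self._handlers
                   if p == "/" or request_path == p or request_path.startswith(p + "/")]
        return [h for _, h in sorted(matches, key=lambda ph: -len(ph[0]))]

    def request_authentication(self, request, response):
        """The proposed API: pick the handler for the path and let it start a login."""
        handlers = self.select_handlers(request.path)
        if not handlers:
            return False
        handlers[0].request_authentication(request, response)
        return True

    def handle_security(self, request, response):
        """Return credentials, or None after a login has been requested."""
        for handler in self.select_handlers(request.path):
            creds = handler.extract_credentials(request)
            if creds is not None:
                return creds
        if REQUEST_LOGIN_PARAM in request.params:   # generalized parameter
            self.request_authentication(request, response)
            return None
        return {"user": "anonymous"}
```

With a `BasicHandler` registered at `/` and a `FormHandler` at `/content`, a request for `/content/page` carrying `sling:authRequestLogin` is redirected to the login page, while the same parameter on `/apps/x` yields a 401 challenge; a request that already carries credentials never reaches the parameter check, which is the behaviour the generalization asks for.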
HTTP Basic Authentication Changes
...