...
The JCR based ResourceResolverFactory.getResourceResolver(Map)
knows about the CredentialValidator
implementation and can make use of the Session
object in the map to reuse the existing session.
Complete Steps I: Authenticating HTTP Requests
Requests are authenticated as follows:
- Client makes HTTP Request
- OSGi HTTP Service selects Sling to handle request and calls
HttpContext.handleSecurity
- Sling's
handleSecurity
method callsSlingAuthenticator.handleSecurity
- SlingAuthenticator extractes
AuthenticationInfo
by callingAuthenticationHandler.extractCredentials
- SlingAuthenticator passes
AuthenticationInfo
toCredentialValidator.validate
- (JCR based) CredentialValidator builds JCR Credentials from
AuthenticationInfo
and callsRepository.login
- CredentialValidator creates new AuthenticationInfo object copying all properties from input (except password) and setting the JCR
Session
as another property and returns - SlingAuthenticator sets new
AuthenticationInfo
as request attribute and sets remaining required request attributes and returns - Sling's
handleSecurity
returns successfully - OSGi HTTP Service passes control to
SlingMainServlet
- SlingMainServlet extracts
AuthenticationInfo
from request attribute and callsResourceResolverFactory.getResourceResolver
with thisAuthenticationInfo
(which actually extendsMap
) - (JCR based) ResourceResolverFactory recognizes the existing JCR Session and creates and returns a ResourceResolver based on this session
- SlingMainServlet continues request processing
- Finally SlingMainServlet closes the ResourceResolver at the end of request processing
Issues
The JCR based CredentialValidator
implementation creates a session, which may or may not be used and closed by users of the Sling Commons Auth AuthenticationSupport
service. A mechanism must be implemented to ensure Sessions placed into the AuthenticationInfo
by CredentialValidator
implementations are not left open and thus needlessly consume system resources.