...
Excerpt | ||
---|---|---|
| ||
Separating authentication from ResourceResolver access (ammending Add ResourceResolverFactory Service Interface) (DRAFTNOT IMPLEMENTED) |
Status: DRAFT NOT IMPLEMENTED
Created: 14. March 2010
Author: fmeschbe
JIRA: –
References: Merging Sling API and Commons Auth API
Update: – fmeschbe/27. September 2013
Table of Contents | ||
---|---|---|
|
Update
This concept is not being implemented because in the meantime ResourceProviderFactory
services have been introduced which can be flagged as being mandatory and thus validate credentials from authentication handlers. One such implementation is the JCR Resource Provider which does exactly that and internally validates the credentials by create a JCR Session.
Introduction
With the recent introduction of the Commons Auth Bundle and the current approach to break apart the dependency on JCR API from the Commons Auth Bundle we are faced with an issue of how to authenticate an HTTP request user while at the same time not binding the authentication mechanism to any data repository.
...
The JCR based ResourceResolverFactory.getResourceResolver(Map)
knows about the CredentialValidator
implementation and can make use of the Session
object in the map to reuse the existing session.
Complete Steps Authenticating HTTP Requests
Requests are authenticated as follows:
- Client makes HTTP Request
- OSGi HTTP Service selects Sling to handle request and calls
HttpContext.handleSecurity
- Sling's
handleSecurity
method callsSlingAuthenticator.handleSecurity
- SlingAuthenticator extractes
AuthenticationInfo
by callingAuthenticationHandler.extractCredentials
- SlingAuthenticator passes
AuthenticationInfo
toCredentialValidator.validate
- (JCR based) CredentialValidator builds JCR Credentials from
AuthenticationInfo
and callsRepository.login
- CredentialValidator creates new AuthenticationInfo object copying all properties from input (except password) and setting the JCR
Session
as another property and returns - SlingAuthenticator sets new
AuthenticationInfo
as request attribute and sets remaining required request attributes and returns - Sling's
handleSecurity
returns successfully - OSGi HTTP Service passes control to
SlingMainServlet
- SlingMainServlet extracts
AuthenticationInfo
from request attribute and callsResourceResolverFactory.getResourceResolver
with thisAuthenticationInfo
(which actually extendsMap
) - (JCR based) ResourceResolverFactory recognizes the existing JCR Session and creates and returns a ResourceResolver based on this session
- SlingMainServlet continues request processing
- Finally SlingMainServlet closes the ResourceResolver at the end of request processing
Issues
The JCR based CredentialValidator
implementation creates a session, which may or may not be used and closed by users of the Sling Commons Auth AuthenticationSupport
service. A mechanism must be implemented to ensure Sessions placed into the AuthenticationInfo
by CredentialValidator
implementations are not left open and thus needlessly consume system resources.