Posted to users@sling.apache.org by Fabian Christ <ch...@googlemail.com> on 2013/03/21 15:18:54 UTC

User Management docs

Hi,

I was playing with the slingbucks example [1]. I noticed that it
required authentication in order to accept POST requests to create new
orders. After logging in via admin:admin at the Sling main page, the
slingbucks order process worked.

My assumption is that the underlying JCR requires authentication
before it allows any write operations, right?

I started to look for documentation on authentication and user
management. I see that there is a user management RESTful API [1] but
cannot find more details about it.

The documentation in [2] is on a low technical level but I am missing
some overview how users should be managed for a webapp. Any hints are
welcome.

[1] https://cwiki.apache.org/confluence/display/SLING/FAQ#FAQ-HowdoIchangeJackrabbit%27sadminpassword%3F
[2] http://sling.apache.org/site/authentication.html

--
Fabian
http://twitter.com/fctwitt

Re: User Management docs

Posted by Martin Phee <ma...@gmail.com>.
Actually, I think this may be it.  Implementing an AuthenticationHandler.

http://sling.apache.org/documentation/the-sling-engine/authentication/authentication-authenticationhandler.html


On Fri, Mar 22, 2013 at 6:47 AM, Martin Phee <ma...@gmail.com> wrote:

> I looked at this some in the past.  There is a security interface you can
> implement to support security outside of Sling.
>
> I believe this is it:
> https://cwiki.apache.org/confluence/display/SLING/Authentication+Initiation#AuthenticationInitiation-NonJCRcentricAuthenticationInfo
>
>
> On Thu, Mar 21, 2013 at 11:07 AM, Fabian Christ <
> christ.fabian@googlemail.com> wrote:
>
>> 2013/3/21 Fabian Christ <ch...@googlemail.com>:
>> > I am missing
>> > some overview how users should be managed for a webapp
>>
>> But I am still missing some information on user management:
>>
>> 1) How do I CRUD users stored inside the JCR
>> 2) How would I manage to CRUD users outside the JCR? (I understand
>> that I have to define the ACL for the users still at JCR level)
>>
>>
>> --
>> Fabian
>> http://twitter.com/fctwitt
>>
>
>

Re: User Management docs

Posted by Martin Phee <ma...@gmail.com>.
I looked at this some in the past.  There is a security interface you can
implement to support security outside of Sling.

I believe this is it:
https://cwiki.apache.org/confluence/display/SLING/Authentication+Initiation#AuthenticationInitiation-NonJCRcentricAuthenticationInfo


On Thu, Mar 21, 2013 at 11:07 AM, Fabian Christ <
christ.fabian@googlemail.com> wrote:

> 2013/3/21 Fabian Christ <ch...@googlemail.com>:
> > I am missing
> > some overview how users should be managed for a webapp
>
> But I am still missing some information on user management:
>
> 1) How do I CRUD users stored inside the JCR
> 2) How would I manage to CRUD users outside the JCR? (I understand
> that I have to define the ACL for the users still at JCR level)
>
>
> --
> Fabian
> http://twitter.com/fctwitt
>

Re: User Management docs

Posted by Fabian Christ <ch...@googlemail.com>.
Thanks Eric,

I do not know why but I never looked in the bundles section of the web
page. Maybe I expected just lists of bundles that Sling provides and
not this kind of information under that topic. It is really helpful
and maybe "Bundles" is not the best header for that page.

Best,
 - Fabian

2013/3/21 Eric Norman <er...@gmail.com>:
> See:
> http://sling.apache.org/documentation/bundles/managing-users-and-groups-jackrabbit-usermanager.html
>
> That should get you started.
>
> Regards,
> Eric
>
>
> On Thu, Mar 21, 2013 at 9:07 AM, Fabian Christ <christ.fabian@googlemail.com> wrote:
>
>> 2013/3/21 Fabian Christ <ch...@googlemail.com>:
>> > I am missing
>> > some overview how users should be managed for a webapp
>>
>> But I am still missing some information on user management:
>>
>> 1) How do I CRUD users stored inside the JCR
>> 2) How would I manage to CRUD users outside the JCR? (I understand
>> that I have to define the ACL for the users still at JCR level)
>>
>>
>> --
>> Fabian
>> http://twitter.com/fctwitt
>>



-- 
Fabian
http://twitter.com/fctwitt

Re: User Management docs

Posted by Eric Norman <er...@gmail.com>.
See:
http://sling.apache.org/documentation/bundles/managing-users-and-groups-jackrabbit-usermanager.html

That should get you started.

Regards,
Eric


On Thu, Mar 21, 2013 at 9:07 AM, Fabian Christ <christ.fabian@googlemail.com> wrote:

> 2013/3/21 Fabian Christ <ch...@googlemail.com>:
> > I am missing
> > some overview how users should be managed for a webapp
>
> But I am still missing some information on user management:
>
> 1) How do I CRUD users stored inside the JCR
> 2) How would I manage to CRUD users outside the JCR? (I understand
> that I have to define the ACL for the users still at JCR level)
>
>
> --
> Fabian
> http://twitter.com/fctwitt
>

Re: User Management docs

Posted by Fabian Christ <ch...@googlemail.com>.
2013/3/21 Fabian Christ <ch...@googlemail.com>:
> I am missing
> some overview how users should be managed for a webapp

But I am still missing some information on user management:

1) How do I CRUD users stored inside the JCR
2) How would I manage to CRUD users outside the JCR? (I understand
that I have to define the ACL for the users still at JCR level)


--
Fabian
http://twitter.com/fctwitt

Re: User Management docs

Posted by Fabian Christ <ch...@googlemail.com>.
Hi,

and sorry for talking to myself here, but maybe this helps others, too ;)

On [1] I found the information about the form based JAAS
authentication in Sling. The interesting sentence is: "The j_username
and j_password parameters are used to create a JCR SimpleCredentials
[2] object to log into the JCR Repository." I assume Sling uses [3] to
log in to the JCR repository, which returns a session object that is
then managed by Sling.

So, when accessing some resource, Sling will try to retrieve the
resource based on the user credentials from the JCR. That means, to
manage access control one has to control it at JCR level.

[1] http://sling.apache.org/site/form-based-authenticationhandler.html
[2] http://www.day.com/maven/javax.jcr/javadocs/jcr-2.0/javax/jcr/SimpleCredentials.html
[3] http://www.day.com/maven/javax.jcr/javadocs/jcr-2.0/javax/jcr/Repository.html#login(javax.jcr.Credentials, java.lang.String)

2013/3/21 Fabian Christ <ch...@googlemail.com>:
> Hi,
>
> I see that most of the AuthenticationHandler [1] is deprecated. I
> think this is the interface to implement when I want to plug in my own
> authentication logic. What is its replacement?
>
> [1] http://sling.apache.org/apidocs/sling6/org/apache/sling/engine/auth/AuthenticationHandler.html
>
> 2013/3/21 Fabian Christ <ch...@googlemail.com>:
>> Hi,
>>
>> I think I have found what I was looking for as an introduction in
>> Jackrabbit [1].
>>
>> [1] http://wiki.apache.org/jackrabbit/AccessControl
>>
>> So from a Sling perspective, I have to log in to the JCR using, e.g.
>> org.apache.sling.jcr.api.SlingRepository.login() somewhere in my code
>> with the right user credentials. But Sling also provides JAAS
>> functionality at the /j_security_check endpoint, right?
>>
>>
>> 2013/3/21 Fabian Christ <ch...@googlemail.com>:
>>> Hi,
>>>
>>> I was playing with the slingbucks example [1]. I noticed that it
>>> required authentication in order to accept POST requests to create new
>>> orders. After logging in via admin:admin at the Sling main page, the
>>> slingbucks order process worked.
>>>
>>> My assumption is that the underlying JCR requires authentication
>>> before it allows any write operations, right?
>>>
>>> I started to look for documentation on authentication and user
>>> management. I see that there is a user management RESTful API [1] but
>>> cannot find more details about it.
>>>
>>> The documentation in [2] is on a low technical level but I am missing
>>> some overview how users should be managed for a webapp. Any hints are
>>> welcome.
>>>
>>> [1] https://cwiki.apache.org/confluence/display/SLING/FAQ#FAQ-HowdoIchangeJackrabbit%27sadminpassword%3F
>>> [2] http://sling.apache.org/site/authentication.html
>>>
>>> --
>>> Fabian
>>> http://twitter.com/fctwitt
>>
>>
>>
>> --
>> Fabian
>> http://twitter.com/fctwitt
>
>
>
> --
> Fabian
> http://twitter.com/fctwitt



-- 
Fabian
http://twitter.com/fctwitt
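
The flow described in the message above (user name and password become SimpleCredentials, Repository.login returns a session, and the repository decides what that session may do), as an added example that is not part of the original thread and not Sling's own code. The class name, method name and the probe node name are assumptions; only javax.jcr API calls are used.

```java
import java.util.Arrays;
import javax.jcr.Credentials;
import javax.jcr.LoginException;
import javax.jcr.Repository;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.SimpleCredentials;

/** Hypothetical helper; its name and the probe node name are assumptions. */
public final class JcrWriteCheck {

    /**
     * Logs in with the submitted user name and password and reports whether
     * that user's session may add a node under parentPath. The decision is
     * made by the repository's access control, not by the web layer.
     */
    public static boolean mayCreateNode(Repository repository, String userId,
            char[] password, String parentPath) throws RepositoryException {
        // SimpleCredentials clones the password array it is given.
        Credentials credentials = new SimpleCredentials(userId, password);
        Session session;
        try {
            // A null workspace name selects the repository's default workspace.
            session = repository.login(credentials, null);
        } catch (LoginException e) {
            // Unknown user or wrong password: no session, so no write access.
            return false;
        } finally {
            // Wipe the caller's copy of the clear-text password.
            Arrays.fill(password, '\0');
        }
        try {
            // For add_node the path is that of the node that would be created;
            // hasPermission only evaluates the ACLs and writes nothing.
            String newNodePath = parentPath.endsWith("/")
                    ? parentPath + "permission-probe"
                    : parentPath + "/permission-probe";
            return session.hasPermission(newNodePath, Session.ACTION_ADD_NODE);
        } finally {
            // Sessions hold repository resources; always release them.
            session.logout();
        }
    }

    private JcrWriteCheck() {
    }
}
```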

Re: User Management docs

Posted by Fabian Christ <ch...@googlemail.com>.
Hi,

I see that most of the AuthenticationHandler [1] is deprecated. I
think this is the interface to implement when I want to plug in my own
authentication logic. What is its replacement?

[1] http://sling.apache.org/apidocs/sling6/org/apache/sling/engine/auth/AuthenticationHandler.html

2013/3/21 Fabian Christ <ch...@googlemail.com>:
> Hi,
>
> I think I have found what I was looking for as an introduction in
> Jackrabbit [1].
>
> [1] http://wiki.apache.org/jackrabbit/AccessControl
>
> So from a Sling perspective, I have to log in to the JCR using, e.g.
> org.apache.sling.jcr.api.SlingRepository.login() somewhere in my code
> with the right user credentials. But Sling also provides JAAS
> functionality at the /j_security_check endpoint, right?
>
>
> 2013/3/21 Fabian Christ <ch...@googlemail.com>:
>> Hi,
>>
>> I was playing with the slingbucks example [1]. I noticed that it
>> required authentication in order to accept POST requests to create new
>> orders. After logging in via admin:admin at the Sling main page, the
>> slingbucks order process worked.
>>
>> My assumption is that the underlying JCR requires authentication
>> before it allows any write operations, right?
>>
>> I started to look for documentation on authentication and user
>> management. I see that there is a user management RESTful API [1] but
>> cannot find more details about it.
>>
>> The documentation in [2] is on a low technical level but I am missing
>> some overview how users should be managed for a webapp. Any hints are
>> welcome.
>>
>> [1] https://cwiki.apache.org/confluence/display/SLING/FAQ#FAQ-HowdoIchangeJackrabbit%27sadminpassword%3F
>> [2] http://sling.apache.org/site/authentication.html
>>
>> --
>> Fabian
>> http://twitter.com/fctwitt
>
>
>
> --
> Fabian
> http://twitter.com/fctwitt



-- 
Fabian
http://twitter.com/fctwitt

Re: User Management docs

Posted by Fabian Christ <ch...@googlemail.com>.
Hi,

I think I have found what I was looking for as an introduction in
Jackrabbit [1].

[1] http://wiki.apache.org/jackrabbit/AccessControl

So from a Sling perspective, I have to log in to the JCR using, e.g.
org.apache.sling.jcr.api.SlingRepository.login() somewhere in my code
with the right user credentials. But Sling also provides JAAS
functionality at the /j_security_check endpoint, right?


2013/3/21 Fabian Christ <ch...@googlemail.com>:
> Hi,
>
> I was playing with the slingbucks example [1]. I noticed that it
> required authentication in order to accept POST requests to create new
> orders. After logging in via admin:admin at the Sling main page, the
> slingbucks order process worked.
>
> My assumption is that the underlying JCR requires authentication
> before it allows any write operations, right?
>
> I started to look for documentation on authentication and user
> management. I see that there is a user management RESTful API [1] but
> cannot find more details about it.
>
> The documentation in [2] is on a low technical level but I am missing
> some overview how users should be managed for a webapp. Any hints are
> welcome.
>
> [1] https://cwiki.apache.org/confluence/display/SLING/FAQ#FAQ-HowdoIchangeJackrabbit%27sadminpassword%3F
> [2] http://sling.apache.org/site/authentication.html
>
> --
> Fabian
> http://twitter.com/fctwitt



-- 
Fabian
http://twitter.com/fctwitt