Posted to dev@sling.apache.org by "Felix Meschberger (JIRA)" <ji...@apache.org> on 2010/01/27 20:39:34 UTC

[jira] Commented: (SLING-1116) FORM Based Authentication

    [ https://issues.apache.org/jira/browse/SLING-1116?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12805624#action_12805624 ] 

Felix Meschberger commented on SLING-1116:
------------------------------------------

Thanks for the patches. I have been taking a look at them and they basically look fine.

Just a few comments for discussion:

  * Except for the concrete cookie handling, both are actually the same. How about merging them and making the
     actual handling of the data -- session or cookie -- configurable?

  * Currently the cookie/session data is set in the extractRequestParameterAuthentication method before it is
     known whether the credentials are valid or not. I would assume this can be enhanced with the functionality
     proposed by SLING-1314. Thus the cookie/session data setting could be delayed until after receiving
     the success notification.

  * SessionAuth: dropping credentials and requesting credentials invalidates the session. This is probably not
     good if the session is used for other things. Maybe it would be better to just remove the credentials attribute
     (and only invalidate the session if it becomes empty after removing the credentials)?

  * I have concerns about sending the password back and forth in the cookie handler or keeping the password
     in the session -- even though it is hashed, it looks like it is used as is for authentication and thus is as
     susceptible to snooping as would be a plain text transmission. How about implementing a LoginModulePlugin
     and special credentials we can use in case we deem the cookie/session info valid? This would probably require
     more state to be kept in the authentication handler.

> FORM Based Authentication
> -------------------------
>
>                 Key: SLING-1116
>                 URL: https://issues.apache.org/jira/browse/SLING-1116
>             Project: Sling
>          Issue Type: New Feature
>          Components: Extensions
>            Reporter: Eric Norman
>            Assignee: Felix Meschberger
>         Attachments: org.apache.sling.cookieauth.zip, org.apache.sling.sessionauth.zip
>
>
> This is a new bundle that provides an implementation of forms based authentication for sling.
> The login/logout servlets from the org.apache.sling.commons.auth are used.
> The AuthenticationHandler will use http basic auth credentials if they are on the request, otherwise it will use the user/pwd posted from the login form.
> The login form html is generated by a set of scripts
> 1. login.html.esp     - full login page (includes login_body.html.esp for the form markup)
> 2. login_body.html.esp   - just the login form, which may be useful for drawing the login form for an ajax context
> 3. loginError.html.esp   - full login-error page
> 4. loginError_body.html.esp  - just the login-error form, for login error in ajax context
> The above scripts are included as bundle-resources @ /libs/sling/servlet/default
> The bundle also has a couple of test scripts to show some examples of usage:
> 1. loginTest.html.esp  - shows who is logged in and links to login or logout
> 2. loginTest2.html.esp - shows how a script can check permissions and show a login page if the anonymous user doesn't have permission to see the page.
> Some examples of usage are:
> 1. http://host:port/path/to/node.login.html   - show the login page and then go to http://host:port/path/to/node once authenticated
> 2. http://host:port/path/to/node.login.html?s=.edit.html   - show the login page and then go to http://host:port/path/to/node.edit.html once authenticated
> 3. http://host:port/system/sling/logout  - invalidate the session and switch back to anonymous user

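An added illustration of the fourth point in Felix's comment (example code written for this note, not code from the attached cookieauth/sessionauth bundles or from Sling itself): a cookie that carries a hashed password is accepted whenever it is presented, so a captured value replays like a plaintext password, whereas a server-signed, expiring token carries no password and is the kind of value the "special credentials" for a LoginModulePlugin could be built from. SERVER_SECRET, the function names and the sample users are assumptions.

```python
import hashlib
import hmac

# Constructed secret for this example; a real deployment would generate it
# per instance and keep it server-side only.
SERVER_SECRET = b"example-server-secret-not-for-production"

def hashed_password_cookie(user, password):
    """Constructed stand-in for the pattern the comment warns about: the cookie
    carries a hash of the password and that hash is the credential.  It has no
    expiry, so a captured value can be replayed indefinitely."""
    return f"{user}:{hashlib.sha256(password.encode()).hexdigest()}"

def accepts_hashed_cookie(cookie, stored_hashes):
    """Server side of the pattern above: whenever the cookie is presented,
    however much later, it is accepted as long as the stored hash matches."""
    user, digest = cookie.split(":", 1)
    return stored_hashes.get(user) == digest

def issue_token(user, now, ttl_seconds=3600):
    """Alternative: a server-signed, expiring token that contains no password.
    Only the holder of SERVER_SECRET can mint one."""
    payload = f"{user}:{int(now) + ttl_seconds}"
    mac = hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}:{mac}"

def verify_token(token, now):
    """Return the user id if the token is intact and unexpired, else None.
    The returned user is what the special credentials handed to a
    LoginModulePlugin would carry; no password, hashed or not, is involved."""
    try:
        user, expires, mac = token.rsplit(":", 2)
        expires = int(expires)
    except ValueError:
        return None
    expected = hmac.new(SERVER_SECRET, f"{user}:{expires}".encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):   # constant-time comparison
        return None
    if int(now) >= expires:                      # expired tokens are rejected
        return None
    return user
```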