Posted to dev@sling.apache.org by Carsten Ziegeler <cz...@apache.org> on 2008/02/22 10:48:09 UTC

Allowing anonymous access per default?

Hi,

currently the sling authenticator disables anonymous requests per default.
I think for convenience we should switch the default to allow anonymous 
requests and rely on the access control of the repository.

If you think of different auth methods like form based authentication,
you need anon access to specific parts anyway. The other solution would 
be to register an auth servlet next to the sling servlet just for these 
kind of things.

WDYT?
Carsten
-- 
Carsten Ziegeler
cziegeler@apache.org

Re: Allowing anonymous access per default?

Posted by Felix Meschberger <fm...@gmail.com>.
+1

On Friday, 22.02.2008, 10:52 +0100, Peter Svensson wrote:
> I don't know if I am allowed to vote or count :)

Sure, anyone on the list is allowed to vote. Even more: Everyone on the
list is invited to vote, such that we get as broad a range of opinions as
possible.

There is only a limited number of votes, where not every vote is counted
equally. One such vote is for a release. In this case all votes are
still welcome for sure, but only votes of the members of the PPMC are
actually counted into the vote outcome.

Regards
Felix

>  But I think that since
> Sling is a generic framework and does not have anything to hide, it would be
> a good idea to make it as easy as possible to 'try it out' for newcomers. As
> long as it is documented how to enable security.
> 
> +1
> 
> Cheers,
> PS
> 
> On Fri, Feb 22, 2008 at 10:48 AM, Carsten Ziegeler <cz...@apache.org>
> wrote:
> 
> > Hi,
> >
> > currently the sling authenticator disables anonymous requests per default.
> > I think for convenience we should switch the default to allow anonymous
> > requests and rely on the access control of the repository.
> >
> > If you think of different auth methods like form based authentication,
> > you need anon access to specific parts anyway. The other solution would
> > be to register an auth servlet next to the sling servlet just for these
> > kind of things.
> >
> > WDYT?
> > Carsten
> > --
> > Carsten Ziegeler
> > cziegeler@apache.org
> >


Re: Allowing anonymous access per default?

Posted by Peter Svensson <ps...@gmail.com>.
I don't know if I am allowed to vote or count :) But I think that since
Sling is a generic framework and does not have anything to hide, it would be
a good idea to make it as easy as possible to 'try it out' for newcomers. As
long as it is documented how to enable security.

+1

Cheers,
PS

On Fri, Feb 22, 2008 at 10:48 AM, Carsten Ziegeler <cz...@apache.org>
wrote:

> Hi,
>
> currently the sling authenticator disables anonymous requests per default.
> I think for convenience we should switch the default to allow anonymous
> requests and rely on the access control of the repository.
>
> If you think of different auth methods like form based authentication,
> you need anon access to specific parts anyway. The other solution would
> be to register an auth servlet next to the sling servlet just for these
> kind of things.
>
> WDYT?
> Carsten
> --
> Carsten Ziegeler
> cziegeler@apache.org
>

Re: Allowing anonymous access per default?

Posted by Tobias Bocanegra <to...@day.com>.
all i'm saying is, that not the fact that the anonymous has no
read/write access to some resource should trigger the 401, but some
configured mechanism that controls which actions on what resources
need an authenticated user.

regards, toby

On 3/2/08, Lars Trieloff <la...@trieloff.net> wrote:
> Hi Tobias,
>
>  401 is unauthorized (not allowed to do something), but anonymous is
>  used when nobody is authenticated (the application does not know who
>  is talking). Without being authenticated, you cannot make any
>  statements about authorization - and this is the problem with sending
>  a 401 as first response.
>
>  And using form-based authentication is by no means a better solution.
>  HTTP has built-in means of authentication and we should use them, so
>  that standard HTTP clients can work with our applications. And this
>  means allowing HTTP Basic or HTTP Digest, using proper challenge-
>  response, so that no preemptive authentication is necessary and so on.
>
>  Using form-based authentication can and should be implemented using a
>  servlet filter that catches 401 responses and renders an HTML form or
>  using a client-side script that uses AJAX for logging in using a
>  styled form and HTTP Basic.
>
>
>
>  On 28.02.2008, at 17:00, Tobias Bocanegra wrote:
>
>  >> If all you send is a 403, the user has no means of logging in.
>  >> Browsers only display the login box if a 401 response has been
>  >> received.
>  > well, 401 is unauthorized - but the anonymous is authorized. thus a
>  > 403 forbidden should be sent, since the user is forbidden to write
>  > content.
>  >
>  > we should avoid using the default basic auth and use form-based auth
>  > instead. this way you can send along your auth cookie and everything
>  > works.
>  >
>  >> If a user is properly logged in and his privileges do not allow to
>  >> access a portion of content, 403 is the right response. But in the
>  >> case
>  >> of the anonymous user that has been logged in by default without ever
>  >> giving the user the possibility to log-on, 401 would be the correct
>  >> response.
>  > i think it's the job of the client to ensure this.
>
>
> You might think so, but in fact, browsers do not send any credentials
>  if they have not been asked for them. And a 401 response is the HTTP
>  way of saying "please tell me who you are", so we should send this
>  response. If your client is a HTTP client programming library you can
>  (in some libraries, not in all) configure it to send preemptive-
>  authentication data, but this is a completely different topic.
>
>  regards,
>
>
>  Lars
>
>
>  --
>  Lars Trieloff
>  lars@trieloff.net
>  http://weblogs.goshaky.com/weblogs/lars
>
>
>


-- 
-----------------------------------------< tobias.bocanegra@day.com >---
Tobias Bocanegra, Day Management AG, Barfuesserplatz 6, CH - 4001 Basel
T +41 61 226 98 98, F +41 61 226 98 97
-----------------------------------------------< http://www.day.com >---

Re: Allowing anonymous access per default?

Posted by Lars Trieloff <la...@trieloff.net>.
Hi Tobias,

401 is unauthorized (not allowed to do something), but anonymous is  
used when nobody is authenticated (the application does not know who  
is talking). Without being authenticated, you cannot make any  
statements about authorization - and this is the problem with sending  
a 401 as first response.

And using form-based authentication is by no means a better solution.  
HTTP has built-in means of authentication and we should use them, so  
that standard HTTP clients can work with our applications. And this  
means allowing HTTP Basic or HTTP Digest, using proper challenge- 
response, so that no preemptive authentication is necessary and so on.

Using form-based authentication can and should be implemented using a  
servlet filter that catches 401 responses and renders an HTML form or  
using a client-side script that uses AJAX for logging in using a  
styled form and HTTP Basic.


On 28.02.2008, at 17:00, Tobias Bocanegra wrote:

>> If all you send is a 403, the user has no means of logging in.
>> Browsers only display the login box if a 401 response has been  
>> received.
> well, 401 is unauthorized - but the anonymous is authorized. thus a
> 403 forbidden should be sent, since the user is forbidden to write
> content.
>
> we should avoid using the default basic auth and use form-based auth
> instead. this way you can send along your auth cookie and everything
> works.
>
>> If a user is properly logged in and his privileges do not allow to
>> access a portion of content, 403 is the right response. But in the
>> case
>> of the anonymous user that has been logged in by default without ever
>> giving the user the possibility to log-on, 401 would be the correct
>> response.
> i think it's the job of the client to ensure this.

You might think so, but in fact, browsers do not send any credentials  
if they have not been asked for them. And a 401 response is the HTTP  
way of saying "please tell me who you are", so we should send this  
response. If your client is a HTTP client programming library you can  
(in some libraries, not in all) configure it to send preemptive-
authentication data, but this is a completely different topic.

regards,

Lars

--
Lars Trieloff
lars@trieloff.net
http://weblogs.goshaky.com/weblogs/lars


Re: Allowing anonymous access per default?

Posted by Tobias Bocanegra <to...@day.com>.
> If all you send is a 403, the user has no means of logging in.
>  Browsers only display the login box if a 401 response has been received.
well, 401 is unauthorized - but the anonymous is authorized. thus a
403 forbidden should be sent, since the user is forbidden to write
content.

we should avoid using the default basic auth and use form-based auth
instead. this way you can send along your auth cookie and everything
works.

>  If a user is properly logged in and his privileges do not allow to
>  access a portion of content, 403 is the right response. But in the case
>  of the anonymous user that has been logged in by default without ever
>  giving the user the possibility to log-on, 401 would be the correct
>  response.
i think it's the job of the client to ensure this.


-- 
-----------------------------------------< tobias.bocanegra@day.com >---
Tobias Bocanegra, Day Management AG, Barfuesserplatz 6, CH - 4001 Basel
T +41 61 226 98 98, F +41 61 226 98 97
-----------------------------------------------< http://www.day.com >---

Re: Allowing anonymous access per default?

Posted by Lars Trieloff <la...@trieloff.net>.
The box is unchecked by default and checking it enabled anonymous  
access. I will file a bug later, as I found a workaround: change the  
anonymous user to admin/admin.

Lars

On 28.02.2008, at 14:56, Felix Meschberger wrote:

> Yes, go to the Sling Console Configuration Page and select
> "Authentication Filter" (yes, this is currently inappropriately named)
> configuration and check the box (if not already checked).

--
Lars Trieloff
lars@trieloff.net
http://weblogs.goshaky.com/weblogs/lars


Re: Allowing anonymous access per default?

Posted by Felix Meschberger <fm...@gmail.com>.
Hi,

On Thursday, 28.02.2008, 14:52 +0100, Lars Trieloff wrote:
> If all you send is a 403, the user has no means of logging in.  
> Browsers only display the login box if a 401 response has been received.
> 
> If a user is properly logged in and his privileges do not allow to  
> access a portion of content, 403 is the right response. But in the case
> of the anonymous user that has been logged in by default without ever  
> giving the user the possibility to log-on, 401 would be the correct  
> response.

Sounds good. But this should be done by the authentication handler of
sling, which is called in case an AccessControlException is thrown.

> 
> regards,
> 
> Lars
> 
> P.S. is there a way to override the automatic login of anonymous per  
> configuration?

Yes, go to the Sling Console Configuration Page and select
"Authentication Filter" (yes, this is currently inappropriately named)
configuration and check the box (if not already checked).

Regards
Felix

> 
> On 28.02.2008, at 14:44, David Nuescheler wrote:
> 
> > hi all,
> >
> > here my +1 for anonymous access by default.
> >
> > also prompting the user with a 401 for something that he does not
> > have read access for is not an option, since in jcr if you are able  
> > to read
> > content there is no way to tell that something exists.
> >
> >>> But still, the desired behavior is to ask the user for  
> >>> authentication if
> >>> he is not authenticated and write permission is denied.
> >> Your problem has nothing to do with the fact that we allow anonymous
> >> access per default now.
> >> Before that you could login as anonymous and would face the same  
> >> problems.
> >> This is rather a problem of the post servlet and the permission  
> >> checking
> >> there. Could you please open an issue?
> >
> > i agree with carsten's assessment.
> >
> > i don't think though that the desired response code for a
> > permission denied on
> > the repository level is a 401 even for "anonymous", but i think it  
> > should
> > be a 403 error code instead. thoughts?
> >
> > regards,
> > david
> 
> --
> Lars Trieloff
> lars@trieloff.net
> http://weblogs.goshaky.com/weblogs/lars
> 


Re: Allowing anonymous access per default?

Posted by Lars Trieloff <la...@trieloff.net>.
If all you send is a 403, the user has no means of logging in.  
Browsers only display the login box if a 401 response has been received.

If a user is properly logged in and his privileges do not allow to  
access a portion of content, 403 is the right response. But in the case
of the anonymous user that has been logged in by default without ever  
giving the user the possibility to log-on, 401 would be the correct  
response.

regards,

Lars

P.S. is there a way to override the automatic login of anonymous per  
configuration?

On 28.02.2008, at 14:44, David Nuescheler wrote:

> hi all,
>
> here my +1 for anonymous access by default.
>
> also prompting the user with a 401 for something that he does not
> have read access for is not an option, since in jcr if you are able  
> to read
> content there is no way to tell that something exists.
>
>>> But still, the desired behavior is to ask the user for  
>>> authentication if
>>> he is not authenticated and write permission is denied.
>> Your problem has nothing to do with the fact that we allow anonymous
>> access per default now.
>> Before that you could login as anonymous and would face the same  
>> problems.
>> This is rather a problem of the post servlet and the permission  
>> checking
>> there. Could you please open an issue?
>
> i agree with carsten's assessment.
>
> i don't think though that the desired response code for a
> permission denied on
> the repository level is a 401 even for "anonymous", but i think it  
> should
> be a 403 error code instead. thoughts?
>
> regards,
> david

--
Lars Trieloff
lars@trieloff.net
http://weblogs.goshaky.com/weblogs/lars


Re: Allowing anonymous access per default?

Posted by David Nuescheler <da...@day.com>.
hi all,

here my +1 for anonymous access by default.

also prompting the user with a 401 for something that he does not
have read access for is not an option, since in jcr if you are able to read
content there is no way to tell that something exists.

>  > But still, the desired behavior is to ask the user for authentication if
>  > he is not authenticated and write permission is denied.
> Your problem has nothing to do with the fact that we allow anonymous
>  access per default now.
>  Before that you could login as anonymous and would face the same problems.
>  This is rather a problem of the post servlet and the permission checking
>  there. Could you please open an issue?

i agree with carsten's assessment.

i don't think though that the desired response code for a permission denied on
the repository level is a 401 even for "anonymous", but i think it should
be a 403 error code instead. thoughts?

regards,
david

Re: Allowing anonymous access per default?

Posted by Lars Trieloff <la...@trieloff.net>.
I will open an issue.

Can you tell me how I set the auth.annonymous parameter that has been  
defined in SlingAuthenticator?

This can fix my issue in the meantime?

thank you,

Lars

On 28.02.2008, at 14:34, Carsten Ziegeler wrote:

> Lars Trieloff wrote:
>> Hi,
>> this behavior as currently implemented breaks microjax in web  
>> browsers. If you are posting to an URI in order to change  
>> properties, the current implementation returns with an error 500,  
>> because anonymous is not allowed to change properties. The correct  
>> error message would be 401 (forbidden).
>> But still, the desired behavior is to ask the user for  
>> authentication if he is not authenticated and write permission is  
>> denied.
> Your problem has nothing to do with the fact that we allow anonymous  
> access per default now.
> Before that you could login as anonymous and would face the same  
> problems.
>
> This is rather a problem of the post servlet and the permission  
> checking there. Could you please open an issue?
>
> Thanks
> Carsten
>
>
> -- 
> Carsten Ziegeler
> cziegeler@apache.org

--
Lars Trieloff
lars@trieloff.net
http://weblogs.goshaky.com/weblogs/lars


Re: Allowing anonymous access per default?

Posted by Felix Meschberger <fm...@gmail.com>.
Hi,

On Thursday, 28.02.2008, 14:34 +0100, Carsten Ziegeler wrote:
> Lars Trieloff wrote:
> > Hi,
> > 
> > this behavior as currently implemented breaks microjax in web browsers. 
> > If you are posting to an URI in order to change properties, the current 
> > implementation returns with an error 500, because anonymous is not 
> > allowed to change properties. The correct error message would be 401 
> > (forbidden).
> > 
> > But still, the desired behavior is to ask the user for authentication if 
> > he is not authenticated and write permission is denied.
> > 
> Your problem has nothing to do with the fact that we allow anonymous 
> access per default now.
> Before that you could login as anonymous and would face the same problems.
> 
> This is rather a problem of the post servlet and the permission checking 
> there. Could you please open an issue?

This is correct because the UjaxPostServlet catches "Exception" and thus
also grocks the AccessControlException preventing Sling from sending
back the correct 401 response.

Regards
Felix
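
The behaviour Felix and Lars describe in this thread, as an added example that is not part of any post and is not Sling's own code: a handler that catches `Exception` turns an access-control failure into a 500, while one that lets it propagate allows an authentication layer to answer 401 to an anonymous caller and 403 to an identified one. All class and method names are hypothetical stand-ins, and anonymous is modelled as a null user.

```java
// Added illustration; every name here is hypothetical, not Sling or JCR API.
public class AccessDeniedStatusDemo {

    // Stand-in for the repository's access-control failure.
    static class AccessDeniedException extends RuntimeException {
        AccessDeniedException(String message) { super(message); }
    }

    // Toy repository: only "alice" may write. A null user means anonymous.
    static void repositoryWrite(String user) {
        if (!"alice".equals(user)) {
            throw new AccessDeniedException(
                    (user == null ? "anonymous" : user) + " may not write");
        }
    }

    // Catch-all handler: the access failure is indistinguishable from a
    // server fault, so every denied write becomes a 500.
    static int postCatchAll(String user) {
        try {
            repositoryWrite(user);
            return 200;
        } catch (Exception e) {
            return 500;
        }
    }

    // Handler that lets the access failure propagate and maps only
    // unexpected errors to 500.
    static int postPropagating(String user) {
        try {
            repositoryWrite(user);
            return 200;
        } catch (AccessDeniedException e) {
            throw e;
        } catch (Exception e) {
            return 500;
        }
    }

    // Authentication layer wrapped around the handler: an anonymous caller
    // is challenged with 401 (a real response would also carry a
    // WWW-Authenticate header); an identified caller gets 403.
    static int authLayer(String user) {
        try {
            return postPropagating(user);
        } catch (AccessDeniedException e) {
            return user == null ? 401 : 403;
        }
    }

    public static void main(String[] args) {
        // Constructed sample callers: anonymous, a user without write
        // access, and a user with write access.
        for (String user : new String[] {null, "bob", "alice"}) {
            System.out.printf("%-9s catch-all=%d propagating=%d%n",
                    user == null ? "anonymous" : user,
                    postCatchAll(user), authLayer(user));
        }
    }
}
```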


Re: Allowing anonymous access per default?

Posted by Carsten Ziegeler <cz...@apache.org>.
Lars Trieloff wrote:
> Hi,
> 
> this behavior as currently implemented breaks microjax in web browsers. 
> If you are posting to an URI in order to change properties, the current 
> implementation returns with an error 500, because anonymous is not 
> allowed to change properties. The correct error message would be 401 
> (forbidden).
> 
> But still, the desired behavior is to ask the user for authentication if 
> he is not authenticated and write permission is denied.
> 
Your problem has nothing to do with the fact that we allow anonymous 
access per default now.
Before that you could login as anonymous and would face the same problems.

This is rather a problem of the post servlet and the permission checking 
there. Could you please open an issue?

Thanks
Carsten


-- 
Carsten Ziegeler
cziegeler@apache.org

Re: Allowing anonymous access per default?

Posted by Lars Trieloff <la...@trieloff.net>.
Hi,

this behavior as currently implemented breaks microjax in web  
browsers. If you are posting to an URI in order to change properties,  
the current implementation returns with an error 500, because  
anonymous is not allowed to change properties. The correct error  
message would be 401 (forbidden).

But still, the desired behavior is to ask the user for authentication  
if he is not authenticated and write permission is denied.

regards,

Lars


On 22.02.2008, at 10:48, Carsten Ziegeler wrote:

> Hi,
>
> currently the sling authenticator disables anonymous requests per  
> default.
> I think for convenience we should switch the default to allow  
> anonymous requests and rely on the access control of the repository.
>
> If you think of different auth methods like form based authentication,
> you need anon access to specific parts anyway. The other solution  
> would be to register an auth servlet next to the sling servlet just  
> for these kind of things.
>
> WDYT?
> Carsten
> -- 
> Carsten Ziegeler
> cziegeler@apache.org

--
Lars Trieloff
lars@trieloff.net
http://weblogs.goshaky.com/weblogs/lars


Re: Allowing anonymous access per default?

Posted by Bertrand Delacretaz <bd...@apache.org>.
On Fri, Feb 22, 2008 at 10:48 AM, Carsten Ziegeler <cz...@apache.org> wrote:

> ...we should switch the default to allow anonymous
>  requests and rely on the access control of the repository....

+1

-Bertrand