Posted to commits@sling.apache.org by my...@apache.org on 2010/10/04 20:06:41 UTC

svn commit: r1004345 - /sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/impl/SlingAuthenticator.java

Author: mykee
Date: Mon Oct  4 18:06:40 2010
New Revision: 1004345

URL: http://svn.apache.org/viewvc?rev=1004345&view=rev
Log:
SLING-1817 switch HTTP Basic Authentication completely off by default

Modified:
    sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/impl/SlingAuthenticator.java

Modified: sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/impl/SlingAuthenticator.java
URL: http://svn.apache.org/viewvc/sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/impl/SlingAuthenticator.java?rev=1004345&r1=1004344&r2=1004345&view=diff
==============================================================================
--- sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/impl/SlingAuthenticator.java (original)
+++ sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/impl/SlingAuthenticator.java Mon Oct  4 18:06:40 2010
@@ -136,7 +136,7 @@ public class SlingAuthenticator implemen
      */
     private static final String HTTP_AUTH_PREEMPTIVE = "preemptive";
 
-    @Property(value = HTTP_AUTH_PREEMPTIVE, options = {
+    @Property(value = HTTP_AUTH_DISABLED, options = {
         @PropertyOption(name = HTTP_AUTH_ENABLED, value = "Enabled"),
         @PropertyOption(name = HTTP_AUTH_PREEMPTIVE, value = "Enabled (Preemptive)"),
         @PropertyOption(name = HTTP_AUTH_DISABLED, value = "Disabled") })
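
Review bot: the changed `@Property(value = HTTP_AUTH_DISABLED, options = {` line flips the default away from HTTP_AUTH_PREEMPTIVE, yet nothing in this hunk documents the new default, and the log message only cites SLING-1817. Because this is the annotation default, an installation that never set the property explicitly will change behaviour on upgrade. Suggest adding a comment above the annotation stating that HTTP Basic Authentication is off by default and naming the option (HTTP_AUTH_ENABLED or HTTP_AUTH_PREEMPTIVE) to select for clients that still rely on it.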



Re: svn commit: r1004345 - /sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/impl/SlingAuthenticator.java

Posted by Carsten Ziegeler <cz...@apache.org>.
Mike Müller  wrote
> Hi Justin
> 
> You're probably right. The topic came up in [1].
> As for the browsers I would dare to say there are
> more problems than advantages with Basic Auth:
> - Some browsers pass credentials even on parent paths 
> where  credentials should not be sent. 
> - Logout is mostly a problem
> If the client is not a browser it surely looks better.
> I don't know how many apps built on Sling really use 
> Basic Auth but I guess rather few. 
> That's why I would change the default behaviour and
> disable the Basic Auth.
> 
I tend to agree here - I think it's more important to work ootb for
browsers than for some client tools :)

But Justin has touched an important topic: we need to update our docs!

Carsten
-- 
Carsten Ziegeler
cziegeler@apache.org

Re: svn commit: r1004345 - /sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/impl/SlingAuthenticator.java

Posted by Ian Boston <ie...@tfd.co.uk>.
On 5 Oct 2010, at 07:31, Mike Müller wrote:

> Hi Justin
> 
> You're probably right. The topic came up in [1].
> As for the browsers I would dare to say there are
> more problems than advantages with Basic Auth:
> - Some browsers pass credentials even on parent paths 
> where  credentials should not be sent. 
> - Logout is mostly a problem
> If the client is not a browser it surely looks better.
> I don't know how many apps built on Sling really use 
> Basic Auth but I guess rather few. 

Our browser apps don't use basic auth; however, we have about 100 scripts that do, most of our administrative tools written in Perl and Ruby do, and all of our tutorials do.

However, we build our own standalone server so we can patch to enable basic auth during the build, which we are getting quite used to doing now. The only problem is, the more time we spend patching Sling and Jackrabbit from its standard build, the less time we have to contribute back to Sling.


So, I would prefer that basic auth was not disabled.

Ian

> That's why I would change the default behaviour and
> disable the Basic Auth.
> 
> WDYT?
> 
> [1] https://issues.apache.org/jira/browse/SLING-1765
> 
> best regards
> mike
> 
> 
> 
> 
>> -----Original Message-----
>> From: justinedelson@gmail.com [mailto:justinedelson@gmail.com] On
>> Behalf Of Justin Edelson
>> Sent: Tuesday, October 05, 2010 3:33 AM
>> To: dev@sling.apache.org
>> Subject: Re: svn commit: r1004345 -
>> /sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/i
>> mpl/SlingAuthenticator.java
>> 
>> I think we should put this change up for a vote. It is a major
>> backwards compatibility issue and basically means that every tutorial
>> everyone has ever written about how to use Sling with curl will no
>> longer work OOTB, e.g.
>> http://sling.apache.org/site/discover-sling-in-15-minutes.html
>> 
>> Justin
>> 
>> On Mon, Oct 4, 2010 at 2:06 PM,  <my...@apache.org> wrote:
>>> Author: mykee
>>> Date: Mon Oct  4 18:06:40 2010
>>> New Revision: 1004345
>>> 
>>> URL: http://svn.apache.org/viewvc?rev=1004345&view=rev
>>> Log:
>>> SLING-1817 switch HTTP Basic Authentication completely off by default
>>> 
>>> Modified:
>>>    sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/cor
>> e/impl/SlingAuthenticator.java
>>> 
>>> Modified:
>> sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/i
>> mpl/SlingAuthenticator.java
>>> URL:
>> http://svn.apache.org/viewvc/sling/trunk/bundles/auth/core/src/main/java
>> /org/apache/sling/auth/core/impl/SlingAuthenticator.java?rev=1004345&r1=
>> 1004344&r2=1004345&view=diff
>>> 
>> ==========================================================
>> ====================
>>> ---
>> sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/i
>> mpl/SlingAuthenticator.java (original)
>>> +++
>> sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/i
>> mpl/SlingAuthenticator.java Mon Oct  4 18:06:40 2010
>>> @@ -136,7 +136,7 @@ public class SlingAuthenticator implemen
>>>      */
>>>     private static final String HTTP_AUTH_PREEMPTIVE = "preemptive";
>>> 
>>> -    @Property(value = HTTP_AUTH_PREEMPTIVE, options = {
>>> +    @Property(value = HTTP_AUTH_DISABLED, options = {
>>>         @PropertyOption(name = HTTP_AUTH_ENABLED, value = "Enabled"),
>>>         @PropertyOption(name = HTTP_AUTH_PREEMPTIVE, value = "Enabled
>> (Preemptive)"),
>>>         @PropertyOption(name = HTTP_AUTH_DISABLED, value = "Disabled")
>> })
>>> 
>>> 
>>> 


RE: svn commit: r1004345 - /sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/impl/SlingAuthenticator.java

Posted by Mike Müller <mi...@mysign.ch>.
Hi Justin

You're probably right. The topic came up in [1].
As for the browsers I would dare to say there are
more problems than advantages with Basic Auth:
- Some browsers pass credentials even on parent paths 
where  credentials should not be sent. 
- Logout is mostly a problem
If the client is not a browser it surely looks better.
I don't know how many apps built on Sling really use 
Basic Auth but I guess rather few. 
That's why I would change the default behaviour and
disable the Basic Auth.

WDYT?

[1] https://issues.apache.org/jira/browse/SLING-1765

best regards
mike




> -----Original Message-----
> From: justinedelson@gmail.com [mailto:justinedelson@gmail.com] On
> Behalf Of Justin Edelson
> Sent: Tuesday, October 05, 2010 3:33 AM
> To: dev@sling.apache.org
> Subject: Re: svn commit: r1004345 -
> /sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/i
> mpl/SlingAuthenticator.java
> 
> I think we should put this change up for a vote. It is a major
> backwards compatibility issue and basically means that every tutorial
> everyone has ever written about how to use Sling with curl will no
> longer work OOTB, e.g.
> http://sling.apache.org/site/discover-sling-in-15-minutes.html
> 
> Justin
> 
> On Mon, Oct 4, 2010 at 2:06 PM,  <my...@apache.org> wrote:
> > Author: mykee
> > Date: Mon Oct  4 18:06:40 2010
> > New Revision: 1004345
> >
> > URL: http://svn.apache.org/viewvc?rev=1004345&view=rev
> > Log:
> > SLING-1817 switch HTTP Basic Authentication completely off by default
> >
> > Modified:
> >    sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/cor
> e/impl/SlingAuthenticator.java
> >
> > Modified:
> sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/i
> mpl/SlingAuthenticator.java
> > URL:
> http://svn.apache.org/viewvc/sling/trunk/bundles/auth/core/src/main/java
> /org/apache/sling/auth/core/impl/SlingAuthenticator.java?rev=1004345&r1=
> 1004344&r2=1004345&view=diff
> >
> ==========================================================
> ====================
> > ---
> sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/i
> mpl/SlingAuthenticator.java (original)
> > +++
> sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/i
> mpl/SlingAuthenticator.java Mon Oct  4 18:06:40 2010
> > @@ -136,7 +136,7 @@ public class SlingAuthenticator implemen
> >      */
> >     private static final String HTTP_AUTH_PREEMPTIVE = "preemptive";
> >
> > -    @Property(value = HTTP_AUTH_PREEMPTIVE, options = {
> > +    @Property(value = HTTP_AUTH_DISABLED, options = {
> >         @PropertyOption(name = HTTP_AUTH_ENABLED, value = "Enabled"),
> >         @PropertyOption(name = HTTP_AUTH_PREEMPTIVE, value = "Enabled
> (Preemptive)"),
> >         @PropertyOption(name = HTTP_AUTH_DISABLED, value = "Disabled")
> })
> >
> >
> >

Re: svn commit: r1004345 - /sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/impl/SlingAuthenticator.java

Posted by Bertrand Delacretaz <bd...@apache.org>.
On Tue, Oct 5, 2010 at 3:32 AM, Justin Edelson <ju...@justinedelson.com> wrote:
> I think we should put this change up for a vote. It is a major
> backwards compatibility issue and basically means that every tutorial
> everyone has ever written about how to use Sling with curl will no
> longer work OOTB, e.g.
> http://sling.apache.org/site/discover-sling-in-15-minutes.html

Agreed.

I see some discussion in SLING-1765, but that does not paint a clear
picture of the pros/cons for me, I think we need a discussion before
voting on this.

Mike, can you please revert your changes and start the discussion?
Please indicate what your change means for browser and non-browser clients.

-Bertrand

Re: svn commit: r1004345 - /sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/impl/SlingAuthenticator.java

Posted by Justin Edelson <ju...@justinedelson.com>.
I think we should put this change up for a vote. It is a major
backwards compatibility issue and basically means that every tutorial
everyone has ever written about how to use Sling with curl will no
longer work OOTB, e.g.
http://sling.apache.org/site/discover-sling-in-15-minutes.html

Justin

On Mon, Oct 4, 2010 at 2:06 PM,  <my...@apache.org> wrote:
> Author: mykee
> Date: Mon Oct  4 18:06:40 2010
> New Revision: 1004345
>
> URL: http://svn.apache.org/viewvc?rev=1004345&view=rev
> Log:
> SLING-1817 switch HTTP Basic Authentication completely off by default
>
> Modified:
>    sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/impl/SlingAuthenticator.java
>
> Modified: sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/impl/SlingAuthenticator.java
> URL: http://svn.apache.org/viewvc/sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/impl/SlingAuthenticator.java?rev=1004345&r1=1004344&r2=1004345&view=diff
> ==============================================================================
> --- sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/impl/SlingAuthenticator.java (original)
> +++ sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/impl/SlingAuthenticator.java Mon Oct  4 18:06:40 2010
> @@ -136,7 +136,7 @@ public class SlingAuthenticator implemen
>      */
>     private static final String HTTP_AUTH_PREEMPTIVE = "preemptive";
>
> -    @Property(value = HTTP_AUTH_PREEMPTIVE, options = {
> +    @Property(value = HTTP_AUTH_DISABLED, options = {
>         @PropertyOption(name = HTTP_AUTH_ENABLED, value = "Enabled"),
>         @PropertyOption(name = HTTP_AUTH_PREEMPTIVE, value = "Enabled (Preemptive)"),
>         @PropertyOption(name = HTTP_AUTH_DISABLED, value = "Disabled") })
>
>
>