Posted to users@sling.apache.org by Nicola Cisternino <nc...@cointa.it> on 2020/12/02 15:41:42 UTC
Form Authentication for SPA
Hi all.
I am exploring the Sling Form Based AuthenticationHandler
<https://github.com/apache/sling-org-apache-sling-auth-form/blob/master/src/main/java/org/apache/sling/auth/form/impl/FormAuthenticationHandler.java>
to understand how to use it in a SPA login.
Documentation
<https://sling.apache.org/documentation/the-sling-engine/authentication/authentication-authenticationhandler/form-based-authenticationhandler.html>
says to use (for Ajax calls) the *j_validate* parameter to just validate
the credentials.
So the login call would be something like:
curl -v -F 'j_username=admin' -F 'j_password=admin' -F 'j_validate=true' http://localhost:8080/j_security_check
My questions are:
1) Is /j_security_check the correct endpoint for a JavaScript login call?
2) What are the differences using the /system/sling/login endpoint
(servlet)?
3) What are the "LoginServlet
<https://github.com/apache/sling-org-apache-sling-auth-core/blob/master/src/main/java/org/apache/sling/auth/core/impl/LoginServlet.java>"
and "LogoutServlet
<https://github.com/apache/sling-org-apache-sling-auth-core/blob/master/src/main/java/org/apache/sling/auth/core/impl/LogoutServlet.java>"
intended for?
4) Can I map the login request with a custom endpoint (for example:
/ws/login)?
5) What would be the best way to extend the Form Based
AuthenticationHandler functionality making it work with a JSON payload
that returns the token in the response (and send it in an X-Authorization
header)?
Greets.
Nicola.
Re: Form Authentication for SPA
Posted by Robert Munteanu <ro...@apache.org>.
Hi Nicola,
On Wed, 2020-12-02 at 16:41 +0100, Nicola Cisternino wrote:
> Hi all.
>
> I am exploring the Sling Form Based AuthenticationHandler
> <
> https://github.com/apache/sling-org-apache-sling-auth-form/blob/master/src/main/java/org/apache/sling/auth/form/impl/FormAuthenticationHandler.java
> >
> to understand how to use it in a SPA login.
> Documentation
> <
> https://sling.apache.org/documentation/the-sling-engine/authentication/authentication-authenticationhandler/form-based-authenticationhandler.html
> >
> says to use (for Ajax calls) the *j_validate* parameter to just
> validate
> the credentials.
> So the login call would be something like:
>
> curl -v -F 'j_username=admin' -F 'j_password=admin' -F
> 'j_validate=true'
> http://localhost:8080/j_security_check
>
> My questions are:
> 1) Is /j_security_check the correct endpoint for javascript login
> call ?
Yes.
> 2) What are the differences using the /system/sling/login endpoint
> (servlet) ?
The /system/sling/{login,logout} paths are entry points for browsers.
> 3) What are the "LoginServlet
> <
> https://github.com/apache/sling-org-apache-sling-auth-core/blob/master/src/main/java/org/apache/sling/auth/core/impl/LoginServlet.java
> >"
> and "LogoutServlet
> <
> https://github.com/apache/sling-org-apache-sling-auth-core/blob/master/src/main/java/org/apache/sling/auth/core/impl/LogoutServlet.java
> >"
> intended for?
See above.
> 4) Can I map the login request with a custom endpoint (for example:
> /ws/login) ?
You can probably mount the SlingLoginServlet at a different path, but I
think it's simplest to redirect/rewrite from an intermediate HTTP
server, such as Apache HTTPd.
> 5) What would be the best way to extend the Form Based
> AuthenticationHandler functionality making it work with a json
> payload
> that returns the token in the response (and send it in a
> X-Authorization header) ?
I am not sure about that, maybe someone else on the list knows. I guess
you can always try and write your own authentication handler, but I
have not tried that yet.
Hope this helps,
Robert
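
Added example (not part of the thread and not Sling project code): the validate-only login call from the question, written as a SPA would issue it with fetch() instead of curl. It assumes that with j_validate=true the handler answers 200 for valid credentials and 403 with an X-Reason header otherwise; the function names and the injectable fetchImpl parameter are illustrative.

```javascript
// Added example: validate-only login against Sling's form authentication handler.
// Assumption: j_validate=true yields 200 on valid credentials and
// 403 plus an X-Reason header on rejection.

const LOGIN_PATH = '/j_security_check'; // endpoint confirmed in the reply above

// Build the fetch() arguments. Credentials go in the POST body, never in the
// query string, so they stay out of access logs and browser history.
function buildLoginRequest(baseUrl, username, password) {
  const body = new URLSearchParams({
    j_username: username,
    j_password: password,
    j_validate: 'true', // ask the handler to validate only, without redirecting
  });
  return {
    url: new URL(LOGIN_PATH, baseUrl).toString(),
    init: {
      method: 'POST',
      body, // sent as application/x-www-form-urlencoded
      credentials: 'same-origin', // let the browser keep the login cookie
    },
  };
}

// Map the HTTP response to a result the SPA can act on.
function interpretLoginResponse(response) {
  if (response.status === 200) {
    return { authenticated: true, reason: null };
  }
  if (response.status === 403) {
    const reason = response.headers.get('X-Reason') || 'credentials rejected';
    return { authenticated: false, reason };
  }
  // Anything else (redirect, 5xx, proxy error page) is treated as a failure.
  return { authenticated: false, reason: `unexpected status ${response.status}` };
}

// fetchImpl is injectable so the flow can be exercised without a server.
async function login(baseUrl, username, password, fetchImpl = fetch) {
  const { url, init } = buildLoginRequest(baseUrl, username, password);
  return interpretLoginResponse(await fetchImpl(url, init));
}
```

Serve the page and the login endpoint from the same origin over HTTPS so that `credentials: 'same-origin'` applies and the password is not sent in clear text.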