Posted to users@sling.apache.org by Nicola Cisternino <nc...@cointa.it> on 2020/12/02 15:41:42 UTC

Form Authentication for SPA

Hi all.

I am exploring the Sling Form Based AuthenticationHandler 
<https://github.com/apache/sling-org-apache-sling-auth-form/blob/master/src/main/java/org/apache/sling/auth/form/impl/FormAuthenticationHandler.java> 
to understand how to use it in a SPA login.
The documentation 
<https://sling.apache.org/documentation/the-sling-engine/authentication/authentication-authenticationhandler/form-based-authenticationhandler.html> 
says to use (for Ajax calls) the *j_validate* parameter to just validate 
the credentials.
So the login call would be something like:

curl -v -F 'j_username=admin' -F 'j_password=admin' -F 'j_validate=true' 
http://localhost:8080/j_security_check

My questions are:
1) Is /j_security_check the correct endpoint for the javascript login call?
2) What are the differences when using the /system/sling/login endpoint 
(servlet)?
3) What are the "LoginServlet 
<https://github.com/apache/sling-org-apache-sling-auth-core/blob/master/src/main/java/org/apache/sling/auth/core/impl/LoginServlet.java>" 
and "LogoutServlet 
<https://github.com/apache/sling-org-apache-sling-auth-core/blob/master/src/main/java/org/apache/sling/auth/core/impl/LogoutServlet.java>" 
intended for?
4) Can I map the login request to a custom endpoint (for example: 
/ws/login)?
5) What would be the best way to extend the Form Based 
AuthenticationHandler functionality, making it work with a json payload 
that returns the token in the response (and sends it in an X-Authorization 
header)?

Greets.
Nicola.

Re: Form Authentication for SPA

Posted by Robert Munteanu <ro...@apache.org>.
Hi Nicola,

On Wed, 2020-12-02 at 16:41 +0100, Nicola Cisternino wrote:
> Hi all.
> 
> I am exploring the Sling Form Based AuthenticationHandler 
> <https://github.com/apache/sling-org-apache-sling-auth-form/blob/master/src/main/java/org/apache/sling/auth/form/impl/FormAuthenticationHandler.java> 
> to understand how to use it in a SPA login.
> The documentation 
> <https://sling.apache.org/documentation/the-sling-engine/authentication/authentication-authenticationhandler/form-based-authenticationhandler.html> 
> says to use (for Ajax calls) the *j_validate* parameter to just
> validate the credentials.
> So the login call would be something like:
> 
> curl -v -F 'j_username=admin' -F 'j_password=admin' -F 'j_validate=true' 
> http://localhost:8080/j_security_check
> 
> My questions are:
> 1) Is /j_security_check the correct endpoint for the javascript login
> call?

Yes.

> 2) What are the differences when using the /system/sling/login endpoint 
> (servlet)?

The /system/sling/{login,logout} paths are entry points for browsers.

> 3) What are the "LoginServlet 
> <https://github.com/apache/sling-org-apache-sling-auth-core/blob/master/src/main/java/org/apache/sling/auth/core/impl/LoginServlet.java>" 
> and "LogoutServlet 
> <https://github.com/apache/sling-org-apache-sling-auth-core/blob/master/src/main/java/org/apache/sling/auth/core/impl/LogoutServlet.java>" 
> intended for?

See above.

> 4) Can I map the login request to a custom endpoint (for example: 
> /ws/login)?

You can probably mount the SlingLoginServlet at a different path, but I
think it's simplest to redirect/rewrite from an intermediate HTTP
server, such as Apache HTTPd.

> 5) What would be the best way to extend the Form Based 
> AuthenticationHandler functionality, making it work with a json
> payload that returns the token in the response (and sends it in an
> X-Authorization header)?

I am not sure about that, maybe someone else on the list knows. I guess
you can always try and write your own authentication handler, but I
have not tried that yet.

Hope this helps,
Robert
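As an added example (not code from the thread or from the Sling project), here is the j_validate login call from question 1 written the way a SPA would issue it with fetch instead of curl. It assumes, as the form handler documentation describes, that a valid login answers 200 and sets the session cookie, and that an invalid one answers 403; the X-Reason header read on failure is an assumption to verify against your Sling version.

```javascript
// Added example: SPA login against Sling's form-based authentication
// handler using the j_validate flow discussed in the thread.
// Assumptions: 200 on valid credentials (cookie set by the handler),
// 403 on invalid ones; the X-Reason header is assumed, not verified.

const LOGIN_PATH = '/j_security_check';

// Form-encoded body expected by the FormAuthenticationHandler.
// j_validate=true asks it to validate only, without redirecting
// to a resource afterwards.
function buildLoginBody(username, password) {
  const params = new URLSearchParams();
  params.set('j_username', username);
  params.set('j_password', password);
  params.set('j_validate', 'true');
  return params;
}

// Map the handler's HTTP answer to a result the SPA can act on.
// getHeader is a function so the caller decides where headers come from.
function interpretLoginResponse(status, getHeader) {
  if (status === 200) {
    return { ok: true, reason: null };
  }
  if (status === 403) {
    // Assumed header; fall back to a generic message if it is absent.
    return { ok: false, reason: getHeader('X-Reason') || 'invalid credentials' };
  }
  return { ok: false, reason: `unexpected status ${status}` };
}

// fetchImpl is injected so the flow can run in a browser (window.fetch)
// or be exercised offline with a stub; baseUrl is e.g. 'http://localhost:8080'.
async function loginToSling(fetchImpl, baseUrl, username, password) {
  const response = await fetchImpl(baseUrl + LOGIN_PATH, {
    method: 'POST',
    body: buildLoginBody(username, password),
    // Same-origin credentials let the browser keep the cookie the
    // handler sets, which later requests need to stay authenticated.
    credentials: 'same-origin',
    headers: { Accept: 'application/json' },
  });
  return interpretLoginResponse(response.status, (name) => response.headers.get(name));
}
```

In the browser, call `loginToSling(window.fetch.bind(window), '', user, pass)` from the login form handler and keep the password out of any log or URL.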