You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@sling.apache.org by "Alexander Klimetschek (JIRA)" <ji...@apache.org> on 2009/09/18 13:09:17 UTC

[jira] Commented: (SLING-1116) FORM Based Authentication

    [ https://issues.apache.org/jira/browse/SLING-1116?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12757111#action_12757111 ] 

Alexander Klimetschek commented on SLING-1116:
----------------------------------------------

I'd rather name it session-based authentication, because it should be clear that it requires an HttpSession to work, which is IMHO not very Sling-ish. It's ok if you (really) want to use it, but people should be warned. Once you start using a session, you are not only preventing scalability, you also make it much harder to "go back" because people quickly see the short-term benefit of coding with a session and will put things into it until you have too much code depending on it.

> FORM Based Authentication
> -------------------------
>
>                 Key: SLING-1116
>                 URL: https://issues.apache.org/jira/browse/SLING-1116
>             Project: Sling
>          Issue Type: New Feature
>          Components: Extensions
>            Reporter: Eric Norman
>         Attachments: org.apache.sling.formauth.zip
>
>
> This is a new bundle that provides an implementation of forms based authentication for sling.
> There are two servlets:
> 1. LoginServlet - bound to /session/login
> 2. LogoutServlet - bound to /session/logout
> The FormAuthenticationHandler will use http basic auth credentials if they are on the request.  If there is no basic auth header, it will use attempt to use cached credentials stored on the server side by the LoginServlet.  
> The login form html is generated by a set of scripts
> 1. login.html.esp     - full login page (includes login_body.html.esp for the form markup)
> 2. login_body.html.esp   - just the login form, which may be useful for drawing the login form for an ajax context
> 3. loginError.html.esp   - full login-error page
> 4. loginError_body.html.esp  - just the login-error form, for login error in ajax context
> The above scripts are included as bundle-resources @ /libs/sling/servlet/default
> The bundle also has a couple of test scripts to show some examples of usage:
> 1. loginTest.html.esp  - shows who is logged in and links to login or logout
> 2. loginTest2.html.esp - shows how a script can check permissions and show a login page if the anonymous user doesn't have permission to see the page,
> Some examples of usage are:
> 1. http://host:port/path/to/node.login.html   - show the login page and then goto http://host:port/path/to/node after  authenticated
> 2. http://host:port/path/to/node.login.html?s=.edit.html   - show the login page and then goto http://host:port/path/to/node.edit.html after  authenticated
> 3. http://host:port/session/logout  - invalidate the session and switch back to anonymous user

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.