Posted to commits@sling.apache.org by bu...@apache.org on 2013/04/29 03:14:59 UTC
svn commit: r860247 - in /websites/staging/sling/trunk/content: ./
documentation/the-sling-engine/authentication/authentication-authenticationhandler/form-based-authenticationhandler.html
site/.htaccess
Author: buildbot
Date: Mon Apr 29 01:14:58 2013
New Revision: 860247
Log:
Staging update by buildbot for sling
Modified:
websites/staging/sling/trunk/content/ (props changed)
websites/staging/sling/trunk/content/documentation/the-sling-engine/authentication/authentication-authenticationhandler/form-based-authenticationhandler.html
websites/staging/sling/trunk/content/site/.htaccess
Propchange: websites/staging/sling/trunk/content/
------------------------------------------------------------------------------
--- cms:source-revision (original)
+++ cms:source-revision Mon Apr 29 01:14:58 2013
@@ -1 +1 @@
-1476874
+1476875
Modified: websites/staging/sling/trunk/content/documentation/the-sling-engine/authentication/authentication-authenticationhandler/form-based-authenticationhandler.html
==============================================================================
--- websites/staging/sling/trunk/content/documentation/the-sling-engine/authentication/authentication-authenticationhandler/form-based-authenticationhandler.html (original)
+++ websites/staging/sling/trunk/content/documentation/the-sling-engine/authentication/authentication-authenticationhandler/form-based-authenticationhandler.html Mon Apr 29 01:14:58 2013
@@ -99,7 +99,7 @@
<p>The Form Based AuthenticationHandler has two authentication phases: The first phase is presenting a login form to the user and passing the entered user name and password to the server. The second phase is storing successful authentication in a Cookie or an HTTP Session.</p>
<p>The implementation of the Form Based Authentication Handler follows the guidelines of the Servlet API 2.4 specification for <em>Form Based Authentication</em> in section SRV.12.5.3. Specifically the following requirements are implemented:</p>
<ul>
-<li>For the initial form submission, the request URL must end with <code>/j*security*check</code> and the user name and password names must be <code>j*username</code> and <code>j*password</code>, resp.</li>
+<li>For the initial form submission, the request URL must end with <code>/j_security_check</code> and the user name and password names must be <code>j_username</code> and <code>j_password</code>, resp.</li>
<li>The authentication type as returned by <code>HttpServletRequest.getAuthType()</code> is set to <code>HttpServletRequest.FORM_AUTH</code>.</li>
</ul>
<p>The Form Based Authentication Handler is maintained in the <a href="http://svn.apache.org/repos/asf/sling/trunk/bundles/auth/form">Sling SVN</a></p>
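Review bot: the replacement line correctly restores the underscores in `j_security_check`, `j_username` and `j_password` that the earlier render had turned into `*` (the `_..._` pattern was being read as emphasis by the Markdown processor); the same `j*...*` corruption recurs in the later hunks of this file, so a single pass over the source page for remaining `j*` occurrences would be worth confirming. While the line is being rewritten, "resp." could be spelled out as "respectively", and the trailing context line "The Form Based Authentication Handler is maintained in the Sling SVN" is missing its closing period.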
@@ -115,11 +115,11 @@
<li><code>authenticationSucceeded</code> -- Set (or update) the Cookie or HTTP Session attribute</li>
</ul>
<h3 id="phase-1-form-submission">Phase 1: Form Submission</h3>
-<p>The login form submitted in phase 1 to validate the user name and password must be provided in an HTTP <code>POST</code> request to an URL whose last segment is <code>j*security*check</code>. The request is ignored as a form submission if either the method is not <code>POST</code> or the last segment is no <code>j*security*check</code>.</p>
+<p>The login form submitted in phase 1 to validate the user name and password must be provided in an HTTP <code>POST</code> request to an URL whose last segment is <code>j_security_check</code>. The request is ignored as a form submission if either the method is not <code>POST</code> or the last segment is no <code>j_security_check</code>.</p>
<p>The form is rendered by redirecting the client to the URL indicated by the <code>form.login.form</code> configuration parameter. This redirection request may accompanyied by the following parameters:</p>
<ul>
<li><code>resource</code> -- The resource to which the user should be redirected after successful login. This request parameter should be submitted back to the server as the <code>resource</code> parameter.</li>
-<li><code>j*reason</code> -- This parameter indicates the reason for rendering the login form. If this parameter is set, it is set to <code>INVALID*CREDENTIALS</code> indicating a previous form submission presented invalid username and password or <code>TIMEOUT</code> indicating a login session has timed out. The login form servlet/script can present the user with an appropriate message.</li>
+<li><code>j_reason</code> -- This parameter indicates the reason for rendering the login form. If this parameter is set, it is set to <code>INVALID_CREDENTIALS</code> indicating a previous form submission presented invalid username and password or <code>TIMEOUT</code> indicating a login session has timed out. The login form servlet/script can present the user with an appropriate message.</li>
</ul>
<p>The Form Based Authentication Handlers supports the following request parameters submitted by the HTML form:</p>
<ul>
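Review bot: the replacement line at the top of the hunk still reads "to an URL" and "the last segment is no `j_security_check`"; since the line is being rewritten anyway, "to a URL" and "the last segment is not `j_security_check`" would fix both in the same change. The unchanged context lines below it also carry "This redirection request may accompanyied by" (should be "may be accompanied by") and "The Form Based Authentication Handlers supports" (should be "Handler supports").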
@@ -129,7 +129,7 @@
<li><code>resource</code> -- The location to go to on successful login</li>
<li><code>sling.auth.redirect</code> -- The location to redirect to on successful login</li>
</ul>
-<p>The <code>j*username</code> and <code>j*password</code> parameters are used to create a JCR <code>SimpleCredentials</code> object to log into the JCR Repository.</p>
+<p>The <code>j_username</code> and <code>j_password</code> parameters are used to create a JCR <code>SimpleCredentials</code> object to log into the JCR Repository.</p>
<p>The <code>j_validate</code> parameter may be used to implement login form submission using AJAX. If this parameter is set to <code>true</code> (case-insensitive) the credentials are used to login and after success or failure to return a status code:</p>
<table>
<thead>
@@ -169,7 +169,7 @@
</tbody>
</table>
<p>The <code>resource</code> and <code>sling.auth.redirect</code> parameters provide similar functionality but with differing historical backgrounds. The <code>resource</code> parameter is based on the <code>resource</code> request attribute which is set by the login servlet to indicate the original target resource the client desired when it was forced to authenticate. The <code>sling.auth.redirect</code> parameter can be used by clients (applications like cURL or plain HTML forms) to request being redirected after successful login. If both parameters are set, the <code>sling.auth.redirect</code> parameter takes precedence.</p>
-<p>The Form Based Authentication Handler contains a <a href="http://svn.apache.org/repos/asf/sling/trunk/bundles/auth/form/src/main/java/org/apache/sling/auth/form/impl/AuthenticationFormServlet.java">default form servlet</a> and [HTML form template from|http://svn.apache.org/repos/asf/sling/trunk/bundles/auth/form/src/main/resources/org/apache/sling/auth/form/impl/login.html].</p>
+<p>The Form Based Authentication Handler contains a <a href="http://svn.apache.org/repos/asf/sling/trunk/bundles/auth/form/src/main/java/org/apache/sling/auth/form/impl/AuthenticationFormServlet.java">default form servlet</a> and <a href="http://svn.apache.org/repos/asf/sling/trunk/bundles/auth/form/src/main/resources/org/apache/sling/auth/form/impl/login.html">HTML form template</a>.</p>
<h3 id="phase-2-authenticated-requests">Phase 2: Authenticated Requests</h3>
<p>After the successful authentication of the user in phase 1, the authentication state is stored in a Cookie or an HTTP Session. The stored value is a security token with the following contents:</p>
<div class="codehilite"><pre><span class="n">HmacSHA1</span><span class="p">(</span><span class="n">securetoken</span><span class="p">,</span> <span class="sr"><securetokennumber><expirytime></span><span class="nv">@</span><span class="err"><</span><span class="nv">userID</span><span class="o">></span><span class="p">)</span><span class="nv">@</span><span class="err"><</span><span class="nv">securetokennumber</span><span class="o">></span><span class="sr"><expirytime></span><span class="nv">@</span><span class="err"><</span><span class="nv">userID</span><span class="o">></span>
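Review bot: the link repair is correct (the `[HTML form template from|...]` wiki-syntax remnant becomes a proper `<a href>`), but two readability problems in the surrounding context are left as they were: "the credentials are used to login and after success or failure to return a status code" reads better as "the credentials are used to log in and, after success or failure, a status code is returned", and the `codehilite` block describing the security token `HmacSHA1(securetoken, <securetokennumber><expirytime>@<userID>)@<securetokennumber><expirytime>@<userID>` is rendered as a tangle of `<span class="err">` elements because the angle-bracket placeholders were not escaped before highlighting. Escaping the brackets or placing that line in a plain `<pre>` would make the token layout, which is the one security-relevant detail on this page, legible to readers.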
@@ -247,7 +247,7 @@
</ol>
<p>To prevent eavesdroppers from sniffing the credentials or stealing the Cookie a secure transport layer should be used such as TLS/SSL, VPN or IPSec.</p>
<div class="timestamp" style="margin-top: 30px; font-size: 80%; text-align: right;">
- Rev. 1475804 by dklco on Thu, 25 Apr 2013 14:45:50 +0000
+ Rev. 1476875 by dklco on Mon, 29 Apr 2013 01:14:52 +0000
</div>
<div class="trademarkFooter">
Apache Sling, Sling, Apache, the Apache feather logo, and the Apache Sling project
Modified: websites/staging/sling/trunk/content/site/.htaccess
==============================================================================
--- websites/staging/sling/trunk/content/site/.htaccess (original)
+++ websites/staging/sling/trunk/content/site/.htaccess Mon Apr 29 01:14:58 2013
@@ -21,3 +21,4 @@ Redirect Permanent /site/adapters.html /
Redirect Permanent /site/apache-sling-commons-thread-pool.html /documentation/bundles/apache-sling-commons-thread-pool.html
Redirect Permanent /site/apache-sling-community-roles-and-processes.html /project-information/apache-sling-community-roles-and-processes.html
Redirect Permanent /site/authentication-actors.html /documentation/the-sling-engine/authentication/authentication-actors.html
+Redirect Permanent /site/form-based-authenticationhandler.html /documentation/the-sling-engine/authentication/authentication-authenticationhandler/form-based-authenticationhandler.html
\ No newline at end of file
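Review bot: the new `Redirect Permanent` line is added without a trailing newline (`\ No newline at end of file`); appending one keeps the next addition to `.htaccess` from producing a spurious diff on this line. The redirect target matches the path of the page modified above, so the mapping itself is consistent.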