Posted to dev@sling.apache.org by "Marvin Phelps (JIRA)" <ji...@apache.org> on 2008/08/13 03:13:44 UTC

[jira] Created: (SLING-608) Provide Authentication Control

Provide Authentication Control
------------------------------

                 Key: SLING-608
                 URL: https://issues.apache.org/jira/browse/SLING-608
             Project: Sling
          Issue Type: Improvement
          Components: Documentation, JCR, Launchpad
    Affects Versions: Launchpad Webapp 3
            Reporter: Marvin Phelps


Sling sits atop a content repository - so there should be better examples of how to post versions and list versions. (mix:versionable). I managed to find out how to do this using the Day notes application. Secondly, it's now apparent to me that the LaunchPad webapp is using Jackrabbit's SimpleLoginModule and by default it allows access for every user: even http://doodoo:poopoo@localhost:8888/ Sling needs to have some authentication strategy built-in. With this stuff provided in Launchpad, Sling would be more usable out of the box.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


[jira] Commented: (SLING-608) Provide Authentication Control

Posted by "Rory Douglas (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/SLING-608?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12622098#action_12622098 ] 

Rory Douglas commented on SLING-608:
------------------------------------

One way of improving the authentication aspect is to enable Jetty JAAS by adding the jetty-plus dependency, then configuring a <userRealm> in the launchpad/webapp pom.xml (in the configuration section of the maven-jetty-plugin).  You'll need to set up the usual J2EE security constraints in web.xml as well (possibly protecting the whole app).  The missing piece would be (I think) an implementation of AuthenticationHandler that just calls request.getRemoteUser(). I've gotten the first part of this to work using the basic PropertyFileLoginModule that comes with Jetty, though an LDAP or JDBC-based one would be more useful.


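The "usual J2EE security constraints" from the comment above, applied to the whole webapp, as an added example that is not part of the original thread or Sling's own web.xml. The role name sling-user and realm name sling-realm are assumed placeholders.

```xml
<!-- Added example: fragment for WEB-INF/web.xml, placed inside <web-app>.
     "sling-user" and "sling-realm" are assumed names, not Sling defaults. -->

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Whole application</web-resource-name>
    <!-- /* covers every path. With no <http-method> elements listed,
         the constraint applies to all HTTP methods, so POST, PUT and
         DELETE are covered as well as GET. -->
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <!-- Only authenticated users holding this role get through.
         An <auth-constraint> with no role at all denies everyone. -->
    <role-name>sling-user</role-name>
  </auth-constraint>
</security-constraint>

<login-config>
  <!-- BASIC sends the password base64-encoded, not encrypted, on every
       request; add a <user-data-constraint> with
       <transport-guarantee>CONFIDENTIAL</transport-guarantee> to the
       constraint above when the container has an SSL connector. -->
  <auth-method>BASIC</auth-method>
  <!-- Must equal the name given to the <userRealm> in the
       maven-jetty-plugin configuration, otherwise the container
       cannot match the login to that realm. -->
  <realm-name>sling-realm</realm-name>
</login-config>

<security-role>
  <!-- Every role referenced in an <auth-constraint> is declared here. -->
  <role-name>sling-user</role-name>
</security-role>
```

With this in place the container rejects unauthenticated requests before they reach Sling, and request.getRemoteUser() returns the authenticated user name for an AuthenticationHandler to pick up.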

[jira] Commented: (SLING-608) Provide Authentication Control

Posted by "Felix Meschberger (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/SLING-608?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12622108#action_12622108 ] 

Felix Meschberger commented on SLING-608:
-----------------------------------------

@Marvin:

You are right. We don't have much with respect to version support yet in our samples (and test cases). Michael's notes application is currently pending inclusion in Sling as a sample.

Regarding authentication: AFAIK Jackrabbit comes with no built-in user management out of the box (though there is an LDAP authentication handler and also support for JAAS IIRC). So we took the simple way in Sling to just include Jackrabbit out of the box with a default configuration. There should probably be better documentation on how to change this behaviour to use real user management.

Sling itself has an authentication strategy in that it has an authenticator which calls into AuthenticationHandlers to extract the user details from the request (support for HTTP BASIC authentication comes with Sling) and which then logs into the repository. All in all, the authentication strategy is to use the repository for authentication - provided the repository does something real here.

@Rory

Using the web server platform for user authentication would probably be the cause for a Sling AuthenticationHandler implementation. In this case the repository would have to be set up for JAAS authentication to be able to pick up the Credentials prepared by Sling's JAAS AuthenticationHandler.
