Posted to dev@sling.apache.org by Ian Boston <ie...@tfd.co.uk> on 2010/07/02 18:45:35 UTC

Http auth bundle in the list.

Hi

I notice that the extension http auth bundle is still in list.xml, however the Authentication handler does http basic by default if all else fails ?
are both still needed ?

Ian


Re: Http auth bundle in the list.

Posted by Justin Edelson <ju...@gmail.com>.
Theoretically, the httpauth bundle does slightly more than the default
handler in commons.auth. Namely, it can serve a form.

That said (which isn't actually saying much), I'd be +1 on dropping
httpauth. I think formauth has matured so that we should use that as the
default.

If someone wants/needs to add Digest support to the httpauth bundle,
that'd be a different story.

Justin

On 7/2/10 1:43 PM, Ray Davis wrote:
> If the httpauth bundle *is* still needed, then it might need revision,
> as it appears to interpret the "sling:authRequestLogin" request
> parameter in a way that conflicts with other authentication handlers.
> 
> The request parameter "sling:authRequestLogin" is currently documented
> as a way to select which AuthenticationHandler receives a
> requestCredentials call. The OpenID authentication handler uses it in
> this fashion.
> 
> However, httpauth's AuthorizationHeaderAuthenticationHandler uses it in
> another way. If "sling:authRequestLogin" is any non-null value, then its
> extractCredentials method requests basic authentication and returns
> "AuthenticationInfo.DOING_AUTH". Since extractCredentials calls occur
> first, this effectively blocks the requestCredentials logic.
> 
> For example, using a current build of Sling trunk, with my only change
> being to open "/system/sling/openid/login" to anonymous access, I find
> that immediately after I submit the OpenID login form, I receive a basic
> authentication prompt from the browser. Only after I stop the
> org.apache.sling.httpauth bundle can OpenID authentication proceed as
> documented.
> 
> What's the recommendation here?
> 
> Thanks,
> Ray
> 
> On 7/2/10 9:45 AM, Ian Boston wrote:
>> Hi
>>
>> I notice that the extension http auth bundle is still in list.xml,
>> however the Authentication handler does http basic by default if all
>> else fails ?
>> are both still needed ?
>>
>> Ian
>>
>>


Re: Http auth bundle in the list.

Posted by Ray Davis <ra...@media.berkeley.edu>.
If the httpauth bundle *is* still needed, then it might need revision, 
as it appears to interpret the "sling:authRequestLogin" request 
parameter in a way that conflicts with other authentication handlers.

The request parameter "sling:authRequestLogin" is currently documented 
as a way to select which AuthenticationHandler receives a 
requestCredentials call. The OpenID authentication handler uses it in 
this fashion.

However, httpauth's AuthorizationHeaderAuthenticationHandler uses it in 
another way. If "sling:authRequestLogin" is any non-null value, then its 
extractCredentials method requests basic authentication and returns 
"AuthenticationInfo.DOING_AUTH". Since extractCredentials calls occur 
first, this effectively blocks the requestCredentials logic.

For example, using a current build of Sling trunk, with my only change 
being to open "/system/sling/openid/login" to anonymous access, I find 
that immediately after I submit the OpenID login form, I receive a basic 
authentication prompt from the browser. Only after I stop the 
org.apache.sling.httpauth bundle can OpenID authentication proceed as 
documented.

What's the recommendation here?

Thanks,
Ray

On 7/2/10 9:45 AM, Ian Boston wrote:
> Hi
>
> I notice that the extension http auth bundle is still in list.xml, however the Authentication handler does http basic by default if all else fails ?
> are both still needed ?
>
> Ian
>
>
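A simplified model of the two-phase dispatch Ray describes, added here as an illustration and not code from Sling or from anyone in this thread; the handler shape, the parameter value "OpenID" sent by the login form, and the scoped variant of the httpauth handler are assumptions made for the example.

```python
# Constructed model of Sling's handler dispatch as described in the thread:
# every handler's extractCredentials runs first, and requestCredentials is
# only sent to the handler named by the sling:authRequestLogin parameter.
DOING_AUTH = "DOING_AUTH"
PARAM = "sling:authRequestLogin"

class OpenIdHandler:
    name = "OpenID"
    def extractCredentials(self, request):
        return None  # no OpenID assertion present yet in this request
    def requestCredentials(self, request):
        request["response"] = "302 -> OpenID provider"
        return True

class HttpAuthHandler:
    """Behaviour Ray reports: any non-null parameter value triggers Basic auth."""
    name = "HttpAuth"
    def extractCredentials(self, request):
        if request["params"].get(PARAM) is not None:
            request["response"] = "401 WWW-Authenticate: Basic"
            return DOING_AUTH
        return None
    def requestCredentials(self, request):
        request["response"] = "401 WWW-Authenticate: Basic"
        return True

class ScopedHttpAuthHandler(HttpAuthHandler):
    """Assumed fix (not Sling's): only react when the parameter names this handler."""
    def extractCredentials(self, request):
        if request["params"].get(PARAM) == self.name:
            request["response"] = "401 WWW-Authenticate: Basic"
            return DOING_AUTH
        return None

def authenticate(handlers, request):
    """Phase 1: extractCredentials on each handler; DOING_AUTH ends the request.
    Phase 2: only the handler selected by the parameter gets requestCredentials."""
    for h in handlers:
        result = h.extractCredentials(request)
        if result == DOING_AUTH:
            return h.name, request["response"]
        if result is not None:
            return h.name, "authenticated"
    wanted = request["params"].get(PARAM)
    for h in handlers:
        if h.name == wanted and h.requestCredentials(request):
            return h.name, request["response"]
    return None, "anonymous"

def openid_login(handlers):
    """Constructed request: the OpenID login form posts sling:authRequestLogin=OpenID."""
    return authenticate(handlers, {"params": {PARAM: "OpenID"}, "response": None})
```

With the unscoped handler installed the OpenID form submission ends in a Basic prompt, exactly the symptom Ray observed; with the scoped variant the OpenID handler receives the requestCredentials call as documented.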