Posted to dev@sling.apache.org by Ian Boston <ie...@tfd.co.uk> on 2010/07/02 18:45:35 UTC
Http auth bundle in the list.
Hi
I notice that the extension http auth bundle is still in list.xml, however the Authentication handler does http basic by default if all else fails?
Are both still needed?
Ian
Re: Http auth bundle in the list.
Posted by Justin Edelson <ju...@gmail.com>.
Theoretically, the httpauth bundle does slightly more than the default
handler in commons.auth. Namely, it can serve a form.

That said (which isn't actually saying much), I'd be +1 on dropping
httpauth. I think formauth has matured so that we should use that as the
default.

If someone wants/needs to add Digest support to the httpauth bundle,
that'd be a different story.

Justin

On 7/2/10 1:43 PM, Ray Davis wrote:
> If the httpauth bundle *is* still needed, then it might need revision,
> as it appears to interpret the "sling:authRequestLogin" request
> parameter in a way that conflicts with other authentication handlers.
>
> The request parameter "sling:authRequestLogin" is currently documented
> as a way to select which AuthenticationHandler receives a
> requestCredentials call. The OpenID authentication handler uses it in
> this fashion.
>
> However, httpauth's AuthorizationHeaderAuthenticationHandler uses it in
> another way. If "sling:authRequestLogin" is any non-null value, then its
> extractCredentials method requests basic authentication and returns
> "AuthenticationInfo.DOING_AUTH". Since extractCredentials calls occur
> first, this effectively blocks the requestCredentials logic.
>
> For example, using a current build of Sling trunk, with my only change
> being to open "/system/sling/openid/login" to anonymous access, I find
> that immediately after I submit the OpenID login form, I receive a basic
> authentication prompt from the browser. Only after I stop the
> org.apache.sling.httpauth bundle can OpenID authentication proceed as
> documented.
>
> What's the recommendation here?
>
> Thanks,
> Ray
>
> On 7/2/10 9:45 AM, Ian Boston wrote:
>> Hi
>>
>> I notice that the extension http auth bundle is still in list.xml,
>> however the Authentication handler does http basic by default if all
>> else fails?
>> Are both still needed?
>>
>> Ian
>>
>>
Re: Http auth bundle in the list.
Posted by Ray Davis <ra...@media.berkeley.edu>.
If the httpauth bundle *is* still needed, then it might need revision,
as it appears to interpret the "sling:authRequestLogin" request
parameter in a way that conflicts with other authentication handlers.

The request parameter "sling:authRequestLogin" is currently documented
as a way to select which AuthenticationHandler receives a
requestCredentials call. The OpenID authentication handler uses it in
this fashion.

However, httpauth's AuthorizationHeaderAuthenticationHandler uses it in
another way. If "sling:authRequestLogin" is any non-null value, then its
extractCredentials method requests basic authentication and returns
"AuthenticationInfo.DOING_AUTH". Since extractCredentials calls occur
first, this effectively blocks the requestCredentials logic.

For example, using a current build of Sling trunk, with my only change
being to open "/system/sling/openid/login" to anonymous access, I find
that immediately after I submit the OpenID login form, I receive a basic
authentication prompt from the browser. Only after I stop the
org.apache.sling.httpauth bundle can OpenID authentication proceed as
documented.

What's the recommendation here?

Thanks,
Ray

On 7/2/10 9:45 AM, Ian Boston wrote:
> Hi
>
> I notice that the extension http auth bundle is still in list.xml, however the Authentication handler does http basic by default if all else fails?
> Are both still needed?
>
> Ian
>
>
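
The handler conflict Ray Davis reports above, as an added example that is not part of the original thread and not Sling's code: a simplified Python model of the two-phase dispatch (all extractCredentials calls, then requestCredentials). The class names, the selector values "OpenID" and "BASIC", and the `strict` option (one possible revision, where the basic handler honours the parameter only when it names that handler) are assumptions made for illustration.

```python
# Simplified model of the two-phase dispatch described in the thread.
# All names are hypothetical stand-ins, not Sling's classes.
DOING_AUTH = object()                 # stands in for AuthenticationInfo.DOING_AUTH
REQUEST_LOGIN = "sling:authRequestLogin"

class OpenIdHandler:
    name = "OpenID"                   # constructed selector value
    def extract_credentials(self, params, log):
        return None                   # no OpenID credentials on this request yet
    def request_credentials(self, params, log):
        if params.get(REQUEST_LOGIN) != self.name:
            return False
        log.append("openid: redirect to provider")
        return True

class BasicHandler:
    name = "BASIC"                    # constructed selector value
    def __init__(self, strict):
        self.strict = strict
    def _selected(self, params):
        value = params.get(REQUEST_LOGIN)
        # strict: honour the parameter only when it names this handler;
        # otherwise any non-null value counts, as reported in the thread.
        return value == self.name if self.strict else value is not None
    def extract_credentials(self, params, log):
        if self._selected(params):
            log.append("basic: 401 challenge")
            return DOING_AUTH
        return None
    def request_credentials(self, params, log):
        return False                  # fallback challenge not modelled here

def authenticate(handlers, params):
    log = []
    for h in handlers:                # phase 1: every extractCredentials runs first
        if h.extract_credentials(params, log) is DOING_AUTH:
            return log                # response already sent; phase 2 never runs
    for h in handlers:                # phase 2: requestCredentials
        if h.request_credentials(params, log):
            return log
    log.append("no handler requested credentials")
    return log

def run(strict, value=None):
    params = {} if value is None else {REQUEST_LOGIN: value}
    return authenticate([OpenIdHandler(), BasicHandler(strict)], params)
```

`run(False, "OpenID")` reproduces the reported basic-auth prompt, while `run(True, "OpenID")` lets the selected handler's requestCredentials run.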