Posted to dev@jackrabbit.apache.org by "Jukka Zitting (Created) (JIRA)" <ji...@apache.org> on 2012/01/26 19:04:38 UTC

[jira] [Created] (JCR-3222) Allow servlet filters to specify custom session providers

Allow servlet filters to specify custom session providers
---------------------------------------------------------

                 Key: JCR-3222
                 URL: https://issues.apache.org/jira/browse/JCR-3222
             Project: Jackrabbit Content Repository
          Issue Type: Improvement
          Components: jackrabbit-jcr-server
            Reporter: Jukka Zitting
            Priority: Minor


In order to integrate the Jackrabbit davex server functionality with their custom authentication logic, the Sling project currently needs to embed and subclass the davex servlet classes. It would be cleaner if such tight coupling wasn't needed.

One way to achieve something like that would be to allow external components to provide a custom SessionProvider instance as an extra request attribute. This way for example a servlet filter that implements such custom authentication logic could easily make its functionality available to the standard davex servlet in Jackrabbit.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

[jira] [Commented] (JCR-3222) Allow servlet filters to specify custom session providers

Posted by "Felix Meschberger (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/JCR-3222?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13194699#comment-13194699 ] 

Felix Meschberger commented on JCR-3222:
----------------------------------------

> That's what the HttpContext.handleSecurity() method does, right? It needs to be able to take over the entire processing of a request.

No, this is called by the Http Service before calling the servlet. The handleSecurity method either returns true in which case the servlet is called or false in which case the request is terminated and the servlet is not called.

The handleSecurity method must set up to three request attributes which are used to implement HttpServletRequest methods (getRemoteUser, getAuthType, getUserPrincipal). In addition the Sling implementation could provide the ResourceResolver (what we do in the Sling DavEx bundle).

The handleSecurity method could of course set the SessionProvider, too. But I don't like this -- special case handling affecting all but used by one only.

In addition: unless you will be implementing a special proxy SessionProvider looking for the actual provider on each request, the getSessionProvider() method is AFAICT only called once no matter how many different SessionProviders are found in the request attributes... The SessionProvider is not something request specific but something setup specific. Hence a service and not request attribute.
                

[jira] [Commented] (JCR-3222) Allow servlet filters to specify custom session providers

Posted by "Felix Meschberger (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/JCR-3222?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13194507#comment-13194507 ] 

Felix Meschberger commented on JCR-3222:
----------------------------------------

> The Sling authentication code needs to be able to take over the entire processing of a request instead of just servicing a getSession() call. 

This is wrong.

The DavexServletService is registered as a servlet service and gets processing the request from the service call. A service in OSGi is registered along with an OSGi HttpContext object which has a handleSecurity method, which handles authentication before the servlet is even called. By having a contextId service property a whiteboard servlet service can refer to a whiteboard HttpContext service which implements that method accordingly.

Thus my patch allows to plug a HttpContext service which we in Sling can provide to call the Sling authentication processing. This then makes the ResourceResolver and hence the Session available to the servlet.

Inside the servlet, the patch implements the getSessionProvider method to return a proxy SessionProvider which either provides a registered SessionProvider service or returns the default from the parent class. Sling will then provide a SessionProvider service which knows about the Sling authentication and can extract the session from the ResourceResolver.

Existing uses of the JcrRemotingServlet need not be changed as does the JcrRemotingServlet. Everything is done in the DavexServletService with proper OSGi oriented actions -- except for the ResourceResolver defined as a request attribute, which we already have.
                

[jira] [Updated] (JCR-3222) Allow servlet filters to specify custom session providers

Posted by "Jukka Zitting (Updated) (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/JCR-3222?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jukka Zitting updated JCR-3222:
-------------------------------

    Attachment: 0001-JCR-3222-Allow-servlet-filters-to-specify-custom-ses.patch

> But I don't like this -- special case handling affecting all but used by one only.

You don't have the same concern about injecting the ResourceResolver instance as a request attribute? Just like the OSGi service space, the attributes support in servlet requests (or servlet context, etc.) is a whiteboard shared by multiple providers and consumers. Why would adding a properly namespaced attribute affect anyone but the consumer of that attribute?

Additionally, the AuthHttpContext class in the Sling davex bundle is already designed specifically for the needs of the davex servlet (it needs to interpret the workspace part of the URL). So I don't see how this would affect anyone but the davex servlet.

Anyway, I guess we should simply allow both approaches and let downstream users decide which mechanism they want to use.

PS. Sorry about uploading the wrong file above... :-) I've uploaded the actual patch.
                

[jira] [Commented] (JCR-3222) Allow servlet filters to specify custom session providers

Posted by "Felix Meschberger (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/JCR-3222?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13194074#comment-13194074 ] 

Felix Meschberger commented on JCR-3222:
----------------------------------------

Unfortunately this is a compiled library and I cannot see what's changed ....

But then, somehow this feels like official Reflection Programming ....

How about using OSGi services ?

(0) The DavexServletService is already registered as a Servlet service for Whiteboard Http Service registration
(1) We could add a contextId configuration which could be configured to refer to a HttpContext service used by the Whiteboard registration
(2) Support a SessionProvider service providing pluggability

Sling (or other OSGi based use cases) could then just provide the missing pieces.

Will provide a proposed patch.
                

[jira] [Commented] (JCR-3222) Allow servlet filters to specify custom session providers

Posted by "Jukka Zitting (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/JCR-3222?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13194180#comment-13194180 ] 

Jukka Zitting commented on JCR-3222:
------------------------------------

I considered the OSGi whiteboard pattern for this, but it doesn't work for the Sling davex bundle. The Sling authentication code needs to be able to take over the entire processing of a request instead of just servicing a getSession() call. Thus a Sling component that interacts with the default Jackrabbit davex servlet in any case needs to be set up as a servlet filter (or a subclass like it currently is). Therefore passing the appropriate SessionProvider as a request attribute is IMHO a much more straightforward solution. And it works nicely also in non-OSGi deployments.
                

[jira] [Commented] (JCR-3222) Allow servlet filters to specify custom session providers

Posted by "Jukka Zitting (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/JCR-3222?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13194663#comment-13194663 ] 

Jukka Zitting commented on JCR-3222:
------------------------------------

> This is wrong. 

That's what the HttpContext.handleSecurity() method does, right? It needs to be able to take over the entire processing of a request.

> By having a contextId service property a whiteboard servlet service can refer to a whiteboard
> HttpContext service which implements that method accordingly.

You need some code to actually implement the HttpContext interface. That code could simply do request.setAttribute(SessionProvider.class.getName(), customSessionProvider) in the handleSecurity() method, right? I don't see why the SessionProvider instance would need to be an OSGi service in this case.

Of course, if there is a case why some component would want to implement the SessionProvider interface without the ability to terminate request processing or to send a custom HTTP response, then I could see why accessing SessionProviders as OSGi services would be useful. In such a case though, we should support potentially more than just a single SessionProvider service and make sure that the releaseSession() calls get routed to the correct provider (which your current patch doesn't guarantee).

                

[jira] [Updated] (JCR-3222) Allow servlet filters to specify custom session providers

Posted by "Jukka Zitting (Updated) (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/JCR-3222?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jukka Zitting updated JCR-3222:
-------------------------------

    Attachment: jackrabbit-jcr-server-2.6-SNAPSHOT.jar

Proposed patch.
                

[jira] [Resolved] (JCR-3222) Allow servlet filters to specify custom session providers

Posted by "Jukka Zitting (Resolved) (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/JCR-3222?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jukka Zitting resolved JCR-3222.
--------------------------------

       Resolution: Fixed
    Fix Version/s: 2.4
         Assignee: Jukka Zitting

OK, I've now combined the two approaches. Revision 1236819 is my original patch and revision 1236821 a modified version of Felix' patch with support for potentially more than just a single external SessionProvider service. Note that the request attribute mechanism works for all webdav servlets, while the OSGi service mechanism only works for the davex servlet (since it's the only servlet configured as an OSGi service).

Additionally in revision 1236820 I moved some extra SessionProviderImpl code (added in JCR-2539 and JCR-2542) to the JCRWebdavServlet class where it belongs better. That clears up the SessionProvider API contract and avoids breaking functionality when using custom SessionProvider implementations.

Merged to the 2.4 branch in revision 1236837.

                
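The request-attribute lookup and the releaseSession() routing discussed in this thread, as an added example that is not part of the original messages or of the Jackrabbit code: a filter publishes a provider under SessionProvider.class.getName(), the servlet falls back to its default when none is set, and each session is released through the provider that issued it. Request, Session, SessionProvider, TrackingProvider, resolve() and service() are simplified stand-ins (assumptions), not the servlet, JCR or Jackrabbit types.

```java
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

public class SessionProviderRouting {
    // Simplified stand-ins (assumptions) for the servlet request, the JCR
    // session and Jackrabbit's SessionProvider; not the real types.
    static final class Request {
        private final Map<String, Object> attributes = new HashMap<String, Object>();
        void setAttribute(String name, Object value) { attributes.put(name, value); }
        Object getAttribute(String name) { return attributes.get(name); }
    }
    static final class Session {
        final String issuer;
        Session(String issuer) { this.issuer = issuer; }
    }
    interface SessionProvider {
        Session getSession(Request request, String workspace);
        void releaseSession(Session session);
    }

    // Namespaced attribute key, built the way the thread suggests.
    static final String ATTRIBUTE = SessionProvider.class.getName();

    // Provider that remembers what it issued and rejects foreign sessions.
    static final class TrackingProvider implements SessionProvider {
        private final String name;
        private final Set<Session> issued = new HashSet<Session>();
        TrackingProvider(String name) { this.name = name; }
        public Session getSession(Request request, String workspace) {
            Session session = new Session(name);
            issued.add(session);
            return session;
        }
        public void releaseSession(Session session) {
            if (!issued.remove(session)) {
                throw new IllegalStateException(name + " did not issue this session");
            }
        }
        int outstanding() { return issued.size(); }
    }

    // Servlet side: prefer the provider a filter placed on this request,
    // otherwise use the default. Any other object under the key is ignored.
    static SessionProvider resolve(Request request, SessionProvider fallback) {
        Object candidate = request.getAttribute(ATTRIBUTE);
        return candidate instanceof SessionProvider ? (SessionProvider) candidate : fallback;
    }

    // Resolve once per request and release through that same instance, so the
    // session always goes back to the provider that created it.
    static String service(Request request, SessionProvider fallback, String workspace) {
        SessionProvider provider = resolve(request, fallback);
        Session session = provider.getSession(request, workspace);
        try {
            return workspace + " served with a session from " + session.issuer;
        } finally {
            provider.releaseSession(session);
        }
    }

    public static void main(String[] args) {
        TrackingProvider defaults = new TrackingProvider("default");
        TrackingProvider custom = new TrackingProvider("filter");
        Request filtered = new Request();
        filtered.setAttribute(ATTRIBUTE, custom); // what the filter would do
        System.out.println(service(new Request(), defaults, "default"));
        System.out.println(service(filtered, defaults, "default"));
        System.out.println("outstanding: " + defaults.outstanding() + ", " + custom.outstanding());
    }
}
```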

        

[jira] [Updated] (JCR-3222) Allow servlet filters to specify custom session providers

Posted by "Felix Meschberger (Updated) (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/JCR-3222?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Felix Meschberger updated JCR-3222:
-----------------------------------

    Attachment: JCR-3222-fmeschbe.patch

Proposed patch enhancing DavexServletService
                