Posted to commits@sling.apache.org by ro...@apache.org on 2017/10/18 23:18:04 UTC
[sling-org-apache-sling-auth-core] branch master created (now a8510eb)
This is an automated email from the ASF dual-hosted git repository.
rombert pushed a change to branch master
in repository https://gitbox.apache.org/repos/asf/sling-org-apache-sling-auth-core.git.
at a8510eb SLING-7167 Adjust READMEs
This branch includes the following new commits:
new 454cc31 SLING-1650 Consolidate authentication stuff in a new auth component; * rename commons/auth to auth/core * rename extensions/formauth to auth/form * rename extensions/openidauth to auth/openid
new 4fba8e8 SLING-1650 Refactor auth/core, auth/form, auth/openid for the new packages identifying the auth component and refer to the new auth/core for the authentication handlers.
new ac98f4a SLING-1656 Unconditionally send back a 401/UNAUTHORIZED response from the requestCredentials method if no other authentication handler was willing to request credentials. Same for the extractCredentials method: The built-in HTTP Basic handler is only called if no other credentials handler was willing to handle the request. So the handler will first try to extract the authentication header and if missing request credentials if the sling:authRequestLogin parameter is set t [...]
new f3812ed SLING-1654 Only set the Resource Resolver as a request attribute (besides the attributes required by the OSGi Http Service spec).
new 2593427 SLING-1654 - cleanup javadoc
new c73a495 Fix javadocs
new a2c9ff1 SLING-1593 Decouple authentication mechanism from JCR
new d9e2359 SLING-1668 dynamically import the JCR API
new b5ac5c0 SLING-1669 Only set the "resource" target request attribute to the request URL if neither the parameter is present nor the attribute is already set.
new 4e7b299 Code format
new 41eeb28 SLING-1679 Use Apache Felix SCR Annotations (instead of @scr JavaDoc tags)
new e760126 SLING-1678 Add support to disable built-in HTTP Basic Authentication Handler SLING-1679 Use Apache Felix SCR Annotations (instead of @scr JavaDoc tags)
new c5c8561 SLING-1678 Metatype Service labels
new 6f2e5eb Set JIRA version id and fix JavaDoc exclusions
new d54ca7c Update to Sling API 2.1.0
new b6b5b47 [maven-release-plugin] prepare release org.apache.sling.auth.core-1.0.0
new 109ad63 [maven-release-plugin] prepare for next development iteration
new b6074a7 SLING-1686 - adding post processing for fallback basic auth handler
new fda6c50 SLING-1688 Add built-in HTTP Basic authentication handler to Web Console Authenticator page if not disabled
new 1446fc9 Fix JIRA version ID for the 1.0.2 release
new 85c043d [maven-release-plugin] prepare release org.apache.sling.auth.core-1.0.2
new a215ecb [maven-release-plugin] prepare for next development iteration
new 8a8de78 SLING-1712 use a Map<String, List<String>> to prepare the authentication handlers to present them on the Authenticator page in the Web Console
new 881f144 SLING-1716 Ensure resource resolver is closed if request is intended to be terminated
new 9dadfa2 SLING-1717 Provide resource resolver as request attribute before calling custom AuthenticationFeedbackHandler for successful login
new 4dd71ad typo in comment...
new 66264e3 SLING-1742 Just set the status to send back the 401 response instead of using sendError
new 7a145a5 SLING-1752 Unify resource attribute/parameter setting and default value handling
new 2b042e0 SLING-1752 Increment micro version of the spi package export because we added a new method to the AbstractAuthenticationHandler
new 779ef8f SLING-1783 Make the use of the j_reason request attribute to inform about failures for authentication official
new 06e2eef SLING-1752 export with an even micro number to align with bundle versioning scheme
new a9d30fb SLING-1783 Add @since tag for new constant
new 019b2ca SLING-1785 Provide helper method to redirect the client to request credentials supporting a redirect target and optional request parameters with sensible support defaulting the "resource" request parameter to send the client back to the originally requested target (including optional request parameters)
new f3d7c95 Handle empty redirect target due to empty context path ourselves instead of using side-effect prone setLoginResourceAttribute
new 51859ef SLING-1428 Don't "handle" login failure if the AuthenticationFeedbackHandler already committed a response.
new e26897c SLING-1428 Implement generalized support for validating credentials supplied by a request using the j_validate request parameter.
new 2a6ff5b SLING-1745 No redirect to login form for AJAX requests (403 instead) SLING-1400 Use 401 if possible for failed authentication of non-browser requests (fallback to 403)
new 19445d5 SLING-1745/SLING-1400 This patch file does not belong to SVN
new b4513dd SLING-1817 switch HTTP Basic Authentication completely off by default
new 1850c10 SLING-1817 revert the changes to first discuss it in detail
new 7469375 SLING-1831 Recognize redirect loop by comparing the Referer header (if set) with the current request and only call the authentication handlers if not equal. Also provide a sensible default authentication failure reason as part of the handleLoginFailure method handling LoginException. Finally send back the authentication failure as response content (text/plain, UTF-8) in addition to setting it as the X-Reason response header.
new 996fa36 SLING-1831 Try to send 401/UNAUTHORIZED instead of 403/FORBIDDEN if a loop is detected
new be27176 SLING-1841 Send cache control headers to prevent caching the result and set content type to prevent Firefox from trying to parse the result if requesting with an XHR request
new 14311f0 updating all modules to parent 10-SNAPSHOT in anticipation of emma additions to parent
new 403741c fixing relativePaths
new db99b2c SLING-1855 Correctly set the form action path deduced not only from the request context path but also the actual resource the user wants to access to make sure the form response hits the correct authentication handler
new b12419b SLING-1869 - upgrading to latest SCR plugin and putting scr.annotations in parent
new 194c0ff Update to recent snapshots
new 65ee530 Use latest releases.
new f88679a [maven-release-plugin] prepare release org.apache.sling.auth.core-1.0.4
new 69755e4 [maven-release-plugin] prepare for next development iteration
new e551d42 SLING-1932 - fixing SLING-1932. if requestContextPath is "/", make it "". also adding a unit test
new 1d9674f fixing SLING-1933 by introducing a new variable contextPath which just contains the contextPath
new 139a323 better fix for SLING-1932
new 97a24c2 fixing SLING-1940 - resource attribute/param should be a full path, including the servlet context.
new ab6f6d7 [maven-release-plugin] prepare release org.apache.sling.auth.core-1.0.6
new 2857783 [maven-release-plugin] prepare for next development iteration
new fde6e48 SLING-2126 Add helper method to validate a target to redirect to after logging in. Also use this method in the redirects in the DefaultAuthenticationFeedbackHandler and AbstractAuthenticationHandler. Finally, since we add a method, increase the micro version number for clients to be able to properly require the implementation.
new c954c73 SLING-2150 : Update plugins to use the latest available versions
new 3b73525 Update to recent snapshot
new ac5f69b Using latest released parent pom
new b4861b2 SLING-2187 - adding new module to contain our custom notice file; adding remote-resources plugin configuration to parent pom and removing all existing appended-resources NOTICE files
new eee98a2 temporarily using snapshots during release vote
new 6547b1e using latest releases
new d90af5a SLING-2266 Don't pass requests intended to be handled and terminated by authentication handlers
new d1fa7c5 SLING-2267 Upgrade to Maven Bundle plugin 2.3.4 and make use of BND package level annotations for package exports
new d7a3eaf SLING-2080 Apply slightly modified patch by Angela Schreiber (thank you very much)
new 9f6fd29 Subtle casing bug causes build to break ....
new 5f7ab7b SLING-2165 Form based login failure should stay on the same login page to show the login error
new f5e8487 SLING-2287 Check the redirect target for the redirect after logging out. Also ensure the target is prefixed with the context path
new a5f6ab5 SLING-2287 Don't use the servlet context path as the default login resource because the actual redirect will automatically prefix the servlet context path
new 5447c7b SLING-2287 Need the AuthUtil class for checking the valid redirect
new 2858a09 Fix log message to properly indicate the method it is logged in
new ce607b7 SLING-2126 Move tests from AbstractAuthenticationHandlerTest to AuthUtilTest for methods moved to the new AuthUtil class. Adapt AbstractAuthenticationHandler and DefaultAuthenticationFeedbackHandler to use the new AuthUtil class.
new d77e43b SLING-2280 Implement Option 4: HTTP Basic Handler is fully enabled ignoring any conflicting configuration if anonymous access is disabled. This causes the HTTP Basic Handler to operate as a proper fallback for authentication. If anonymous access is allowed the HTTP Basic enablement configuration is still followed.
new 6f49314 SLING-2280 Implement Option 2: Support AuthenticationHandler service registration property to indicate that browser requests are supported only.
new cd6fc19 SLING-2276 Provide functionality to configure a user to be used for anonymous requests
new efc1ccb SLING-2299 Consolidate utility methods in AuthUtil and constants in AuthConstants and adapt uses. Existing methods (mostly in AbstractAuthenticationHandler) are deprecated but remain implemented calling the new AuthUtil methods. The SlingAuthentication.isBrowserRequest (which was wrong) is also replaced by the AuthUtil.isBrowserRequest method (analyzing the User-Agent).
new 53ffb71 SLING-2300 Fixing support for AuthenticationInfo post processing: For anonymous requests, the AuthenticationInfo instance should always be prepared (even if it is just an empty map). This instance is then passed to the post processors and later used to access the anonymous resource resolver. In addition the J_WORKSPACE constant is removed from the AuthConstants class again because Auth Core has nothing to do with workspaces.
new cf580ff SLING-2318 Properly check the response whether it is committed and reset the output buffer before generating the response.
new 75c9f1f SLING-2329 Fix loop prevention - Implement authenticationFailed method for HTTP Basic Authentication Handler to force the client to provide different credentials - Send 403/FORBIDDEN if a browser client causes a redirect loop (instead of having the HTTP Basic handler send 401
new a8ed58f SLING-2329 Fix loop prevention - credential validations must not be replied to with a 401 (403 is expected here)
new 70095d3 SLING-2337 - introduce a flag which, if set as a request attribute, skips the session closing. Inline this constant into auth.core and engine so as to avoid requiring the new API bundle.
new acde516 SLING-2349 - adding login and logout events
new cdfcd13 SLING-2349 - changing auth handler class event property to auth type
new b1c6174 SLING-2165 fixed regression loading the login page of the launchpad
new 5e9f982 SLING-2360 Improve redirect path validity test - target must start with servlet context path - target minus servlet context path must be absolute - accept target resolving to an existing resource - check target for illegal characters if no resource resolver is available or if it does not resolve to an existing resource - add more unit tests
new a4a4c16 SLING-2360 Ensure requesting the servlet context root path does not fail
new 6b064cf SLING-2337 Revert commit #1221545
new a5e2527 SLING-2349 - changing login event producing logic to be based on an AuthenticationInfo property (thanks Felix!)
new 8b85291 SLING-2383 Redirect to servlet context root if the target path is not valid
new 8c9ee57 SLING-2390 Ensure sling.auth.redirect request parameter is respected if impersonation state changes
new d5f5ad6 SLING-2391 Ensure impersonation cookie is cleared on logout
new ddd5650 SLING-2392 Synchronize AuthUtil.isRedirectValid and AuthUtil.sendRedirect for their expectation regarding the target path argument: Both expect the path to be prefixed with the request context path. The old AbstractAuthenticationHandler.sendRedirect is changed such that it prefixes the target with the servlet context path before calling AuthUtil.sendRedirect because we cannot change the semantics of the old method without breaking the API contract. Also remove useless @s [...]
new d91e3af SLING-2441 - allowing put(AUTH_TYPE, null) in AuthenticationInfo. Bumping export version as it is an API change.
new 2b45799 SLING-2480 : Add config for maven-sling-plugin to m2e configuration
new e6409b1 Revert "SLING-2441 - allowing put(AUTH_TYPE, null) in AuthenticationInfo. Bumping export version as it is an API change."
new 0acf6da Update to latest parent pom
new d9f62a2 Use released versions
new 97affaf [maven-release-plugin] prepare release org.apache.sling.auth.core-1.1.0
new 370dd89 [maven-release-plugin] prepare for next development iteration
new 146de46 Use latest releases and update to new parent pom
new fbf2dd4 Update to latest parent pom and use latest releases in launchpad
new 63545b1 SLING-2592 Patch from Dominik Smogór applied, thank you. Fixes situation where additional AuthenticationHandlers are ignored for checking protected resources and probably on consulting those authentication handlers for specific paths.
new ac8718a Managed versions of these plugins/dependencies are > the pom version so fix made in SLING-2267 r1198746 is no longer required. The impact of binding to the managed version of bnd is that the serviceComponents are listed in the manifest.
new aaa194e SLING-2812 : Access to handler map is not correctly synchronized
new a76f97e [maven-release-plugin] prepare release org.apache.sling.auth.core-1.1.2
new b3639dd [maven-release-plugin] prepare for next development iteration
new 8e908da Correct reactor pom and update to parent pom 16
new f385892 SLING-2966 : Insufficient synchronization in SlingAuthenticator
new 3fa38cb SLING-2974 : XSS vulnerability in AbstractAuthenticationFormServlet
new e06dea8 Update to latest parent pom
new beeda5d Update to parent pom 18
new 478b62b Revert to old maven bundle plugin if DynamicImport-Package is used
new 3475f83 SLING-2998 SlingAuthenticator fails because of pathInfo being null
new f2210e7 SLING-3079 : Move constant for "sling.auth.requirements" to AuthConstants
new 81b61a5 SLING-2615 : allow the LogoutServlet to be configured to only respond to POST requests
new d1cd9aa SLING-3141 : AbstractAuthenticationFormServlet should make sure resource is a valid redirect
new 10e5679 [maven-release-plugin] prepare release org.apache.sling.auth.core-1.1.4
new 72ecf59 [maven-release-plugin] prepare for next development iteration
new 4a8d3a7 SLING-3271 : Properly xml escape web console output
new 62acb53 SLING-3286 - Remove plugin version overrides from poms
new d35f84c SLING-3286 - Remove plugin version overrides from poms
new e1d3ebe [maven-release-plugin] prepare release org.apache.sling.auth.core-1.1.6
new 7cef26a [maven-release-plugin] prepare for next development iteration
new e330cdf Update to parent pom v19
new 81b8899 SLING-3488 : Redirect after authentication breaks with context path
new 193fb1a SLING-3492 use / as default when path is empty
new 5abb8f6 SLING-3794 : Fields for dynamic references must be volatile
new ab4432a Updated to parent version 20
new ffc772a [maven-release-plugin] prepare release org.apache.sling.auth.core-1.1.8
new 325bb7b [maven-release-plugin] prepare for next development iteration
new 2601837 SLING-3905 : Support Password Expired In Sling Authenticator. Apply slightly modified patch from Dominique Jäggi
new 0b59440 [maven-release-plugin] prepare release org.apache.sling.auth.core-1.2.0
new ab102e4 [maven-release-plugin] prepare for next development iteration
new 5e344aa SLING-3922 : Login Failure Reason Code Not Propagated In AuthUtil#sendInvalid. Apply patch from Dominique Jäggi
new ea59e08 SLING-3936 - Poor performance when adding a large (?) number of sling.auth.requirements services
new e78957b [maven-release-plugin] prepare release org.apache.sling.auth.core-1.3.0
new 7e9d5db [maven-release-plugin] prepare for next development iteration
new 469a868 Update to Sling Parent POM 22 with baselining enabled
new 3275522 SLING-3991 - Support Password Change Upon Expiry Via SimpleCredentials Attribute (applied patch from Dominique Jaeggi)
new 3d9dc6e [maven-release-plugin] prepare release org.apache.sling.auth.core-1.3.2
new 1b1884b [maven-release-plugin] rollback the release of org.apache.sling.auth.core-1.3.2
new 4e6940c [maven-release-plugin] prepare release org.apache.sling.auth.core-1.3.2
new 67ee697 [maven-release-plugin] prepare for next development iteration
new 23e4871 SLING-4203 - Remove the configurable option for auth.newpassword.parameter
new 7106325 [maven-release-plugin] prepare release org.apache.sling.auth.core-1.3.4
new b63ac99 [maven-release-plugin] prepare for next development iteration
new a2f2c4f SLING-4399 - Regression in the SlingAuthenticator
new c86273e [maven-release-plugin] prepare release org.apache.sling.auth.core-1.3.6
new 8998a8a [maven-release-plugin] prepare for next development iteration
new 7631f56 SLING-4698 - Set parent.relativePath to empty for all modules
new 08ed93d Update to Sling Parent 23
new fe5b7ff SLING-4785 - sling.auth.requirements is ignored on expired credentials
new 315231d [maven-release-plugin] prepare release org.apache.sling.auth.core-1.3.8
new e2effac [maven-release-plugin] prepare for next development iteration
new 0f34d2f set parent version to 24 and add empty relativePath where missing
new 3df0dfc SLING-4864 - SlingAuthenticator should handle empty path for anonymous resources
new 031b7b2 [maven-release-plugin] prepare release org.apache.sling.auth.core-1.3.10
new b0128bb [maven-release-plugin] prepare for next development iteration
new d48e957 Update the main reactor to parent 25
new 310d41b SLING-5116 - Communicate Password Change Failure Reason During Password Expiry
new d176cc7 SLING-5116 - Communicate Password Change Failure Reason During Password Expiry (applied patch from Dominique Jaeggi)
new 0aaa60d SLING-5141 - Expose Oak's Login Failures in Authenticator Reason (applied patch from Dominique Jaeggi thanks!)
new b919869 [maven-release-plugin] prepare release org.apache.sling.auth.core-1.3.12
new 4812a1a [maven-release-plugin] prepare for next development iteration
new d2388e0 SLING-5188 - Some WebConsole plugins are placed in the 'main' category
new 048dca5 Switch to parent pom 26
new e9e73f1 SLING-5629 : redirectAfterLogout prepends servlet context to the target, when it's already there. Apply patch from Guillaume Lucazeau
new cedfb24 SLING-5639 - SlingAuthenticator ignore the path
new 27d2d7b [maven-release-plugin] prepare release org.apache.sling.auth.core-1.3.14
new 687d3bb [maven-release-plugin] prepare for next development iteration
new 9f52c30 SLING-5625 - Unable to impersonate user with surrogate pair character
new 6730f30 [maven-release-plugin] prepare release org.apache.sling.auth.core-1.3.16
new ccabb96 [maven-release-plugin] prepare for next development iteration
new 2531f36 SLING-5960 : Clarify AUTH_REQUIREMENTS service registration property
new df933ab Update to parent pom 28
new 91d7a76 SLING-5792 : API to manage Authentication Requirement
new 83ff1f3 SLING-5792 : API to manage Authentication Requirement. Add first implementation and add test based on patch provided by Angela Schreiber
new 51336e7 SLING-5792 : API to manage Authentication Requirement. Add first implementation and add test based on patch provided by Angela Schreiber
new 27e8364 SLING-5792 : API to manage Authentication Requirement. Implement equals and compareTo
new 8beeeae SLING-5792 : API to manage Authentication Requirement. Fix dependency to commons.osgi
new 6d2b18f SLING-5792 : API to manage Authentication Requirement. Use PropertiesUtil instead of OsgiUtil
new 8a99c89 SLING-5795 : Reverting Allow for adding/removing individual AuthenticationRequirementHolder entries
new df8ac90 SLING-5993 : Improve auth requirement whiteboard implementation
new eea4ba6 SLING-5993 : Improve auth requirement whiteboard implementation
new 904e438 SLING-6011 : Register request listener through http whiteboard
new 12ea8c7 [maven-release-plugin] prepare release org.apache.sling.auth.core-1.3.18
new af6fe1c [maven-release-plugin] prepare for next development iteration
new 9624d23 SLING-6052 - Broken impersonation
new 0d14d67 [maven-release-plugin] prepare release org.apache.sling.auth.core-1.3.20
new fdff5ed [maven-release-plugin] prepare for next development iteration
new 4631876 SLING-6275 - Unable to impersonate user with surrogate pair character
new 606e975 SLING-6275 - Unable to impersonate user with surrogate pair character
new d0d778d @releng fixing javadoc
new 6ce5bb8 [maven-release-plugin] prepare release org.apache.sling.auth.core-1.3.22
new 9da34ae [maven-release-plugin] prepare for next development iteration
new f607c50 @releng fixing javadoc
new c46e50c @releng fixing javadoc
new 272c8f4 @releng fixing javadoc
new 043178e @releng fixing javadoc
new 438c12c SLING-6485 - IllegalArgumentException in SlingAuthenticator#sendSudoCookie
new 61b48ec [maven-release-plugin] prepare release org.apache.sling.auth.core-1.3.24
new 63246a1 [maven-release-plugin] prepare for next development iteration
new bfa9403 SLING-6053 - SlingAuthenticator identifies wrong sibling node with AuthenticationInfo
new 9d0e2b6 use Sling Parent 30
new adfa5f6 add missing Felix SCR annotations
new dda4f75 SLING-6053 - SlingAuthenticator identifies wrong sibling node with AuthenticationInfo
new 056019b SLING-6053 - SlingAuthenticator identifies wrong sibling node with AuthenticationInfo
new 9f87d78 SLING-6053 - SlingAuthenticator identifies wrong sibling node with AuthenticationInfo
new 55e266b SLING-6053 - SlingAuthenticator identifies wrong sibling node with AuthenticationInfo
new e3fc0e3 [maven-release-plugin] prepare release org.apache.sling.auth.core-1.3.26
new 944afe4 [maven-release-plugin] prepare for next development iteration
new 97814c4 SLING-6972 - Add a request attribute in the SlingAuthenticator containing the list of request URI suffixes handled by the default authenticator
new 39e200c SLING-6972 - Add a request attribute in the SlingAuthenticator containing the list of request URI suffixes handled by the default authenticator
new d2f122b SLING-6972 - Add a request attribute in the SlingAuthenticator containing the list of request URI suffixes handled by the default authenticator
new 3e9994c [maven-release-plugin] prepare release org.apache.sling.auth.core-1.4.0
new d5d97c8 [maven-release-plugin] prepare for next development iteration
new d3a162d SLING-6972 - Add a request attribute in the SlingAuthenticator containing the list of request URI suffixes handled by the default authenticator
new a8510eb SLING-7167 Adjust READMEs
The 220 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails. The revisions
listed as "add" were already present in the repository and have only
been added to this reference.