Posted to dev@sling.apache.org by Justin Edelson <ju...@gmail.com> on 2010/07/08 16:41:43 UTC

Re: Unified authentication/authorization in Sling? [WAS: Preventing Listing of child nodes of a resource.]

On 7/7/10 9:21 AM, Vidar Ramdal wrote:
> On Thu, Jul 1, 2010 at 1:52 PM, Ian Boston <ie...@tfd.co.uk> wrote:
>> Hi,
>> I want to be able to stop the listing of all child nodes at specific urls, but still allow direct access to items in a subtree.
> 
> Not really related to Ian's post at all, but it got me thinking: Sling
> currently implements a way of authenticating to a JCR repository via
> HTTP, and lets JCR handle authorization.
> But how about resources from other sources, like file system folders,
> databases etc?
> 
> Should we start thinking about a common interface for
> authorization/authentication for an arbitrary resource, not just JCR
> resources?
> The ResourceProvider interface has a getResource(ResourceResolver,
> HttpServletRequest, String) method, so I guess implementors could
> handle authentication and access control there. But it seems it would
> be nice if authentication/authorization stuff was done centrally.
> 
> WDYT?
> 
For better or worse, authentication is *already* centralized in the
sense that it is done via the ResourceResolverFactory. ResourceProviders
can access the authenticated userID via ResourceResolver.getUserID().

Authentication is trickier. What would probably be the most effective is
if we implemented UserAdmin on top of the UserManager. If done in a
read-only fashion, this probably wouldn't be that complex. That would
get you reasonably easy access to user roles.

The last step would be mapping user roles to privileges on non-JCR
resource paths. This is probably trickier to standardize a content model
for but could be decoupled from the UserAdmin step above.

Justin
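To make the division of labour in this thread concrete: an added sketch (not Sling project code, and not something Justin or Vidar posted) of a ResourceProvider for a non-JCR source that relies on authentication having already happened in the ResourceResolverFactory, takes the caller from ResourceResolver.getUserID(), asks an OSGi UserAdmin (assumed here to be the read-only layer over the JCR UserManager that Justin proposes) for the caller's roles, and applies a path-prefix-to-role table before delegating. It also withholds child listings of a path the caller may not read, which is Ian's original concern. The class name, the delegate, the "uid" user key and the sample policy table are all assumptions; the ResourceProvider signatures are those of the Sling API of the time, as quoted in the thread.

```java
import java.util.Collections;
import java.util.Iterator;
import java.util.Map;
import java.util.TreeMap;
import javax.servlet.http.HttpServletRequest;
import org.apache.sling.api.resource.Resource;
import org.apache.sling.api.resource.ResourceProvider;
import org.apache.sling.api.resource.ResourceResolver;
import org.osgi.service.useradmin.User;
import org.osgi.service.useradmin.UserAdmin;

public class RoleGatedResourceProvider implements ResourceProvider {
    private final ResourceProvider delegate; // the real file-system/database provider (hypothetical)
    private final UserAdmin userAdmin;       // assumed to be implemented on top of the JCR UserManager
    // Path prefix -> role required to read at or below it (constructed sample policy).
    private final TreeMap<String, String> requiredRole = new TreeMap<String, String>();
    public RoleGatedResourceProvider(ResourceProvider delegate, UserAdmin userAdmin) {
        this.delegate = delegate;
        this.userAdmin = userAdmin;
        requiredRole.put("/fs/public", "everyone");
        requiredRole.put("/fs/internal", "staff");
        requiredRole.put("/fs/internal/hr", "hr");
    }
    // Longest-prefix rule lookup followed by a UserAdmin role check; unmapped paths are denied.
    boolean mayRead(ResourceResolver resolver, String path) {
        Map.Entry<String, String> rule = requiredRole.floorEntry(path);
        // floorEntry is only the lexicographically closest key; walk back until it is a real ancestor
        while (rule != null && !path.equals(rule.getKey()) && !path.startsWith(rule.getKey() + "/")) {
            rule = requiredRole.lowerEntry(rule.getKey());
        }
        if (rule == null) return false;
        if ("everyone".equals(rule.getValue())) return true;
        String userId = resolver.getUserID(); // authentication already done by the ResourceResolverFactory
        User user = userId == null ? null : userAdmin.getUser("uid", userId); // "uid" key is an assumption
        return user != null && userAdmin.getAuthorization(user).hasRole(rule.getValue());
    }
    public Resource getResource(ResourceResolver resolver, String path) {
        return mayRead(resolver, path) ? delegate.getResource(resolver, path) : null;
    }
    public Resource getResource(ResourceResolver resolver, HttpServletRequest req, String path) {
        return mayRead(resolver, path) ? delegate.getResource(resolver, req, path) : null;
    }
    // Child listing is withheld unless the parent itself is readable by this user.
    public Iterator<Resource> listChildren(Resource parent) {
        if (!mayRead(parent.getResourceResolver(), parent.getPath())) {
            return Collections.<Resource>emptyList().iterator();
        }
        return delegate.listChildren(parent);
    }
}
```

With the sample table, an authenticated user holding only the "staff" role gets /fs/internal/report but a null for /fs/internal/hr/salaries and an empty listing for /fs/internal/hr, while a path outside the table is denied to everyone.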