Posted to dev@sling.apache.org by "Rory Douglas (JIRA)" <ji...@apache.org> on 2008/08/13 07:05:44 UTC

[jira] Commented: (SLING-608) Provide Authentication Control

    [ https://issues.apache.org/jira/browse/SLING-608?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12622098#action_12622098 ] 

Rory Douglas commented on SLING-608:
------------------------------------

One way of improving the authentication aspect is to enable Jetty JAAS by adding the jetty-plus dependency, then configuring a <userRealm> in the launchpad/webapp pom.xml (in the configuration section of the maven-jetty-plugin). You'll need to set up the usual J2EE security constraints in web.xml as well (possibly protecting the whole app). The missing piece would be (I think) an implementation of AuthenticationHandler that just calls request.getRemoteUser(). I've gotten the first part of this to work using the basic PropertyFileLoginModule that comes with Jetty, though an LDAP or JDBC-based one would be more useful.

> Provide Authentication Control
> ------------------------------
>
>                 Key: SLING-608
>                 URL: https://issues.apache.org/jira/browse/SLING-608
>             Project: Sling
>          Issue Type: Improvement
>          Components: Documentation, JCR, Launchpad
>    Affects Versions: Launchpad Webapp 3
>            Reporter: Marvin Phelps
>
> Sling sits atop a content repository - so there should be better examples of how to post versions and list versions. (mix:versionable). I managed to find out how to do this using the Day notes application. Secondly, it's now apparent to me that the LaunchPad webapp is using Jackrabbit's SimpleLoginModule and by default it allows access for every user: even http://doodoo:poopoo@localhost:8888/ Sling needs to have some authentication strategy built-in. With this stuff provided in Launchpad, Sling would be more usable out of the box.

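The web.xml security constraints mentioned in the comment above, as an added example (not taken from the issue or from the Sling project): it puts the whole webapp behind container-managed BASIC authentication. The role name `sling-user` and the realm name `SlingRealm` are assumptions; the realm name has to match the name given to the Jetty `<userRealm>` in pom.xml.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">

  <!-- Protect every URL of the webapp. No <http-method> elements are
       listed on purpose: naming only GET and POST would leave the other
       HTTP methods outside the constraint. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Whole application</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <!-- Assumed role name; the JAAS login module must grant it. -->
      <role-name>sling-user</role-name>
    </auth-constraint>
    <user-data-constraint>
      <!-- BASIC sends the password base64-encoded on every request,
           so require a TLS connector. -->
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Container-managed login. After it succeeds,
       request.getRemoteUser() returns the authenticated user name. -->
  <login-config>
    <auth-method>BASIC</auth-method>
    <!-- Assumed realm name; must equal the <userRealm> name in pom.xml. -->
    <realm-name>SlingRealm</realm-name>
  </login-config>

  <security-role>
    <role-name>sling-user</role-name>
  </security-role>

</web-app>
```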