incubator-sling-commits mailing list archives

Subject [CONF] Apache Sling Website > Authentication
Date Fri, 08 Jan 2010 09:45:00 GMT
    <base href="">
            <link rel="stylesheet" href="/confluence/s/1519/1/1/_/styles/combined.css?spaceKey=SLINGxSITE&amp;forWysiwyg=true"
<body style="background-color: white" bgcolor="white">
<div id="pageContent">
<div id="notificationFormat">
<div class="wiki-content">
<div class="email">
     <h2><a href="">Authentication</a></h2>
     <h4>Page <b>edited</b> by             <a href="">Felix
     Rewrite to adapt to new Commons Auth bundle
          <div id="versionComment" class="noteMacro" style="display:none; padding: 5px;">
     Rewrite to adapt to new Commons Auth bundle<br />
     <div class="notificationGreySide">
         <h1><a name="Authentication-Authentication"></a>Authentication</h1>

<ul>
    <li><a href='#Authentication-Tasks'>Tasks</a></li>
    <li><a href='#Authentication-ActorsintheTwoStepGame'>Actors in the Two Step Game</a></li>
    <li><a href='#Authentication-OSGiHttpServiceSpecification'>OSGi Http Service Specification</a></li>
    <li><a href='#Authentication-SlingEngine'>Sling Engine</a></li>
    <li><a href='#Authentication-SlingCommonsAuth'>Sling Commons Auth</a></li>
    <li><a href='#Authentication-JCRRepository'>JCR Repository</a></li>
    <li><a href='#Authentication-GenericRequestProcessing'>Generic Request Processing</a></li>
    <li><a href='#Authentication-SlingAuthenticator'>SlingAuthenticator</a></li>
    <li><a href='#Authentication-AuthenticationSupportimplementation'>AuthenticationSupport implementation</a></li>
    <li><a href='#Authentication-Authenticatorimplementation'>Authenticator implementation</a></li>
    <li><a href='#Authentication-AuthenticationHandler'>AuthenticationHandler</a></li>
    <li><a href='#Authentication-Sampleimplementations'>Sample implementations</a></li>
</ul>

<p>This page describes the framework Sling provides to authenticate HTTP requests, that is, how requests are authenticated in Sling.</p>

<h2><a name="Authentication-Tasks"></a>Tasks</h2>

<p>Request Authentication in Sling takes two steps:</p>

<p><b>1. Extract credentials from the request</b></p>
<ul>
	<li>Implemented and controlled by the Sling Commons Auth bundle</li>
	<li>Takes <tt>HttpServletRequest</tt></li>
	<li>Provides credentials for further processing (basically JCR <tt>Credentials</tt> and Workspace name)</li>
	<li>Extensible with the help of <tt>AuthenticationHandler</tt> services</li>
</ul>

<p><b>2. Login to the JCR repository</b><sup id='FootnoteMarker1'><a name='FootnoteMarker1' href='#Footnote1' title='Footnote: Click here to display the footnote'>1</a></sup></p>
<ul>
	<li>Implemented and controlled by the JCR Repository</li>
	<li>Takes JCR <tt>Credentials</tt> and Workspace name</li>
	<li>Provides a JCR <tt>Session</tt></li>
	<li>Implementation dependent process. Jackrabbit provides extensibility based on <tt>LoginModules</tt>; Sling's Embedded Jackrabbit Repository bundle provides extensibility with <tt>LoginModulePlugin</tt> services</li>
</ul>

<h2><a name="Authentication-ActorsintheTwoStepGame"></a>Actors in the Two
Step Game</h2>

<h3><a name="Authentication-OSGiHttpServiceSpecification"></a>OSGi Http
Service Specification</h3>

<p>The main support for authentication is defined by the OSGi Http Service specification.
This specification defines how an OSGi application can register servlets and resources to
build web applications. As part of the servlet and/or resource registration a <tt>HttpContext</tt>
may be provided, which allows for additional support.</p>

<p>The main method of interest to the authentication process is the <tt>handleSecurity</tt>
method. This is called by the OSGi Http Service implementation before the registered servlet
is called. Its intent is to authenticate the request and to provide authentication information
for the request object: the authentication type and the remote user name.</p>

<p>The Sling Commons Auth bundle provides the <tt>AuthenticationSupport</tt> service which may be used to implement the <tt>HttpContext.handleSecurity</tt> method.</p>

<h3><a name="Authentication-SlingEngine"></a>Sling Engine</h3>

<p>The Sling Engine implements the main entry point into the Sling system by means of
the <tt>SlingMainServlet</tt>. This servlet is registered with the OSGi Http Service
and provides a custom <tt>HttpContext</tt> whose <tt>handleSecurity</tt>
method is implemented by the <tt>AuthenticationSupport</tt> service.</p>

<p>When the request hits the <tt>service</tt> method of the Sling Main Servlet, the resource resolver provided by the <tt>AuthenticationSupport</tt> service is extracted from the request attributes and used as the resource resolver for the request.</p>

<p>Other than that the Sling Engine is not involved in the authentication process at all.</p>

<h3><a name="Authentication-SlingCommonsAuth"></a>Sling Commons Auth</h3>

<p>The support for authenticating client requests is implemented in the Sling Commons Auth bundle. This bundle provides three areas of support:</p>

<ul>
	<li><tt>AuthenticationHandler</tt> service interface. This is implemented by services providing functionality to extract credentials from HTTP requests.</li>
	<li><tt>Authenticator</tt> service interface. This is implemented by the <tt>SlingAuthenticator</tt> class in the Commons Auth bundle and provides applications with entry points to login and logout.</li>
	<li><tt>AuthenticationSupport</tt> service interface. This is implemented by the <tt>SlingAuthenticator</tt> class in the Commons Auth bundle and allows applications registering with the OSGi HTTP Service to make use of the Sling authentication framework.</li>
</ul>
<h3><a name="Authentication-JCRRepository"></a>JCR Repository</h3>

<p>The actual process of logging into the repository and providing a <tt>Session</tt> is implementation dependent. In the case of Jackrabbit, extensibility is provided by configuration of the Jackrabbit repository by means of an interface and two helper classes:</p>

<ul>
	<li><tt>LoginModule</tt> &#8211; The interface to be implemented to provide login processing plugins</li>
	<li><tt>AbstractLoginModule</tt> &#8211; An abstract base class implementation of the <tt>LoginModule</tt> interface.</li>
	<li><tt>DefaultLoginModule</tt> &#8211; The default implementation of the <tt>AbstractLoginModule</tt> provided by Jackrabbit. This login module takes <tt>SimpleCredentials</tt> and uses the repository to look up the users, validate the credentials and provide the <tt>Principal</tt> representing the user towards the repository.</li>
</ul>

<p>The Sling Jackrabbit Embedded Repository bundle provides additional plugin interfaces to extend the login process dynamically using OSGi services. To this end the bundle configures a <tt>LoginModule</tt> with the provided default Jackrabbit configuration supporting these plugins:</p>

<ul>
	<li><tt>LoginModulePlugin</tt> &#8211; The main service interface. Plugins must implement this interface to be able to extend the login process. See for example the <a href="" rel="nofollow">Sling OpenID authentication handler</a>, which implements this interface to support OpenID authentication.</li>
	<li><tt>AuthenticationPlugin</tt> &#8211; Helper interface for the</li>
</ul>
<h4><a name="Authentication-SlingApplications"></a>Sling Applications</h4>

<p>Sling Applications requiring authenticated requests should not care about how authentication is implemented. To support such functionality the <tt>Authenticator</tt> service is provided with two methods:</p>

<ul>
	<li><tt>login</tt> &#8211; allows the application to ensure requests are authenticated. This involves selecting an <tt>AuthenticationHandler</tt> to request credentials for authentication.</li>
	<li><tt>logout</tt> &#8211; allows the application to forget about any authentication. This involves selecting an <tt>AuthenticationHandler</tt> to forget about credentials in the request.</li>
</ul>

<p>Sling Applications should never directly use any knowledge of any authentication
handler or directly call into an authentication handler. This will certainly break the application
and cause unexpected behaviour.</p>

<div class='panelMacro'><p>If you want to know whether a request is authenticated or not, you can inspect the result of the <tt>HttpServletRequest.getAuthType</tt> method: if this method returns <tt>null</tt> the request is not authenticated.</p></div>

<h2><a name="Authentication-GenericRequestProcessing"></a>Generic Request

<p>This all sounds very nice, but how is it linked together? Let's look at the processing steps from the point a request is sent to a Sling system to the moment the request finally enters the <tt>SlingMainServlet.service</tt> method:</p>

<table class="sectionMacro" border="0" cellpadding="5" cellspacing="0" width="100%"><tbody><tr>
<td class="confluenceTd" valign="top">
<p><a class="confluence-thumbnail-link 602x622" href=''><img
src="/confluence/download/thumbnails/115813/authentication.png" align="absmiddle" border="0"
title="Request Processing " /></a></p></td>
<td class="confluenceTd" valign="top">
	<li>First the OSGi HTTP Service implementation is analyzing the request URL to find
a match for a servlet or resource registered with the HTTP Service.</li>
	<li>Now the HTTP Service implementation has to call the <tt>handleSecurity</tt>
method of the <tt>HttpContext</tt> object with which the servlet or resource has
been registered. This method returns <tt>true</tt> if the request should be serviced.
If this method returns <tt>false</tt> the HTTP Service implementation terminates
the request sending back any response which has been prepared by the <tt>handleSecurity</tt>
method. Note, that the <tt>handleSecurity</tt> method must prepare the failure
response sent to the client, the HTTP Service adds nothing here. If the <tt>handleSecurity</tt>
method is successful, it must add two (or three) request attributes described below.</li>
	<li>When the <tt>handleSecurity</tt> method returns <tt>true</tt>
the HTTP Service either calls the <tt>Servlet.service</tt> method or sends back
the requested resource depending on whether a servlet or a resource has been selected in the
first step.</li>

<p>The important thing to note here is, that at the time the <tt>handleSecurity</tt>
method is called, the <tt>SlingMainServlet</tt> is not yet in control of the request.
So any functionality added by the <tt>SlingMainServlet</tt>, notably the <tt>SlingHttpServletRequest</tt>
and <tt>SlingHttpServletResponse</tt> objects are not available to the implementation
of the <tt>handleSecurity</tt> method.</p>

<h2><a name="Authentication-SlingAuthenticator"></a>SlingAuthenticator</h2>

<p>The <tt>SlingAuthenticator</tt> class is an internal class of the Sling Commons Auth bundle and implements the <tt>Authenticator</tt> and <tt>AuthenticationSupport</tt> interfaces.</p>

<h3><a name="Authentication-AuthenticationSupportimplementation"></a>AuthenticationSupport implementation</h3>

<p>The <tt>AuthenticationSupport.handleSecurity</tt> method is intended to be called to implement the <tt>HttpContext.handleSecurity</tt> method. It selects an <tt>AuthenticationHandler</tt> service appropriate for the request and calls the handler's <tt>extractCredentials</tt> method to extract the credentials from the request. If no credentials could be extracted, the <tt>handleSecurity</tt> method can either admit the request as an anonymous request or request authentication from the client by calling its own <tt>login</tt> method.</p>

<p>The implementation follows this algorithm:</p>

<ul>
	<li>Select one or more <tt>AuthenticationHandler</tt> for the request according to the request URL's scheme and authority (host/port) part.</li>
	<li>Call the <tt>extractCredentials</tt> method of each selected authentication handler, where the order of the handler calls is defined by the length of the registered path: handlers registered with longer paths are called before handlers with shorter paths. The goal is to call the handlers in order from longest request path match to shortest match. Handlers not matching the request path at all are not called.</li>
	<li>The first handler returning a non-<tt>null</tt> <tt>AuthenticationInfo</tt> result "wins" and the result is used for authentication.</li>
	<li>If no handler returns a non-<tt>null</tt> result, the request may be handled anonymously.</li>
	<li>(Try to) log into the repository either with the provided credentials or anonymously.</li>
	<li>Set the request attributes listed below.</li>
</ul>

<p>Extracting the credentials and trying to login to the repository may yield the following results:</p>

<table class='confluenceTable'><tbody>
<tr>
<th class='confluenceTh'> Credentials </th>
<th class='confluenceTh'> Login </th>
<th class='confluenceTh'> Consequence </th>
</tr>
<tr>
<td class='confluenceTd'> present </td>
<td class='confluenceTd'> successful </td>
<td class='confluenceTd'> Continue with an authenticated request </td>
</tr>
<tr>
<td class='confluenceTd'> present </td>
<td class='confluenceTd'> failed </td>
<td class='confluenceTd'> Select <tt>AuthenticationHandler</tt> and call <tt>requestCredentials</tt> method </td>
</tr>
<tr>
<td class='confluenceTd'> missing </td>
<td class='confluenceTd'> anonymous allowed </td>
<td class='confluenceTd'> Continue with a non-authenticated request using anonymous access to the repository </td>
</tr>
<tr>
<td class='confluenceTd'> missing </td>
<td class='confluenceTd'> anonymous forbidden </td>
<td class='confluenceTd'> Select <tt>AuthenticationHandler</tt> and call <tt>requestCredentials</tt> method </td>
</tr>
</tbody></table>

<div class='panelMacro'><p><b>Note:</b> Only one <tt>AuthenticationHandler</tt> is able to provide credentials for a given request. If the credentials provided by the handler cannot be used to login to the repository, authentication fails and no further <tt>AuthenticationHandler</tt> is consulted.</p></div>

<h4><a name="Authentication-RequestAttributesonSuccessfullLogin"></a>Request
Attributes on Successfull Login</h4>

<p>The <tt>handleSecurity</tt> method gets credentials from the <tt>AuthenticationHandler</tt>
and logs into the JCR repository using those credentials. If the login is successful, the
<tt>SlingAuthenticator</tt> sets the following request attributes:</p>

<table class='confluenceTable'><tbody>
<tr>
<th class='confluenceTh'> Attribute </th>
<th class='confluenceTh'> Description </th>
</tr>
<tr>
<td class='confluenceTd'> <tt>org.osgi.service.http.authentication.remote.user</tt> </td>
<td class='confluenceTd'> The user ID of the JCR Session. This attribute is used by the HTTP Service implementation to implement the <tt>HttpServletRequest.getRemoteUser</tt> method. </td>
</tr>
<tr>
<td class='confluenceTd'> <tt>org.osgi.service.http.authentication.type</tt> </td>
<td class='confluenceTd'> The authentication type defined by the <tt>AuthenticationHandler</tt>. This attribute is used by the HTTP Service implementation to implement the <tt>HttpServletRequest.getAuthType</tt> method. </td>
</tr>
<tr>
<td class='confluenceTd'> <tt></tt> </td>
<td class='confluenceTd'> The <tt>ResourceResolver</tt> created from the credentials and the logged-in JCR Session. This attribute may be used by servlets to access the repository. Namely the <tt>SlingMainServlet</tt> uses this request attribute to provide the <tt>ResourceResolver</tt> to handle the request. </td>
</tr>
<tr>
<td class='confluenceTd'> <tt>javax.jcr.Session</tt> </td>
<td class='confluenceTd'> The JCR Session. This attribute exists for some level of backwards compatibility. <b>Its use is deprecated and the attribute may be removed in future versions</b>. </td>
</tr>
</tbody></table>

<p><b>NOTE</b>: Do <em>NOT</em> use the <tt>javax.jcr.Session</tt> request attribute in your Sling applications. This attribute must be considered an implementation-specific means to convey the JCR Session to the <tt>SlingMainServlet</tt>. In future versions of the Sling Commons Auth bundle, this request attribute may not be present anymore. To get the JCR Session for the current request, adapt the request's resource resolver to a JCR Session:</p>

<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-java">
Session session = request.getResourceResolver().adaptTo(Session.class);

<h4><a name="Authentication-AnonymousLogin"></a>Anonymous Login</h4>

<p>The <tt>SlingAuthenticator</tt> provides a high level of control with respect to allowing anonymous requests or requiring authentication up front:</p>

<ul>
	<li>Global setting of whether anonymous requests are allowed or not. This is the value of the <em>Allow Anonymous Access</em> (<tt>auth.annonymous</tt>) property of the <tt>SlingAuthenticator</tt> configuration. This property is supported for backwards compatibility and defaults to <tt>true</tt> (allowing anonymous access).</li>
	<li>Specific configuration per URL. The <em>Authentication Requirements</em> (<tt>sling.auth.requirements</tt>) property of the <tt>SlingAuthenticator</tt> configuration may provide a list of URLs for which authentication may be required or not: Any entry prefixed with a dash <tt>-</tt> defines a subtree for which authentication is not required. Any entry not prefixed with a dash or prefixed with a plus <tt>+</tt> defines a subtree for which authentication is required up front and thus anonymous access is not allowed. This list is empty by default.</li>
	<li>Any OSGi service may provide a <tt>sling.auth.requirements</tt> registration property which is used to dynamically extend the authentication requirements from the <em>Authentication Requirements</em> configuration. This may for example be set by <tt>AuthenticationHandler</tt> implementations providing a login form to ensure access to the login form does not require authentication. The value of this property is a single string, an array of strings or a Collection of strings and is formatted in the same way as the <em>Authentication Requirements</em> configuration property.</li>
</ul>

<p>The URLs set on the <em>Authentication Requirements</em> configuration
property or the <tt>sling.auth.requirements</tt> service registration property
can be absolute paths or URLs like the <tt>path</tt> service registration property
of <tt>AuthenticationHandler</tt> services. This allows the limitation of this
setup to certain requests by scheme and/or virtual host address.</p>


<p>Examples:</p>

<ul>
	<li>The <tt>LoginServlet</tt> contained in the Commons Auth bundle registers itself with the service registration property <tt>sling.auth.requirements = "-/system/sling/login"</tt> to ensure the servlet can be accessed without requiring authentication.</li>
	<li>An authentication handler may register itself with the service registration property <tt>sling.auth.requirements = "-/apps/sample/loginform"</tt> to ensure the login form can be rendered without requiring authentication.</li>
</ul>
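<p>The following is an added example, not code from the Sling Commons Auth bundle, of how such a merged requirements list can be evaluated for a request path. It restricts itself to plain absolute paths (the scheme/host forms are left out), treats a request as inside a subtree only when the subtree is a whole path segment prefix, and assumes that the most specific (longest) matching entry wins when a <tt>-</tt> entry lies inside a <tt>+</tt> subtree; the configuration in <tt>main</tt> is constructed for the example.</p>

```java
import java.util.Arrays;
import java.util.List;

public class AuthRequirements {

    private final boolean anonymousAllowed;   // the auth.annonymous configuration property
    private final List<String> requirements;  // merged sling.auth.requirements entries

    public AuthRequirements(boolean anonymousAllowed, String... requirements) {
        this.anonymousAllowed = anonymousAllowed;
        this.requirements = Arrays.asList(requirements);
    }

    /** Strips the optional leading "+" or "-" and returns the bare subtree path. */
    static String subtree(String entry) {
        return (entry.startsWith("+") || entry.startsWith("-")) ? entry.substring(1) : entry;
    }

    /** True when requestPath is the subtree root itself or lies below it ("/a" matches "/a/b", not "/ab"). */
    static boolean inSubtree(String subtree, String requestPath) {
        return requestPath.equals(subtree)
            || requestPath.startsWith(subtree.endsWith("/") ? subtree : subtree + "/");
    }

    /**
     * Decides whether authentication has to be required up front for requestPath.
     * Assumption of this example: the most specific (longest) matching entry wins,
     * so "-/system/sling/login" can open a path inside a "+/system" subtree.
     * Without any matching entry the global auth.annonymous setting decides.
     */
    public boolean authenticationRequired(String requestPath) {
        String best = null;
        for (String entry : requirements) {
            String sub = subtree(entry);
            if (inSubtree(sub, requestPath) && (best == null || sub.length() > subtree(best).length())) {
                best = entry;
            }
        }
        if (best == null) {
            return !anonymousAllowed;
        }
        return !best.startsWith("-");   // "-" opens the subtree; "+" or no sign closes it
    }

    public static void main(String[] args) {
        // Constructed configuration for the example: anonymous access globally allowed,
        // one protected subtree, and the two "-" entries from the examples above.
        AuthRequirements reqs = new AuthRequirements(true,
                "+/content/secure", "-/system/sling/login", "-/apps/sample/loginform");
        String[] paths = { "/content/public/index.html", "/content/secure",
                "/content/secure/report.pdf", "/content/secured.html",
                "/system/sling/login", "/apps/sample/loginform" };
        for (String p : paths) {
            System.out.println(p + " -> "
                    + (reqs.authenticationRequired(p) ? "login required" : "anonymous ok"));
        }
    }
}
```

<p>The segment-boundary test in <tt>inSubtree</tt> is this example's choice; the table for the <tt>path</tt> property below only says that the request path must be prefixed with the configured path. If the deployed bundle uses a raw prefix test, <tt>/content/secured.html</tt> would fall under <tt>+/content/secure</tt> and, more importantly, <tt>-/apps/sample/loginform</tt> would also open <tt>/apps/sample/loginform2</tt>. Check which behaviour the bundle in use has before relying on a <tt>-</tt> entry to open only one path.</p>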

<h3><a name="Authentication-Authenticatorimplementation"></a>Authenticator

<p>The implementation of the <tt>Authenticator</tt> interface is similar for both methods. For the <tt>login</tt> method:</p>

<ul>
	<li>Select one or more <tt>AuthenticationHandler</tt> for the request according to the request URL's scheme and authority (host/port) part.</li>
	<li>Call the <tt>requestCredentials</tt> method of each selected authentication handler, where the order of the handler calls is defined by the length of the registered path: handlers registered with longer paths are called before handlers with shorter paths. The goal is to call the handlers in order from longest request path match to shortest match. Handlers not matching the request path at all are not called.</li>
	<li>As soon as the first handler returns <tt>true</tt>, the process ends and it is assumed credentials have been requested from the client.</li>
</ul>

<p>The <tt>login</tt> method has three possible exit states:</p>

<table class='confluenceTable'><tbody>
<tr>
<th class='confluenceTh'> Exit State </th>
<th class='confluenceTh'> Description </th>
</tr>
<tr>
<td class='confluenceTd'> Normal </td>
<td class='confluenceTd'> An <tt>AuthenticationHandler</tt> could be selected to which the login request could be forwarded. </td>
</tr>
<tr>
<td class='confluenceTd'> <tt>NoAuthenticationHandlerException</tt> </td>
<td class='confluenceTd'> No <tt>AuthenticationHandler</tt> could be selected to forward the login request to. In this case, the caller can proceed as appropriate. For example a servlet which should just login a user may send back a 403/FORBIDDEN status because login is not possible. Or a 404/NOT FOUND handler which tried to login as a fallback may continue and send back the regular 404/NOT FOUND response. </td>
</tr>
<tr>
<td class='confluenceTd'> <tt>IllegalStateException</tt> </td>
<td class='confluenceTd'> The response has already been committed and the login request cannot be processed. Normally, to request login, the current response must be reset and a new response has to be prepared. This is only possible if the response has not yet been committed. </td>
</tr>
</tbody></table>
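<p>An added example, not code from the Sling project, of a servlet that relies on the <tt>Authenticator</tt> service and handles all three exit states. The package names <tt>org.apache.sling.commons.auth.Authenticator</tt> and <tt>org.apache.sling.commons.auth.NoAuthenticationHandlerException</tt> are assumed from the class names on this page, and the way the service reference reaches the servlet (here a constructor argument) is also an assumption; a real deployment would obtain it from the OSGi service registry.</p>

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.sling.commons.auth.Authenticator;               // assumed package
import org.apache.sling.commons.auth.NoAuthenticationHandlerException; // assumed package

/**
 * A servlet that only serves authenticated users. It never talks to an
 * AuthenticationHandler directly; it only asks the Authenticator service.
 */
public class RequireLoginServlet extends HttpServlet {

    private final Authenticator authenticator;

    public RequireLoginServlet(Authenticator authenticator) {   // injection style is an assumption
        this.authenticator = authenticator;
    }

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {

        // getAuthType() is null when handleSecurity admitted the request anonymously.
        // This check runs before anything is written, so the response is still uncommitted.
        if (request.getAuthType() == null) {
            requestLogin(request, response);
            return;
        }

        response.setContentType("text/plain");
        response.getWriter().println("Hello " + request.getRemoteUser());
    }

    /** Maps the three exit states of Authenticator.login to HTTP behaviour. */
    private void requestLogin(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        try {
            // Normal exit: a handler was selected and has already written the
            // challenge (401, login form, redirect) into the response.
            authenticator.login(request, response);
        } catch (NoAuthenticationHandlerException e) {
            // No handler applies to this URL: login is impossible, refuse the request.
            if (!response.isCommitted()) {
                response.sendError(HttpServletResponse.SC_FORBIDDEN,
                        "Login not possible for this resource");
            }
        } catch (IllegalStateException e) {
            // The response was already committed, so no challenge can be sent any more.
            // Record it; whatever was started is what the client receives.
            log("Cannot request login, response already committed for "
                    + request.getRequestURI(), e);
        }
    }
}
```

<p>The order matters: the <tt>getAuthType</tt> check happens before any output, which is what keeps the <tt>IllegalStateException</tt> branch from being the normal path. A servlet that writes a partial body and only then decides it needs a login will always end up in that branch.</p>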

<p>For the <tt>logout</tt> method:</p>

<ul>
	<li>Select one or more <tt>AuthenticationHandler</tt> for the request according to the request URL's scheme and authority (host/port) part.</li>
	<li>Call the <tt>dropCredentials</tt> method of each selected authentication handler, where the order of the handler calls is defined by the length of the registered path: handlers registered with longer paths are called before handlers with shorter paths. The goal is to call the handlers in order from longest request path match to shortest match. Handlers not matching the request path at all are not called.</li>
</ul>

<p>Unlike the <tt>login</tt> method, the <tt>logout</tt> method calls all <tt>AuthenticationHandler</tt> services selected in the first step. If none can be selected or none can actually handle the <tt>dropCredentials</tt> request, <tt>logout</tt> silently returns.</p>

<h2><a name="Authentication-AuthenticationHandler"></a>AuthenticationHandler</h2>

<p>The <tt>AuthenticationHandler</tt> interface defines the service API
which may be implemented by authentication handlers registered as OSGi services. The <tt>AuthenticationHandler</tt>
services have a single required service registration property which is used to identify requests
to which the <tt>AuthenticationHandler</tt> service is applicable:</p>

<table class='confluenceTable'><tbody>
<tr>
<td class='confluenceTd'> <tt>path</tt> </td>
<td class='confluenceTd'> One or more (array or vector) string values indicating the request URLs to which the <tt>AuthenticationHandler</tt> is applicable. </td>
</tr>
</tbody></table>

<p>Each path may be an absolute URL, a URL with just the host/port and path, or just a plain absolute path:</p>

<table class='confluenceTable'><tbody>
<tr>
<th class='confluenceTh'> URL part </th>
<th class='confluenceTh'> Scheme </th>
<th class='confluenceTh'> Host/Port </th>
<th class='confluenceTh'> Path </th>
</tr>
<tr>
<td class='confluenceTd'> Absolute URL </td>
<td class='confluenceTd'> must match </td>
<td class='confluenceTd'> must match </td>
<td class='confluenceTd'> request URL path is prefixed with the path </td>
</tr>
<tr>
<td class='confluenceTd'> Host/Port with Path </td>
<td class='confluenceTd'> ignored </td>
<td class='confluenceTd'> must match </td>
<td class='confluenceTd'> request URL path is prefixed with the path </td>
</tr>
<tr>
<td class='confluenceTd'> Path </td>
<td class='confluenceTd'> ignored </td>
<td class='confluenceTd'> ignored </td>
<td class='confluenceTd'> request URL path is prefixed with the path </td>
</tr>
</tbody></table>

<p>When looking for an <tt>AuthenticationHandler</tt> the authentication
handler is selected whose path is the longest match on the request URL. If the service is
registered with Scheme and Host/Port, these must exactly match for the service to be eligible.</p>

<p>The value of the <tt>path</tt> service registration property which triggered the call to any of the <tt>AuthenticationHandler</tt> methods is available as the <tt>path</tt> request attribute (for the duration of the method call only). If the service is registered with multiple path values, the value of the <tt>path</tt> request attribute may be used to implement specific handling.</p>
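<p>The selection rules above, as an added example that is not code from the Sling Commons Auth bundle: it parses the three forms of the <tt>path</tt> property from the table, applies the exact-match rule for scheme and host/port and the prefix rule for the path, and orders the applicable handlers longest matching path first, carrying along the path value that would become the <tt>path</tt> request attribute. The handler names, registrations and requests in <tt>main</tt> are constructed for the example.</p>

```java
import java.net.URI;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Comparator;
import java.util.List;

public class HandlerSelection {

    /** One value of an AuthenticationHandler "path" service registration property. */
    static final class PathSpec {
        final String scheme;    // null unless the value is an absolute URL
        final String hostPort;  // null unless the value carries host/port
        final String path;      // the path prefix, always present

        PathSpec(String spec) {
            if (spec.startsWith("/")) {                  // plain absolute path
                scheme = null; hostPort = null; path = spec;
            } else if (spec.contains("://")) {           // absolute URL
                URI u = URI.create(spec);
                scheme = u.getScheme(); hostPort = u.getAuthority(); path = u.getPath();
            } else {                                      // host/port followed by a path
                int slash = spec.indexOf('/');
                scheme = null;
                hostPort = slash < 0 ? spec : spec.substring(0, slash);
                path = slash < 0 ? "/" : spec.substring(slash);
            }
        }

        /** Scheme and host/port must match exactly when given; the path is a prefix test. */
        boolean matches(String reqScheme, String reqHostPort, String reqPath) {
            if (scheme != null && !scheme.equalsIgnoreCase(reqScheme)) return false;
            if (hostPort != null && !hostPort.equalsIgnoreCase(reqHostPort)) return false;
            return reqPath.startsWith(path);
        }
    }

    /** A registered handler: its name and the parsed values of its "path" property. */
    static final class Handler {
        final String name;
        final List<PathSpec> paths = new ArrayList<PathSpec>();
        Handler(String name, String... specs) {
            this.name = name;
            for (String s : specs) paths.add(new PathSpec(s));
        }
    }

    /** A selected handler plus the path value that selected it (the "path" request attribute). */
    static final class Match {
        final Handler handler;
        final String path;
        Match(Handler handler, String path) { this.handler = handler; this.path = path; }
    }

    /** Returns the handlers applicable to the request, longest matching path first. */
    static List<Match> select(List<Handler> handlers, String scheme, String hostPort, String reqPath) {
        List<Match> result = new ArrayList<Match>();
        for (Handler h : handlers) {
            PathSpec best = null;   // a handler with several paths counts once, with its longest match
            for (PathSpec p : h.paths) {
                if (p.matches(scheme, hostPort, reqPath)
                        && (best == null || p.path.length() > best.path.length())) {
                    best = p;
                }
            }
            if (best != null) result.add(new Match(h, best.path));
        }
        Collections.sort(result, new Comparator<Match>() {
            public int compare(Match a, Match b) { return b.path.length() - a.path.length(); }
        });
        return result;
    }

    public static void main(String[] args) {
        // Constructed registrations: handler names and host names are invented for the example.
        List<Handler> handlers = new ArrayList<Handler>();
        handlers.add(new Handler("basic", "/"));
        handlers.add(new Handler("form", "/content", "https://intranet.example/admin"));
        handlers.add(new Handler("openid", "intranet.example/content/community"));

        String[][] requests = {
            { "https", "intranet.example", "/content/community/forum" },
            { "http",  "intranet.example", "/admin/console" },
            { "https", "intranet.example", "/admin/console" } };
        for (String[] r : requests) {
            StringBuilder line = new StringBuilder(r[0] + "://" + r[1] + r[2] + " ->");
            for (Match m : select(handlers, r[0], r[1], r[2])) {
                line.append(' ').append(m.handler.name).append('(').append(m.path).append(')');
            }
            System.out.println(line);
        }
    }
}
```

<p>The returned order is what <tt>extractCredentials</tt> (stop at the first non-<tt>null</tt> result), <tt>requestCredentials</tt> (stop at the first <tt>true</tt>) and <tt>dropCredentials</tt> (call all of them) would iterate over. Note that the second request is only offered to <tt>basic</tt>: the <tt>form</tt> handler's <tt>https://intranet.example/admin</tt> value requires the scheme to match, so a plain-HTTP request to <tt>/admin</tt> does not reach it.</p>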

<h3><a name="Authentication-Sampleimplementations"></a>Sample implementations</h3>

<h4><a name="Authentication-HTTPBasicAuthenticationHandler"></a>HTTP Basic
Authentication Handler</h4>

<ul>
	<li><tt>extractCredentials</tt> &#8211; Get user name and password from the <tt>Authorization</tt> HTTP header</li>
	<li><tt>requestCredentials</tt> &#8211; Send a 401/UNAUTHORIZED status with a <tt>WWW-Authenticate</tt> response header setting the Realm</li>
	<li><tt>dropCredentials</tt> &#8211; Send a 401/UNAUTHORIZED status with a <tt>WWW-Authenticate</tt> response header setting the Realm</li>
</ul>

<p>Interestingly the <tt>dropCredentials</tt> method is implemented in the same way as the <tt>requestCredentials</tt> method. The reason for this is that HTTP Basic authentication has no notion of login and logout. Rather, a request is either accompanied by an <tt>Authorization</tt> header or not. The contents of this header are usually cached by the client browser. So logout is actually simulated by sending a 401/UNAUTHORIZED status, causing the client browser to clear its cache and ask for user name and password again.</p>
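<p>An added example of such a handler, not the Sling project's own HTTP Basic handler. It assumes that the <tt>AuthenticationHandler</tt> and <tt>AuthenticationInfo</tt> types live in the package <tt>org.apache.sling.commons.auth.spi</tt>, that <tt>AuthenticationInfo</tt> has a constructor taking the authentication type, user name and password, and that <tt>requestCredentials</tt> and <tt>dropCredentials</tt> may declare <tt>IOException</tt>; <tt>java.util.Base64</tt> needs Java 8 or later. The realm is taken from trusted configuration.</p>

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.sling.commons.auth.spi.AuthenticationHandler; // assumed package
import org.apache.sling.commons.auth.spi.AuthenticationInfo;    // assumed package and constructor

public class BasicAuthenticationHandler implements AuthenticationHandler {

    private final String realm;   // must not contain a double quote, it is placed inside one

    public BasicAuthenticationHandler(String realm) {
        this.realm = realm;
    }

    /** Parses "Authorization: Basic base64(user:password)"; null when absent or malformed. */
    public AuthenticationInfo extractCredentials(HttpServletRequest request, HttpServletResponse response) {
        String header = request.getHeader("Authorization");
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) {
            return null;   // no Basic credentials: the next handler or the anonymous rules decide
        }
        String decoded;
        try {
            decoded = new String(Base64.getDecoder().decode(header.substring(6).trim()),
                    StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            return null;   // garbage after "Basic " counts as no credentials at all
        }
        int colon = decoded.indexOf(':');
        if (colon <= 0) {
            return null;   // the user name is mandatory, the password may be empty
        }
        String user = decoded.substring(0, colon);
        char[] password = decoded.substring(colon + 1).toCharArray();
        return new AuthenticationInfo(HttpServletRequest.BASIC_AUTH, user, password);
    }

    /** Asks the client for credentials: 401 plus the WWW-Authenticate challenge. */
    public boolean requestCredentials(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        if (response.isCommitted()) {
            return false;   // a challenge can no longer be sent
        }
        response.setHeader("WWW-Authenticate", "Basic realm=\"" + realm + "\"");
        response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
        return true;
    }

    /** Basic has no logout; re-challenging makes the browser drop its cached credentials. */
    public void dropCredentials(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        requestCredentials(request, response);
    }
}
```

<p>Two points worth checking when deploying something like this: a malformed header makes <tt>extractCredentials</tt> return <tt>null</tt>, which per the Credentials/Login table above is the "missing" case and may let the request through anonymously rather than rejecting it; and Base64 is an encoding, not encryption, so the user name and password cross the wire in the clear unless the handler is only reachable over TLS.</p>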

<h4><a name="Authentication-FormBasedAuthenticationHandler"></a>Form Based Authentication Handler</h4>

<ul>
	<li><tt>extractCredentials</tt> &#8211; Get user name and password with the help of a special cookie (note that the cookie should of course not contain this data itself, but refer to it in an internal store of the authentication handler). If the cookie is not set, check for specific login parameters to set up the cookie.</li>
	<li><tt>requestCredentials</tt> &#8211; Send the login form for the user to provide the login parameters.</li>
	<li><tt>dropCredentials</tt> &#8211; Clear the authentication cookie and the internal store.</li>
</ul>

<h4>Footnotes</h4>

<p id='Footnote1'><sup><a name='Footnote1' href='#FootnoteMarker1' title='Footnote: Click to return to reference in text'>1</a></sup> Currently the credentials are always verified by trying to login to the JCR repository. Once a <a href="" rel="nofollow">ResourceResolverFactory</a> API has been added, the process of logging in is actually replaced by a process of requesting a <tt>ResourceResolver</tt> from the <tt>ResourceResolverFactory</tt>.</p>
     <div id="commentsSection" class="wiki-content pageSection">
       <div style="float: right;">
            <a href=""
class="grey">Change Notification Preferences</a>

       <a href="">View
       <a href="">View
       <a href=";showCommentArea=true#addcomment">Add

View raw message