incubator-sling-commits mailing list archives

From conflue...@apache.org
Subject [CONF] Apache Sling Website > Authentication - AuthenticationHandler
Date Mon, 01 Feb 2010 11:43:00 GMT
<html>
<head>
    <base href="http://cwiki.apache.org/confluence">
            <link rel="stylesheet" href="/confluence/s/1519/1/1/_/styles/combined.css?spaceKey=SLINGxSITE&amp;forWysiwyg=true"
type="text/css">
    </head>
<body style="background-color: white" bgcolor="white">
<div id="pageContent">
<div id="notificationFormat">
<div class="wiki-content">
<div class="email">
    <h2><a href="http://cwiki.apache.org/confluence/display/SLINGxSITE/Authentication+-+AuthenticationHandler">Authentication
- AuthenticationHandler</a></h2>
    <h4>Page  <b>added</b> by             <a href="http://cwiki.apache.org/confluence/display/~fmeschbe">Felix
Meschberger</a>
    </h4>
         <br/>
    <div class="notificationGreySide">
         <h1><a name="Authentication-AuthenticationHandler-AuthenticationHandler"></a>AuthenticationHandler</h1>

<p>The <tt>AuthenticationHandler</tt> interface defines the service API
which may be implemented by authentication handlers registered as OSGi services. The <tt>AuthenticationHandler</tt>
services have a single required service registration property which is used to identify requests
to which the <tt>AuthenticationHandler</tt> service is applicable:</p>

<table class='confluenceTable'><tbody>
<tr>
<td class='confluenceTd'> <tt>path</tt> </td>
<td class='confluenceTd'> One or more (array or vector) string values indicating the
request URLs to which the <tt>AuthenticationHandler</tt> is applicable. </td>
</tr>
</tbody></table>

<p>Each path may be an absolute URL, a URL with just the host/port and path, or just
a plain absolute path:</p>

<table class='confluenceTable'><tbody>
<tr>
<td class='confluenceTd'> URL part </td>
<td class='confluenceTd'> Scheme </td>
<td class='confluenceTd'> Host/Port </td>
<td class='confluenceTd'> Path </td>
</tr>
<tr>
<td class='confluenceTd'> Absolute URL </td>
<td class='confluenceTd'> must match </td>
<td class='confluenceTd'> must match </td>
<td class='confluenceTd'> request URL path is prefixed with the path </td>
</tr>
<tr>
<td class='confluenceTd'> Host/Port with Path </td>
<td class='confluenceTd'> ignored </td>
<td class='confluenceTd'> must match </td>
<td class='confluenceTd'> request URL path is prefixed with the path </td>
</tr>
<tr>
<td class='confluenceTd'> Path </td>
<td class='confluenceTd'> ignored </td>
<td class='confluenceTd'> ignored </td>
<td class='confluenceTd'> request URL path is prefixed with the path </td>
</tr>
</tbody></table>

<p>When looking for an <tt>AuthenticationHandler</tt> the authentication
handler is selected whose path is the longest match on the request URL. If the service is
registered with Scheme and Host/Port, these must exactly match for the service to be eligible.</p>

<p>The value of the <tt>path</tt> service registration property that triggered
the call to any of the <tt>AuthenticationHandler</tt> methods is available as
the <tt>path</tt> request attribute (for the duration of the method call only). If
the service is registered with multiple path values, the value of the <tt>path</tt>
request attribute may be used to implement specific handling.</p>
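<p>The matching table and the longest-match rule above, worked through as an added example (not Sling's own code). The class and method names are hypothetical, and the host/port form is assumed to be written as <tt>//host:port/path</tt>:</p>

```java
import java.util.List;
public class HandlerPathSelection {
    /** One parsed value of the path property; a null part means "ignored". */
    record Registration(String scheme, String hostPort, String path) {
        static Registration parse(String value) {
            String scheme = null, hostPort = null, rest = value;
            int p = rest.indexOf("://");
            if (p > 0) {                          // absolute URL: scheme present
                scheme = rest.substring(0, p);
                rest = rest.substring(p + 1);     // leaves "//host:port/path"
            }
            if (rest.startsWith("//")) {          // host/port present (assumed syntax)
                int slash = rest.indexOf('/', 2);
                hostPort = slash < 0 ? rest.substring(2) : rest.substring(2, slash);
                rest = slash < 0 ? "/" : rest.substring(slash);
            }
            return new Registration(scheme, hostPort, rest);
        }

        boolean matches(String reqScheme, String reqHostPort, String reqPath) {
            if (scheme != null && !scheme.equalsIgnoreCase(reqScheme)) return false;
            if (hostPort != null && !hostPort.equalsIgnoreCase(reqHostPort)) return false;
            return reqPath.startsWith(path);      // plain string prefix, as in the table
        }
    }

    /** Returns the registered value whose path is the longest match, or null. */
    static String select(List<String> registered, String scheme, String hostPort, String path) {
        String best = null;
        int bestLen = -1;
        for (String value : registered) {
            Registration r = Registration.parse(value);
            if (r.matches(scheme, hostPort, path) && r.path().length() > bestLen) {
                best = value;
                bestLen = r.path().length();
            }
        }
        return best;
    }

    public static void main(String[] args) {
        // Constructed registrations: plain path, host/port with path, absolute URL.
        List<String> registered = List.of("/", "/content",
                "//intranet.example:8080/content/secure", "https://www.example.org/content/secure/admin");
        System.out.println(select(registered, "https", "www.example.org", "/content/secure/admin/users"));
        System.out.println(select(registered, "http", "www.example.org", "/content/secure/admin/users"));
        System.out.println(select(registered, "http", "intranet.example:8080", "/content/secure/x"));
    }
}
```

<p>In this sketch the comparison is a plain string prefix, so a value such as <tt>/content</tt> also covers a request for <tt>/content2</tt>; the second call shows a request falling back to a shorter, less specific registration when the scheme of the absolute URL does not match.</p>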


<h3><a name="Authentication-AuthenticationHandler-Sampleimplementations"></a>Sample
implementations</h3>


<h4><a name="Authentication-AuthenticationHandler-HTTPBasicAuthenticationHandler"></a>HTTP
Basic Authentication Handler</h4>

<ul>
	<li><tt>extractCredentials</tt> &#8211; Get user name and password
from the <tt>Authorization</tt> HTTP header</li>
	<li><tt>requestCredentials</tt> &#8211; Send a 401/UNAUTHORIZED status
with <tt>WWW-Authenticate</tt> response header setting the Realm</li>
	<li><tt>dropCredentials</tt> &#8211; Send a 401/UNAUTHORIZED status
with <tt>WWW-Authenticate</tt> response header setting the Realm</li>
</ul>


<p>Interestingly, the <tt>dropCredentials</tt> method is implemented in the
same way as the <tt>requestCredentials</tt> method. The reason is that
HTTP Basic authentication has no notion of login and logout: a request is either
accompanied by an <tt>Authorization</tt> header or it is not. The contents of this
header are usually cached by the client browser, so logout is simulated by sending
a 401/UNAUTHORIZED status, causing the client browser to clear the cache and ask for user
name and password.</p>


<h4>Form Based Authentication Handler</h4>


<ul>
	<li><tt>extractCredentials</tt> &#8211; Get user name and password
with the help of a special cookie (note that the cookie should of course not contain this
data, but refer to it in an internal store of the authentication handler). If the cookie is
not set, check for specific login parameters to set up the cookie.</li>
	<li><tt>requestCredentials</tt> &#8211; Send the login form for the
user to provide the login parameters.</li>
	<li><tt>dropCredentials</tt> &#8211; Clear the authentication cookie
and internal store.</li>
</ul>

    </div>
</div>
</div>
</div>
</div>
</body>
</html>
