incubator-sling-commits mailing list archives

Subject [CONF] Apache Sling Website > Authentication - AuthenticationHandler
Date Thu, 11 Feb 2010 11:34:00 GMT
<body style="background-color: white" bgcolor="white">
<div id="pageContent">
<div id="notificationFormat">
<div class="wiki-content">
<div class="email">
     <h2><a href="">Authentication
- AuthenticationHandler</a></h2>
     <h4>Page <b>edited</b> by <a href="">Felix</a></h4>
     clarify about using service ranking (as of SLING-1368)
     <div class="notificationGreySide">
         <h1><a name="Authentication-AuthenticationHandler-AuthenticationHandler"></a>AuthenticationHandler</h1>

<p>The <tt>AuthenticationHandler</tt> interface defines the service API
which may be implemented by authentication handlers registered as OSGi services.</p>

<p><tt>AuthenticationHandler</tt> services have a single required service
registration property which is used to identify requests to which the <tt>AuthenticationHandler</tt>
service is applicable:</p>

<table class='confluenceTable'><tbody>
<tr>
<td class='confluenceTd'> <tt>path</tt> </td>
<td class='confluenceTd'> One or more (array or vector) string values indicating the
request URLs to which the <tt>AuthenticationHandler</tt> is applicable. </td>
</tr>
</tbody></table>

<p>Each path may be an absolute URL, a URL with just the host/port and path, or just
a plain absolute path:</p>

<table class='confluenceTable'><tbody>
<tr>
<td class='confluenceTd'> URL part </td>
<td class='confluenceTd'> Scheme </td>
<td class='confluenceTd'> Host/Port </td>
<td class='confluenceTd'> Path </td>
</tr>
<tr>
<td class='confluenceTd'> Absolute URL </td>
<td class='confluenceTd'> must match </td>
<td class='confluenceTd'> must match </td>
<td class='confluenceTd'> request URL path is prefixed with the path </td>
</tr>
<tr>
<td class='confluenceTd'> Host/Port with Path </td>
<td class='confluenceTd'> ignored </td>
<td class='confluenceTd'> must match </td>
<td class='confluenceTd'> request URL path is prefixed with the path </td>
</tr>
<tr>
<td class='confluenceTd'> Path </td>
<td class='confluenceTd'> ignored </td>
<td class='confluenceTd'> ignored </td>
<td class='confluenceTd'> request URL path is prefixed with the path </td>
</tr>
</tbody></table>

<p>When looking for an <tt>AuthenticationHandler</tt>, the handler whose path is the
longest match on the request URL is selected. If the service is registered with Scheme and
Host/Port, these must exactly match for the service to be eligible. If multiple
<tt>AuthenticationHandler</tt> services are registered with matching paths of the same
length, the handler with the higher service ranking is selected<sup id='FootnoteMarker1'><a name='FootnoteMarker1' href='#Footnote1'>1</a></sup>.</p>
<p>The value of the <tt>path</tt> service registration property that triggered
the call to any of the <tt>AuthenticationHandler</tt> methods is available as
the <tt>path</tt> request attribute (for the duration of the method call only). If
the service is registered with multiple path values, the value of the <tt>path</tt>
request attribute may be used to implement specific handling.</p>
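<p>The selection rules above (scheme and host/port matching, longest path prefix, service ranking as tie-breaker), as an added sketch that is not Sling's own code. The class, the handler names and the sample registrations are hypothetical, and writing a host/port-with-path value as <tt>//host:port/path</tt> is an assumption, since the page does not give the syntax.</p>

```java
import java.net.URI;
import java.util.Comparator;
import java.util.List;
import java.util.Optional;

public class HandlerSelection {

    /** One (path value, handler) registration; handler names are hypothetical. */
    record Registration(String handler, String path, int ranking) {

        /** Length of the matching path prefix, or -1 if this path does not apply. */
        int match(URI request) {
            // Assumption: host/port-with-path values are written //host:port/path,
            // so java.net.URI can parse all three forms from the table.
            URI reg = URI.create(path);
            if (reg.getScheme() != null && !reg.getScheme().equals(request.getScheme())) {
                return -1;                       // scheme given: must match
            }
            if (reg.getAuthority() != null && !reg.getAuthority().equals(request.getAuthority())) {
                return -1;                       // host/port given: must match
            }
            // Literal prefix test, as the table words it.
            return request.getPath().startsWith(reg.getPath()) ? reg.getPath().length() : -1;
        }
    }

    /** Longest matching path wins; equal lengths are decided by higher ranking. */
    static Optional<Registration> select(List<Registration> regs, URI request) {
        return regs.stream()
                .filter(r -> r.match(request) >= 0)
                .max(Comparator.comparingInt((Registration r) -> r.match(request))
                        .thenComparingInt(Registration::ranking));
    }

    public static void main(String[] args) {
        List<Registration> regs = List.of(        // constructed sample registrations
                new Registration("form", "/", 0),
                new Registration("basic", "/content", 0),
                new Registration("sso", "/content", 100),
                new Registration("console", "https://admin.example.com:8443/system", 0));
        for (String url : List.of(
                "http://www.example.com/content/page.html",        // two /content handlers tie on length
                "https://admin.example.com:8443/system/console",   // scheme, host and port all match
                "http://admin.example.com:8443/system/console")) { // scheme differs from the registration
            String chosen = select(regs, URI.create(url)).map(Registration::handler).orElse("none");
            System.out.println(url + " -> " + chosen);
        }
    }
}
```

<p>Because the prefix test is a plain string comparison in this sketch, a registration for <tt>/content</tt> also applies to a request path such as <tt>/contentious</tt>; whether the real implementation honours path segment boundaries is not covered by this page.</p>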

<h3><a name="Authentication-AuthenticationHandler-ImplementationsprovidedbySling"></a>Implementations
provided by Sling</h3>

<ul>
	<li><a href="/confluence/display/SLINGxSITE/Form+Based+AuthenticationHandler" title="Form Based AuthenticationHandler">Form Based AuthenticationHandler</a></li>
	<li><a href="/confluence/display/SLINGxSITE/OpenID+AuthenticationHandler" title="OpenID AuthenticationHandler">OpenID AuthenticationHandler</a></li>
</ul>

<h3><a name="Authentication-AuthenticationHandler-Sampleimplementations"></a>Sample
implementations</h3>

<h4><a name="Authentication-AuthenticationHandler-HTTPBasicAuthenticationHandler"></a>HTTP
Basic Authentication Handler</h4>

<ul>
	<li><tt>extractCredentials</tt> &#8211; Get user name and password
from the <tt>Authorization</tt> HTTP header</li>
	<li><tt>requestCredentials</tt> &#8211; Send a 401/UNAUTHORIZED status
with <tt>WWW-Authenticate</tt> response header setting the Realm</li>
	<li><tt>dropCredentials</tt> &#8211; Send a 401/UNAUTHORIZED status
with <tt>WWW-Authenticate</tt> response header setting the Realm</li>
</ul>

<p>Interestingly, the <tt>dropCredentials</tt> method is implemented in the
same way as the <tt>requestCredentials</tt> method. The reason is that
HTTP Basic authentication has no notion of login and logout. Rather, the request is
either accompanied by an <tt>Authorization</tt> header or it is not. The contents of this
header are usually cached by the client browser, so logout is simulated by sending
a 401/UNAUTHORIZED status, which causes the client browser to clear the cache and ask for user
name and password.</p>

<h4><a name="Authentication-AuthenticationHandler-FormBasedAuthenticationHandler"></a>Form
Based Authentication Handler</h4>

<ul>
	<li><tt>extractCredentials</tt> &#8211; Get user name and password
with the help of a special cookie (note that the cookie itself should not contain this
data, but refer to it in an internal store of the authentication handler). If the cookie is
not set, check for specific login parameters to set up the cookie.</li>
	<li><tt>requestCredentials</tt> &#8211; Send the login form for the
user to provide the login parameters.</li>
	<li><tt>dropCredentials</tt> &#8211; Clear the authentication cookie
and internal store.</li>
</ul>
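<p>The cookie-to-internal-store indirection described for the form based handler, as an added sketch that is not Sling's implementation. The class <tt>CredentialStore</tt>, its method names and the 30 minute lifetime are hypothetical; the cookie would carry only the random value returned by <tt>store</tt>.</p>

```java
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;

public class CredentialStore {
    /** Server-side entry; only the random key of this entry ever reaches the browser. */
    record Entry(String user, char[] password, Instant expires) {}

    private final Map<String, Entry> entries = new ConcurrentHashMap<>();
    private final SecureRandom random = new SecureRandom();
    private final Duration ttl;

    CredentialStore(Duration ttl) { this.ttl = ttl; }

    /** Login parameters were posted: keep them here, return the opaque cookie value. */
    String store(String user, char[] password) {
        byte[] raw = new byte[32];                       // 256 random bits per cookie value
        random.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        entries.put(token, new Entry(user, password.clone(), Instant.now().plus(ttl)));
        return token;
    }

    /** extractCredentials side: unknown, missing or expired cookie values yield empty. */
    Optional<Entry> lookup(String cookieValue) {
        Entry e = cookieValue == null ? null : entries.get(cookieValue);
        if (e != null && Instant.now().isAfter(e.expires())) {
            drop(cookieValue);
            e = null;
        }
        return Optional.ofNullable(e);
    }

    /** dropCredentials side: forget the entry and wipe the stored password. */
    void drop(String cookieValue) {
        Entry e = cookieValue == null ? null : entries.remove(cookieValue);
        if (e != null) Arrays.fill(e.password(), '\0');
    }

    public static void main(String[] args) {
        CredentialStore store = new CredentialStore(Duration.ofMinutes(30));
        String cookie = store.store("alice", "constructed-secret".toCharArray());
        System.out.println(store.lookup(cookie).map(Entry::user).orElse("anonymous"));
        store.drop(cookie);
        System.out.println(store.lookup(cookie).isPresent());
    }
}
```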

<p><table class='Footnotes' style='width: 100%; border:none;' cellspacing='0' cellpadding='0'
summary='This table contains one or more notes for references made elsewhere on the page.'>
  <caption class='accessibility'>Footnotes</caption>
  <thead class='accessibility'>
    <tr class='accessibility'>
      <th class='accessibility' id='footnote-th1'>Reference</th>
      <th class='accessibility' id='footnote-th2'>Notes</th>
    </tr>
  </thead>
  <tbody>
    <tr name='Footnote1'>
      <td valign='top' class='FootnoteNum' headings='footnote-th1'>
        <a href='#FootnoteMarker1'
          title='Footnote: Click to return to reference in text'>1</a>
      </td>
      <td id='Footnote1'>
          Service ranking is defined by the OSGi Core Specification as follows: <em>If
multiple qualifying service interfaces exist, a service with the highest <tt>service.ranking</tt>
number, or when equal to the lowest <tt></tt>, determines which service
object is returned by the Framework</em>.
      </td>
    </tr>
  </tbody>
</table> </p>