incubator-sling-commits mailing list archives

Subject [CONF] Apache Sling Website > Authentication - Actors
Date Mon, 01 Feb 2010 11:31:00 GMT
<body style="background-color: white" bgcolor="white">
<div id="pageContent">
<div id="notificationFormat">
<div class="wiki-content">
<div class="email">
    <h2><a href="">Authentication
- Actors</a></h2>
    <h4>Page  <b>added</b> by             <a href="">Felix
    <div class="notificationGreySide">
         <h1><a name="Authentication-Actors-Actors"></a>Actors</h1>

<p>The authentication process involves a number of actors contributing to the concepts,
the API and the particular implementations.</p>

<h2><a name="Authentication-Actors-OSGiHttpServiceSpecification"></a>OSGi
Http Service Specification</h2>

<p>The main support for authentication is defined by the OSGi Http Service specification.
This specification defines how an OSGi application can register servlets and resources to
build web applications. As part of the servlet and/or resource registration a <tt>HttpContext</tt>
may be provided, which allows for additional support.</p>

<p>The main method of interest to the authentication process is the <tt>handleSecurity</tt>
method. This is called by the OSGi Http Service implementation before the registered servlet
is called. Its intent is to authenticate the request and to provide authentication information
for the request object: the authentication type and the remote user name.</p>

<p>The Sling Commons Auth bundle provides the <tt>AuthenticationSupport</tt>
service which may be used to implement the <tt>HttpContext.handleSecurity</tt></p>

<h2><a name="Authentication-Actors-SlingEngine"></a>Sling Engine</h2>

<p>The Sling Engine implements the main entry point into the Sling system by means of
the <tt>SlingMainServlet</tt>. This servlet is registered with the OSGi Http Service
and provides a custom <tt>HttpContext</tt> whose <tt>handleSecurity</tt>
method is implemented by the <tt>AuthenticationSupport</tt> service.</p>

<p>When the request hits the <tt>service</tt> method of the Sling Main Servlet,
the resource resolver provided by the <tt>AuthenticationSupport</tt> service is
extracted from the request attributes and used as the resource resolver for the request.</p>

<p>That's all there is for the Sling Engine to do with respect to authentication.</p>
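<p>Added example, not part of the original page or of Sling's own code: a minimal <tt>HttpContext</tt> of the kind described above, delegating <tt>handleSecurity</tt> to an injected <tt>AuthenticationSupport</tt> service and failing closed when the service is missing. The import uses the <tt>org.apache.sling.auth.core</tt> package of later Sling releases, which is an assumption relative to the Commons Auth bundle named here; the class name <tt>AuthenticatingHttpContext</tt> is hypothetical.</p>

```java
import java.io.IOException;
import java.net.URL;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.sling.auth.core.AuthenticationSupport; // assumed package, see lead-in
import org.osgi.service.http.HttpContext;

// Hypothetical HttpContext; pass it as the last argument of
// HttpService.registerServlet(alias, servlet, initparams, context).
public class AuthenticatingHttpContext implements HttpContext {

    private final AuthenticationSupport authSupport; // injected OSGi service

    public AuthenticatingHttpContext(AuthenticationSupport authSupport) {
        this.authSupport = authSupport;
    }

    @Override
    public boolean handleSecurity(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        // Fail closed: without the service, no request may reach the servlet.
        if (authSupport == null) {
            response.sendError(HttpServletResponse.SC_SERVICE_UNAVAILABLE);
            return false;
        }
        // true:  the request is authenticated; authentication type and remote
        //        user name are available to the servlet.
        // false: the response has already been handled (for example, credentials
        //        were requested) and the Http Service must not call the servlet.
        return authSupport.handleSecurity(request, response);
    }

    @Override
    public URL getResource(String name) {
        return null; // this context backs servlets only, no static resources
    }

    @Override
    public String getMimeType(String name) {
        return null; // let the Http Service determine the MIME type
    }
}
```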

<h2><a name="Authentication-Actors-SlingCommonsAuth"></a>Sling Commons Auth</h2>

<p>The support for authenticating client requests is implemented in the Sling Commons
Auth bundle. As such this bundle provides three areas of support:</p>

<ul>
	<li><tt>AuthenticationHandler</tt> service interface. This is implemented
by services providing functionality to extract credentials from HTTP requests.</li>
	<li><tt>Authenticator</tt> service interface. This is implemented by the
<tt>SlingAuthenticator</tt> class in the Commons Auth bundle and provides applications
with entry points to login and logout.</li>
	<li><tt>AuthenticationSupport</tt> service interface. This is implemented
by the <tt>SlingAuthenticator</tt> class in the Commons Auth bundle and allows
applications registering with the OSGi HTTP Service to make use of the Sling authentication</li>
</ul>

<h2><a name="Authentication-Actors-JCRRepository"></a>JCR Repository</h2>

<p>The actual process of logging into the repository and providing a <tt>Session</tt>
is implementation dependent. In the case of Jackrabbit, extensibility is provided by configuration
of the Jackrabbit repository by means of an interface and two helper classes:</p>

<ul>
	<li><tt>LoginModule</tt> &#8211; The interface to be implemented to
provide login processing plugins.</li>
	<li><tt>AbstractLoginModule</tt> &#8211; An abstract base class implementation
of the <tt>LoginModule</tt> interface.</li>
	<li><tt>DefaultLoginModule</tt> &#8211; The default implementation
of the <tt>AbstractLoginModule</tt> provided by Jackrabbit. This login module takes
<tt>SimpleCredentials</tt> and uses the repository to look up the users, validate
the credentials and provide the <tt>Principal</tt> representing the user towards
the repository.</li>
</ul>

<p>The Sling Jackrabbit Embedded Repository bundle provides additional plugin interfaces
to extend the login process dynamically using OSGi services. To this end, the bundle configures
a <tt>LoginModule</tt> with the provided default Jackrabbit configuration supporting
these plugins:</p>

<ul>
	<li><tt>LoginModulePlugin</tt> &#8211; The main service interface.
Plugins must implement this interface to be able to extend the login process. See for example
the <a href=""
rel="nofollow">Sling OpenID authentication handler</a>, which implements this interface
to support OpenID authentication.</li>
	<li><tt>AuthenticationPlugin</tt> &#8211; Helper interface for the</li>
</ul>

<h2><a name="Authentication-Actors-SlingApplications"></a>Sling Applications</h2>

<p>Sling Applications requiring authenticated requests should not care about how authentication
is implemented. To support such functionality the <tt>Authenticator</tt> service
is provided with two methods:</p>

<ul>
	<li><tt>login</tt> &#8211; allows the application to ensure requests
are authenticated. This involves selecting an <tt>AuthenticationHandler</tt> to
request credentials for authentication.</li>
	<li><tt>logout</tt> &#8211; allows the application to forget about
any authentication. This involves selecting an <tt>AuthenticationHandler</tt>
to forget about credentials in the request.</li>
</ul>

<p>Sling Applications should never directly use any knowledge of any authentication
handler or directly call into an authentication handler. This will certainly break the application
and cause unexpected behaviour.</p>

<div class='panelMacro'><table class='infoMacro'><colgroup><col width='24'><col></colgroup><tr><td
valign='top'><img src="/confluence/images/icons/emoticons/information.gif" width="16"
height="16" align="absmiddle" alt="" border="0"></td><td><p>If you want
to know whether a request is authenticated or not, you can inspect the result of the <tt>HttpServletRequest.getAuthType</tt>
method: If this method returns <tt>null</tt> the request is not authenticated.</p></td></tr></table></div>
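<p>Added example, not part of the original page or of Sling's own code: an application servlet that uses only the <tt>getAuthType</tt> check and the <tt>Authenticator</tt> service described above, never an authentication handler, and that denies the request when login cannot be started. The imports use the <tt>org.apache.sling.api.auth</tt> package of later Sling releases, which is an assumption relative to the Commons Auth bundle named here; the class name <tt>ProtectedServlet</tt> is hypothetical.</p>

```java
import java.io.IOException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.sling.api.auth.Authenticator;                    // assumed package, see lead-in
import org.apache.sling.api.auth.NoAuthenticationHandlerException; // assumed package, see lead-in

// Hypothetical application servlet; the Authenticator is an injected OSGi service.
public class ProtectedServlet extends HttpServlet {

    private final Authenticator authenticator;

    public ProtectedServlet(Authenticator authenticator) {
        this.authenticator = authenticator;
    }

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        // getAuthType() == null: the request is not authenticated.
        if (request.getAuthType() == null) {
            try {
                // The Authenticator selects the AuthenticationHandler; the servlet never does.
                authenticator.login(request, response);
            } catch (NoAuthenticationHandlerException | IllegalStateException e) {
                // No handler can request credentials, or the response is committed: deny.
                if (!response.isCommitted()) {
                    response.sendError(HttpServletResponse.SC_FORBIDDEN);
                }
            }
            return; // fail closed: never fall through to the protected content
        }
        response.setContentType("text/plain");
        response.getWriter().println("Authenticated as " + request.getRemoteUser()
                + " via " + request.getAuthType());
    }

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        // Logout changes state, so it is handled on POST only.
        authenticator.logout(request, response);
    }
}
```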