incubator-sling-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From conflue...@apache.org
Subject [CONF] Apache Sling > User Authentication
Date Sun, 14 Mar 2010 12:37:00 GMT
<html>
<head>
    <base href="http://cwiki.apache.org/confluence">
            <link rel="stylesheet" href="/confluence/s/1519/1/1/_/styles/combined.css?spaceKey=SLING&amp;forWysiwyg=true"
type="text/css">
    </head>
<body style="background-color: white" bgcolor="white">
<div id="pageContent">
<div id="notificationFormat">
<div class="wiki-content">
<div class="email">
    <h2><a href="http://cwiki.apache.org/confluence/display/SLING/User+Authentication">User
Authentication</a></h2>
    <h4>Page  <b>added</b> by             <a href="http://cwiki.apache.org/confluence/display/~fmeschbe">Felix
Meschberger</a>
    </h4>
         <br/>
    <div class="notificationGreySide">
         <h1><a name="UserAuthentication-UserAuthentication"></a>User Authentication</h1>



<p>Status: DRAFT <br/>
Created: 14. March 2010<br/>
Author: fmeschbe <br/>
JIRA: &#8211; <br/>
References: <a href="http://markmail.org/message/xmgenhm3rvualvyq" rel="nofollow">Merging
Sling API and Commons Auth API</a><br/>
Update: &#8211; </p>

<div>
<ul>
    <li><a href='#UserAuthentication-Introduction'>Introduction</a></li>
    <li><a href='#UserAuthentication-Proposal'>Proposal</a></li>
    <li><a href='#UserAuthentication-Issues'>Issues</a></li>
</ul></div> 

<h2><a name="UserAuthentication-Introduction"></a>Introduction </h2>

<p>With the recent introduction of the Commons Auth Bundle and the current approach
to break apart the dependency on JCR API from the Commons Auth Bundle we are faced with an
issue of how to authenticate an HTTP request user while at the same time not binding the authentication
mechanism to any data repository.</p>

<p>In other words we have the following requirements:</p>

<ol>
	<li>Extract user authentication information from HTTP requests and assert the identity
of the requesting entity (remote user or application)</li>
	<li>Setup a connection to data repository on behalf of the authenticated user</li>
</ol>


<p>Currently the Commons Auth bundle controls the complete process of extracting authentication
information, asserting the identity and connecting to the repository:</p>

<ol>
	<li>Authentication information extraction using <tt>AuthenticationHandler</tt>
services</li>
	<li>Asserting identity by using the authentication information to login to the JCR
Repository resulting in a JCR Session.</li>
	<li>Connecting to the data repository by using the <tt>JcrResourceResolverFactory</tt>
to create a <tt>ResourceResolver</tt> on top of the JCR Session.</li>
</ol>


<p>The problem here is, that the Commons Auth bundle is tied into using the JCR Repository
to assert identities and into the <tt>JcrResourceResolverFactory</tt> to connect
to the data repository.</p>

<p>These dependencies are not entirely optimal. So a first improvement might be for
the Commons Auth bundle to validate any authentication and pass the validated authentication
info on the ot Commons Auth client which then uses this data to create the connection:</p>

<ol>
	<li>Commons Auth extracts authentication information using <tt>AuthenticationHandler</tt>
services</li>
	<li>Commons Auth asserts the identity using the authentication information to login
to the JCR Repository</li>
	<li>Commons Auth returns the asserted authentication information to (say) the Sling
Main Servlet which uses the <tt>ResourceResolverFactory</tt> to connect to the
repository and return a <tt>ResourceResolver</tt></li>
</ol>


<p>The drawback here is, that (a) Commons Auth is stilled tied into the JCR API and
(b) JCR Sessions are created twice thus creating quite a considerable overhead.</p>


<h2><a name="UserAuthentication-Proposal"></a>Proposal</h2>

<p>A new service API is defined supporting the validation of credentials:</p>

<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-java">
<span class="code-keyword">public</span> <span class="code-keyword">interface</span>
CredentialValidator {

    /** 
     * Validates the credentials and returns an AuthenticationInfo
     * object representing the validated credentials.
     * The implementation may <span class="code-keyword">return</span> a <span
class="code-keyword">new</span> object or the same as
     * passed as a parameter. If a <span class="code-keyword">new</span> object
is returned the
     * implementation may copy some or all properties from the
     * passed in object.
     * The passed in AuthenticationInfo object should be considered
     * immutable by the implementation.
     * @param credentials The AuthenticationInfo representing the
     *      credentials provided by the user in the HTTP request.
     * @<span class="code-keyword">return</span> An AuthenticationInfo object
representing the
     *      validated credentials.
     * @<span class="code-keyword">throws</span> LoginException <span class="code-keyword">if</span>
the passed credentials cannot
     *      be validated.
     * @<span class="code-keyword">throws</span> NullPointerException <span
class="code-keyword">if</span> credentials is <span class="code-keyword">null</span>
     */
    <span class="code-keyword">public</span> AuthenticationInfo validate(AuthenticationInfo
credentials) <span class="code-keyword">throws</span> LoginException;

}
</pre>
</div></div>

<p>The <tt>SlingAuthenticator</tt> class makes use of the <tt>CredentialValidator</tt>
service to validate the credentials extracted by <tt>AuthenticationHandler</tt>
services. The returned AuthenticationInfo is then set as a request attribute.</p>

<p>The <tt>CredentialValidator</tt> interface is implemented and registered
as a service by the JCR based <tt>ResourceResolverFactory</tt> implementation.
The implementation of the method uses the credentials to authenticate with the JCR repository
and returns an AuthenticationInfo object copied from the original object without the password
but containing the JCR Session.</p>

<p>The <tt>SlingMainServlet</tt> gets the <tt>AuthenticationInfo</tt>
object from the request attribute and passes it (as a <tt>Map</tt>) to the <tt>ResourceResolverFactory.getResourceResolver(Map)</tt>
method to get the <tt>ResourceResolver</tt> for the request.</p>

<p>The JCR based <tt>ResourceResolverFactory.getResourceResolver(Map)</tt>
knows about the <tt>CredentialValidator</tt> implementation and can make use of
the <tt>Session</tt> object in the map to reuse the existing session.</p>

<h2><a name="UserAuthentication-Issues"></a>Issues</h2>

<p>The JCR based <tt>CredentialValidator</tt> implementation creates a session,
which may or may not be used and closed by users of the Sling Commons Auth <tt>AuthenticationSupport</tt>
service. A mechanism must be implemented to ensure Sessions placed into the <tt>AuthenticationInfo</tt>
by <tt>CredentialValidator</tt> implementations are not left open and thus needlessly
consume system resources.</p>
    </div>
    <div id="commentsSection" class="wiki-content pageSection">
       <div style="float: right;">
            <a href="http://cwiki.apache.org/confluence/users/viewnotifications.action"
class="grey">Change Notification Preferences</a>
       </div>
       <a href="http://cwiki.apache.org/confluence/display/SLING/User+Authentication">View
Online</a>
              |
       <a href="http://cwiki.apache.org/confluence/display/SLING/User+Authentication?showComments=true&amp;showCommentArea=true#addcomment">Add
Comment</a>
           </div>
</div>
</div>
</div>
</div>
</body>
</html>

Mime
View raw message