incubator-sling-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Felix Meschberger (Confluence)" <>
Subject [CONF] Apache Sling > User Authentication
Date Fri, 27 Sep 2013 09:51:00 GMT
    <base href="">
            <link rel="stylesheet" href="/confluence/s/en/2176/1/1/_/styles/combined.css?spaceKey=SLING&amp;forWysiwyg=true"
<body style="background: white;" bgcolor="white" class="email-body">
<div id="pageContent">
<div id="notificationFormat">
<div class="wiki-content">
<div class="email">
    <h2><a href="">User
    <h4>Page <b>edited</b> by             <a href="">Felix
                         <h4>Changes (5)</h4>
<div id="page-diffs">
                    <table class="diff" cellpadding="0" cellspacing="0">
            <tr><td class="diff-snipped" >...<br></td></tr>
            <tr><td class="diff-unchanged" >{excerpt:hidden=true}Separating authentication
from ResourceResolver access (ammending [Add ResourceResolverFactory Service Interface]) (DRAFT){excerpt}
 <br> <br></td></tr>
            <tr><td class="diff-deleted-lines" style="color:#999;background-color:#fdd;text-decoration:line-through;">Status:
DRAFT  <br></td></tr>
            <tr><td class="diff-added-lines" style="background-color: #dfd;">Status:
NOT IMPLEMENTED  <br></td></tr>
            <tr><td class="diff-unchanged" >Created: 14. March 2010 <br>Author:
fmeschbe  <br>JIRA: --  <br>References: [Merging Sling API and Commons Auth API|]
            <tr><td class="diff-deleted-lines" style="color:#999;background-color:#fdd;text-decoration:line-through;">Update:
--  <br></td></tr>
            <tr><td class="diff-added-lines" style="background-color: #dfd;">Update:
fmeschbe/27. September 2013 <br></td></tr>
            <tr><td class="diff-unchanged" > <br>{toc:minLevel=2}  <br>
            <tr><td class="diff-added-lines" style="background-color: #dfd;">h2.
Update <br> <br>This concept is not being implemented because in the meantime
{{ResourceProviderFactory}} services have been introduced which can be flagged as being mandatory
and thus validate credentials from authentication handlers. One such implementation is the
JCR Resource Provider which does exactly that and internally validates the credentials by
create a JCR Session. <br> <br> <br></td></tr>
            <tr><td class="diff-unchanged" >h2. Introduction  <br> <br></td></tr>
            <tr><td class="diff-snipped" >...<br></td></tr>
    </div>                            <h4>Full Content</h4>
                    <div class="notificationGreySide">
        <h1><a name="UserAuthentication-UserAuthentication"></a>User Authentication</h1>

<p>Status: NOT IMPLEMENTED <br/>
Created: 14. March 2010<br/>
Author: fmeschbe <br/>
JIRA: &#8211; <br/>
References: <a href="" class="external-link"
rel="nofollow">Merging Sling API and Commons Auth API</a><br/>
Update: fmeschbe/27. September 2013</p>

    <li><a href='#UserAuthentication-Update'>Update</a></li>
    <li><a href='#UserAuthentication-Introduction'>Introduction</a></li>
    <li><a href='#UserAuthentication-Proposal'>Proposal</a></li>
    <li><a href='#UserAuthentication-CompleteStepsAuthenticatingHTTPRequests'>Complete
Steps Authenticating HTTP Requests</a></li>
    <li><a href='#UserAuthentication-Issues'>Issues</a></li>

<h2><a name="UserAuthentication-Update"></a>Update</h2>

<p>This concept is not being implemented because in the meantime <tt>ResourceProviderFactory</tt>
services have been introduced which can be flagged as being mandatory and thus validate credentials
from authentication handlers. One such implementation is the JCR Resource Provider which does
exactly that and internally validates the credentials by create a JCR Session.</p>

<h2><a name="UserAuthentication-Introduction"></a>Introduction </h2>

<p>With the recent introduction of the Commons Auth Bundle and the current approach
to break apart the dependency on JCR API from the Commons Auth Bundle we are faced with an
issue of how to authenticate an HTTP request user while at the same time not binding the authentication
mechanism to any data repository.</p>

<p>In other words we have the following requirements:</p>

	<li>Extract user authentication information from HTTP requests and assert the identity
of the requesting entity (remote user or application)</li>
	<li>Setup a connection to data repository on behalf of the authenticated user</li>

<p>Currently the Commons Auth bundle controls the complete process of extracting authentication
information, asserting the identity and connecting to the repository:</p>

	<li>Authentication information extraction using <tt>AuthenticationHandler</tt>
	<li>Asserting identity by using the authentication information to login to the JCR
Repository resulting in a JCR Session.</li>
	<li>Connecting to the data repository by using the <tt>JcrResourceResolverFactory</tt>
to create a <tt>ResourceResolver</tt> on top of the JCR Session.</li>

<p>The problem here is, that the Commons Auth bundle is tied into using the JCR Repository
to assert identities and into the <tt>JcrResourceResolverFactory</tt> to connect
to the data repository.</p>

<p>These dependencies are not entirely optimal. So a first improvement might be for
the Commons Auth bundle to validate any authentication and pass the validated authentication
info on the ot Commons Auth client which then uses this data to create the connection:</p>

	<li>Commons Auth extracts authentication information using <tt>AuthenticationHandler</tt>
	<li>Commons Auth asserts the identity using the authentication information to login
to the JCR Repository</li>
	<li>Commons Auth returns the asserted authentication information to (say) the Sling
Main Servlet which uses the <tt>ResourceResolverFactory</tt> to connect to the
repository and return a <tt>ResourceResolver</tt></li>

<p>The drawback here is, that (a) Commons Auth is stilled tied into the JCR API and
(b) JCR Sessions are created twice thus creating quite a considerable overhead.</p>

<h2><a name="UserAuthentication-Proposal"></a>Proposal</h2>

<p>A new service API is defined supporting the validation of credentials:</p>

<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="theme: Default; brush: java; gutter: false" style="font-size:12px; font-family:
public interface CredentialValidator {

     * Validates the credentials and returns an AuthenticationInfo
     * object representing the validated credentials.
     * The implementation may return a new object or the same as
     * passed as a parameter. If a new object is returned the
     * implementation may copy some or all properties from the
     * passed in object.
     * The passed in AuthenticationInfo object should be considered
     * immutable by the implementation.
     * @param credentials The AuthenticationInfo representing the
     *      credentials provided by the user in the HTTP request.
     * @return An AuthenticationInfo object representing the
     *      validated credentials.
     * @throws LoginException if the passed credentials cannot
     *      be validated.
     * @throws NullPointerException if credentials is null
    public AuthenticationInfo validate(AuthenticationInfo credentials) throws LoginException;


<p>The <tt>SlingAuthenticator</tt> class makes use of the <tt>CredentialValidator</tt>
service to validate the credentials extracted by <tt>AuthenticationHandler</tt>
services. The returned AuthenticationInfo is then set as a request attribute.</p>

<p>The <tt>CredentialValidator</tt> interface is implemented and registered
as a service by the JCR based <tt>ResourceResolverFactory</tt> implementation.
The implementation of the method uses the credentials to authenticate with the JCR repository
and returns an AuthenticationInfo object copied from the original object without the password
but containing the JCR Session.</p>

<p>The <tt>SlingMainServlet</tt> gets the <tt>AuthenticationInfo</tt>
object from the request attribute and passes it (as a <tt>Map</tt>) to the <tt>ResourceResolverFactory.getResourceResolver(Map)</tt>
method to get the <tt>ResourceResolver</tt> for the request.</p>

<p>The JCR based <tt>ResourceResolverFactory.getResourceResolver(Map)</tt>
knows about the <tt>CredentialValidator</tt> implementation and can make use of
the <tt>Session</tt> object in the map to reuse the existing session.</p>

<h3><a name="UserAuthentication-CompleteStepsAuthenticatingHTTPRequests"></a>Complete
Steps Authenticating HTTP Requests</h3>

<p>Requests are authenticated as follows:</p>

	<li>Client makes HTTP Request</li>
	<li>OSGi HTTP Service selects Sling to handle request and calls <tt>HttpContext.handleSecurity</tt></li>
	<li>Sling's <tt>handleSecurity</tt> method calls <tt>SlingAuthenticator.handleSecurity</tt></li>
	<li>SlingAuthenticator extractes <tt>AuthenticationInfo</tt> by calling
	<li>SlingAuthenticator passes <tt>AuthenticationInfo</tt> to <tt>CredentialValidator.validate</tt></li>
	<li>(JCR based) CredentialValidator builds JCR Credentials from <tt>AuthenticationInfo</tt>
and calls <tt>Repository.login</tt></li>
	<li>CredentialValidator creates new AuthenticationInfo object copying all properties
from input (except password) and setting the JCR <tt>Session</tt> as another property
and returns</li>
	<li>SlingAuthenticator sets new <tt>AuthenticationInfo</tt> as request
attribute and sets remaining required request attributes and returns</li>
	<li>Sling's <tt>handleSecurity</tt> returns successfully</li>
	<li>OSGi HTTP Service passes control to <tt>SlingMainServlet</tt></li>
	<li>SlingMainServlet extracts <tt>AuthenticationInfo</tt> from request
attribute and calls <tt>ResourceResolverFactory.getResourceResolver</tt> with
this <tt>AuthenticationInfo</tt> (which actually extends <tt>Map</tt>)</li>
	<li>(JCR based) ResourceResolverFactory recognizes the existing JCR Session and creates
and returns a ResourceResolver based on this session</li>
	<li>SlingMainServlet continues request processing</li>
	<li>Finally SlingMainServlet closes the ResourceResolver at the end of request processing</li>

<h2><a name="UserAuthentication-Issues"></a>Issues</h2>

<p>The JCR based <tt>CredentialValidator</tt> implementation creates a session,
which may or may not be used and closed by users of the Sling Commons Auth <tt>AuthenticationSupport</tt>
service. A mechanism must be implemented to ensure Sessions placed into the <tt>AuthenticationInfo</tt>
by <tt>CredentialValidator</tt> implementations are not left open and thus needlessly
consume system resources.</p>
        <div id="commentsSection" class="wiki-content pageSection">
        <div style="float: right;" class="grey">
                        <a href="">Stop
watching space</a>
            <span style="padding: 0px 5px;">|</span>
                <a href="">Change
email notification preferences</a>
        <a href="">View
        <a href="">View
        <a href=";showCommentArea=true#addcomment">Add

View raw message