jackrabbit-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Felix Meschberger (Commented) (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (JCR-3222) Allow servlet filters to specify custom session providers
Date Fri, 27 Jan 2012 13:26:40 GMT

    [ https://issues.apache.org/jira/browse/JCR-3222?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13194699#comment-13194699

Felix Meschberger commented on JCR-3222:

> That's what the HttpContext.handleSecurity() method does, right? It's needs to be able
to take over the entire processing of a request. 

No, this is called by the Http Service before calling the servlet. The handleSecurity method
either returns true in which case the servlet is called or false in which case the request
is terminated and the servlet is not called.

The handleSecurity method must set up to three request attributes which are used to implement
HttpServletRequest methods (getRemoteUser, getAuthType, getUserPrincipal). In addition the
Sling implementation could provide the ResourceResolver (what we do in the Sling DavEx bundle.

The handleSecurity method could of course set the SessionProvider, too. But I don't like this
-- special case handling affecting all but used by one only.

In addtion: unless you will be implementing a special proxy SessionProvider looking for the
actual provider on each request, the getSessionProvider() method is AFAICT only called once
no matter how many different SessionProviders are found in the request attributes... The SessionProvider
is not something request specific but something setup specific. Hence a service and not request
> Allow servlet filters to specify custom session providers
> ---------------------------------------------------------
>                 Key: JCR-3222
>                 URL: https://issues.apache.org/jira/browse/JCR-3222
>             Project: Jackrabbit Content Repository
>          Issue Type: Improvement
>          Components: jackrabbit-jcr-server
>            Reporter: Jukka Zitting
>            Priority: Minor
>         Attachments: JCR-3222-fmeschbe.patch, jackrabbit-jcr-server-2.6-SNAPSHOT.jar
> In order to integrate the Jackrabbit davex server functionality with their custom authentication
logic, the Sling project currently needs to embed and subclass the davex servlet classes.
It would be cleaner if such tight coupling wasn't needed.
> One way to achieve something like that would be to allow external components to provide
a custom SessionProvider instance as an extra request attribute. This way for example a servlet
filter that implements such custom authentication logic could easily make its functionality
available to the standard davex servlet in Jackrabbit.

This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira


View raw message