jackrabbit-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Felix Meschberger (Commented) (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (JCR-3222) Allow servlet filters to specify custom session providers
Date Fri, 27 Jan 2012 06:09:41 GMT

    [ https://issues.apache.org/jira/browse/JCR-3222?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13194507#comment-13194507
] 

Felix Meschberger commented on JCR-3222:
----------------------------------------

> The Sling authentication code needs to be able to take over the entire processing of
a request instead of just servicing a getSession() call. 

This is wrong.

The DavexServletService is registered as a servlet service and gets processing the request
from the service call. A service in OSGi registered along with an Osgi HttpContext object
which has a handleSecurity method, which handles authentication before the servlet is even
called. By having a contextId service property a whiteboard servlet service can refer to a
whiteboard HttpContext service which implements that method accordingly.

Thus my patch allows to plug a HttpContext service which we in Sling can provide to call the
Sling authentication processing. This then makes the ResourceResolver and hence the Session
available to the servlet.

Inside the servlet, the patch implements the getSessionProvider method to return a proxy SessionProvider
which either provides a registered SessionProvider service or returns the default from the
parent class. Sling will den provide a SessionProvider service which knows about the Sling
authentication and can extract the session from the ResourceResolver.

Existing uses of the JcrRemotingServlet need not be changed as does the JcrRemotingServlet.
Everything is done in the DavexServletService with proper OSGi oriented actions -- except
for the ResourceResolver defined as a request attribute, which we already have.
                
> Allow servlet filters to specify custom session providers
> ---------------------------------------------------------
>
>                 Key: JCR-3222
>                 URL: https://issues.apache.org/jira/browse/JCR-3222
>             Project: Jackrabbit Content Repository
>          Issue Type: Improvement
>          Components: jackrabbit-jcr-server
>            Reporter: Jukka Zitting
>            Priority: Minor
>         Attachments: JCR-3222-fmeschbe.patch, jackrabbit-jcr-server-2.6-SNAPSHOT.jar
>
>
> In order to integrate the Jackrabbit davex server functionality with their custom authentication
logic, the Sling project currently needs to embed and subclass the davex servlet classes.
It would be cleaner if such tight coupling wasn't needed.
> One way to achieve something like that would be to allow external components to provide
a custom SessionProvider instance as an extra request attribute. This way for example a servlet
filter that implements such custom authentication logic could easily make its functionality
available to the standard davex servlet in Jackrabbit.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

Mime
View raw message