sling-commits mailing list archives

From dk...@apache.org
Subject svn commit: r1477098 - in /sling/site/trunk/content: documentation/the-sling-engine/authentication/authentication-authenticationhandler/openid-authenticationhandler.mdtext site/.htaccess
Date Mon, 29 Apr 2013 14:22:35 GMT
Author: dklco
Date: Mon Apr 29 14:22:34 2013
New Revision: 1477098

URL: http://svn.apache.org/r1477098
Log:
Migrated /site/openid-authenticationhandler.html

Modified:
    sling/site/trunk/content/documentation/the-sling-engine/authentication/authentication-authenticationhandler/openid-authenticationhandler.mdtext
    sling/site/trunk/content/site/.htaccess

Modified: sling/site/trunk/content/documentation/the-sling-engine/authentication/authentication-authenticationhandler/openid-authenticationhandler.mdtext
URL: http://svn.apache.org/viewvc/sling/site/trunk/content/documentation/the-sling-engine/authentication/authentication-authenticationhandler/openid-authenticationhandler.mdtext?rev=1477098&r1=1477097&r2=1477098&view=diff
==============================================================================
--- sling/site/trunk/content/documentation/the-sling-engine/authentication/authentication-authenticationhandler/openid-authenticationhandler.mdtext
(original)
+++ sling/site/trunk/content/documentation/the-sling-engine/authentication/authentication-authenticationhandler/openid-authenticationhandler.mdtext
Mon Apr 29 14:22:34 2013
@@ -28,7 +28,7 @@ In this case the OpenID authenticator ca
 |--|--|
 | `resource` | The location to which the user initially requested access and that caused
the `requestCredentials` method to be called. This may not be set (or be set to an empty string).
|
 | `j_reason` | The reason why an earlier attempt at authentication with the OpenID authentication
handler failed. This request parameter is only set if the same named request attribute has
been set by the `extractCredentials` or the `authenticationFailed` method. The value of the
parameter is the name of one of the `OpenIDFailure` constants. |
-| `j*openid*identity` | The OpenID identity which could not successfully be associated with
an existing JCR user. This request parameter is only set if the `authenticationFailed` method
has been called due to inability to associate an existing and validated OpenID identity with
an existing JCR user. |
+| `j_openid_identity` | The OpenID identity which could not successfully be associated with
an existing JCR user. This request parameter is only set if the `authenticationFailed` method
has been called due to inability to associate an existing and validated OpenID identity with
an existing JCR user. |
 
 The OpenID Authentication handlers supports the following request parameters submitted by
the HTML form:
 
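Review bot: the `j_openid_identity` row, like `j_reason` above it, describes a value that reaches the login form as a request parameter, but the table never says the form should treat it as untrusted input. Request parameters are client-controlled, so add a sentence telling form authors to encode `j_openid_identity` before echoing it and to compare `j_reason` only against the known `OpenIDFailure` constant names. Minor, in the trailing context: "The OpenID Authentication handlers supports" should read "handler supports".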
@@ -47,7 +47,7 @@ The OpenID AuthenticationHandler is conf
 |--|--|--|
 | `path` | -- | Repository path for which this authentication handler should be used by Sling.
If this is empty, the authentication handler will be disabled. |
 | `openid.login.form` | `/system/sling/openid/login` | This should provide a way to capture
the user's OpenID identifier.  This is not the OpenID Provider's login page, however, it does
not have to be a local URL. If it is a local Sling URL, it must be accessible by the anonymous
user. The user is HTTP Redirect'ed to this URL.  This page should POST back the user's OpenID
identifier (as named by the "OpenID identifier form field" property) to the originally requested
URL set in the "resource" request parameter. |
-| `openid.login.identifier` | `openid*identifier` | The name of the form parameter that provides
the user's OpenID identifier. By convention this is `openid*identifier`. Only change this
if you have a very good reason to do so. |
+| `openid.login.identifier` | `openid_identifier` | The name of the form parameter that provides
the user's OpenID identifier. By convention this is `openid_identifier`. Only change this
if you have a very good reason to do so. |
 | `openid.external.url.prefix` | -- | The prefix of URLs generated for the `ReturnTo` and
`TrustRoot` properties of the OpenID request to the OpenID provider. Thus this URL prefix
should bring back the authenticated user to this Sling instance. Configuring this property
is usually necessary when running Sling behind a proxy (like Apache) since proxy mapping is
not performed on the OpenID ReturnTo and TrustRoot URLs as they are sent to the OpenID Provider
as form parameters.  If this property is empty, the URLs are generated using the hostname
found in the original request.|
 | `openid.use.cookie` | `true` |  Whether to use a regular Cookie or an HTTP Session to cache
the OpenID authentication details. By default a regular cookie is used to prevent use of HTTP
Sessions. |
 | `openid.cookie.domain` | -- | Domain of cookie used to persist authentication. This defaults
to the host name of the Sling server but may be set to a different value to share the cookie
amongst a server farm or if the server is running behind a proxy. Only used if 'Use Cookie'
is checked. |
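Review bot: the `openid.login.form` row refers to this property as the "OpenID identifier form field" property, and the `openid.cookie.domain` row says 'Use Cookie', while the table itself is keyed by property name. Now that `openid.login.identifier` renders correctly, reference it and `openid.use.cookie` by name so readers editing configuration can find them. The same `openid.login.form` row tells the form to POST back to the URL in `resource` and allows the form to be non-local, so a sentence advising the form to accept only expected targets for `resource` would be a useful addition.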
@@ -87,7 +87,7 @@ If the parameter is not set or is set to
 |--|--|
 | `resource` | The location to which the user initially requested access and that caused
the `requestCredentials` method to be called. |
 | `j_reason` | The reason why an earlier attempt at authentication with the OpenID authentication
handler failed. This request parameter is only set if the same named request attribute has
been set by the `extractCredentials` or the `authenticationFailed` method. The value of the
parameter is the name of one of the `OpenIDFailure` constants. |
-| `j*openid*identity` | The OpenID identity which could not successfully be associated with
an existing JCR user. This request parameter is only set if the `authenticationFailed` method
has been called due to inability to associate an existing and validated OpenID identity with
an existing JCR user. |
+| `j_openid_identity` | The OpenID identity which could not successfully be associated with
an existing JCR user. This request parameter is only set if the `authenticationFailed` method
has been called due to inability to associate an existing and validated OpenID identity with
an existing JCR user. |
 
 
 
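Review bot: this row is a verbatim copy of the one fixed in the hunk at line 28, yet the `resource` row of this table lacks the sentence "This may not be set (or be set to an empty string)." that the first table carries. Either reconcile the two tables or state why `resource` is always set here; otherwise the next correction has to be applied twice again and the copies drift further.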
@@ -102,7 +102,7 @@ Invalidates the OpenID identity currentl
 
 This method is called, if the Credentials provided by the Authentication Handler could not
be validated by the Jackrabbit authentication infrastructure. One cause may be that the integration
with Jackrabbit has not been completed (see *Integration with Jackrabbit* below). Another,
more probably cause, is that the validated OpenID identifier cannot be associated with an
existing JCR user.
 
-The OpenID Authentication Handler implementation of the `authenticationFailed` method sets
the `j*reason` request attribute to `OpenIDFailure.REPOSITORY` and sets the `j*openid_identity`
request attribute to the OpenID identity of the authenticated user.
+The OpenID Authentication Handler implementation of the `authenticationFailed` method sets
the `j_reason` request attribute to `OpenIDFailure.REPOSITORY` and sets the `j_openid_identity`
request attribute to the OpenID identity of the authenticated user.
 
 A login form provider may wish to act upon this situation and provide a login form to the
user to allow to his OpenID identity with an existing JCR user.
 
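Review bot: the trailing context sentence "to allow to his OpenID identity with an existing JCR user" is missing its verb (presumably "associate", matching the wording of the `j_openid_identity` table rows), and "more probably cause" in the leading context should be "more probable cause". Worth fixing in the same pass, since this paragraph is what tells form authors how to react to `j_reason` and `j_openid_identity`.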
@@ -117,7 +117,7 @@ The OpenID Authentication Handler implem
 
 The OpenID authentication handler can be integrated in two ways into the Jackrabbit authentication
mechanism which is based on JAAS `LoginModule`. One integration is by means of a `LoginModulePlugin`
which plugs into the extensible `LoginModule` architecture supported by the Sling Jackrabbit
Embedded Repository bundle.
 
-The other integration option is the `trusted*credentials*attribute` mechanism supported by
the Jackrabbit `DefaultLoginModule`. By setting the `trusted*credentials*attribute` parameter
of the Jackrabbit `DefaultLoginModule` and the `openid.user.attr` configuration property of
the OpenID Authentication Handler to the same value, the existence of an attribute of that
name in the `SimpleCredentials` instance provided to the `Repository.login` method signals
pre-authenticated credentials, which need not be further checked by the `DefaultLoginModule`.
+The other integration option is the `trusted_credentials_attribute` mechanism supported by
the Jackrabbit `DefaultLoginModule`. By setting the `trusted_credentials_attribute` parameter
of the Jackrabbit `DefaultLoginModule` and the `openid.user.attr` configuration property of
the OpenID Authentication Handler to the same value, the existence of an attribute of that
name in the `SimpleCredentials` instance provided to the `Repository.login` method signals
pre-authenticated credentials, which need not be further checked by the `DefaultLoginModule`.
 
 
 ### Security Considerations
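Review bot: the corrected paragraph presents `trusted_credentials_attribute` as letting the `DefaultLoginModule` skip further checks, but carries no warning at the point of use; the only caveat is item 3 under Security Considerations. Add a pointer to that section here, and say that the value shared between `trusted_credentials_attribute` and `openid.user.attr` should not be a guessable name, since item 3 identifies knowledge of the name as sufficient to log in as any existing JCR user.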
@@ -126,6 +126,6 @@ OpenIDAuthentication has some limitation
 
 1. User name and password are transmitted in plain text in the initial form submission.
 1. The Cookie used to provide the authentication state or the HTTP Session ID may be stolen.
-1. When using the `trusted*credentials*attribute` mechanism, any intruder knowing the attribute
name may log into the repository as any existing JCR user. The better option is to be based
on the `LoginModulePlugin` mechanism.
+1. When using the `trusted_credentials_attribute` mechanism, any intruder knowing the attribute
name may log into the repository as any existing JCR user. The better option is to be based
on the `LoginModulePlugin` mechanism.
 
 To prevent eavesdroppers from sniffing the credentials or stealing the Cookie a secure transport
layer should be used such as TLS/SSL, VPN or IPSec.
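Review bot: in item 3, "The better option is to be based on the `LoginModulePlugin` mechanism" is hard to parse; something like "Prefer the `LoginModulePlugin` integration" says it directly. Two follow-ups in the surrounding context: the closing paragraph only mitigates items 1 and 2 (eavesdropping and cookie theft) and offers nothing for item 3, and item 1 speaks of "User name and password" although the login form described earlier submits an OpenID identifier.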

Modified: sling/site/trunk/content/site/.htaccess
URL: http://svn.apache.org/viewvc/sling/site/trunk/content/site/.htaccess?rev=1477098&r1=1477097&r2=1477098&view=diff
==============================================================================
--- sling/site/trunk/content/site/.htaccess (original)
+++ sling/site/trunk/content/site/.htaccess Mon Apr 29 14:22:34 2013
@@ -21,4 +21,5 @@ Redirect Permanent /site/adapters.html /
 Redirect Permanent /site/apache-sling-commons-thread-pool.html /documentation/bundles/apache-sling-commons-thread-pool.html
 Redirect Permanent /site/apache-sling-community-roles-and-processes.html /project-information/apache-sling-community-roles-and-processes.html
 Redirect Permanent /site/authentication-actors.html /documentation/the-sling-engine/authentication/authentication-actors.html
-Redirect Permanent /site/form-based-authenticationhandler.html /documentation/the-sling-engine/authentication/authentication-authenticationhandler/form-based-authenticationhandler.html
\ No newline at end of file
+Redirect Permanent /site/form-based-authenticationhandler.html /documentation/the-sling-engine/authentication/authentication-authenticationhandler/form-based-authenticationhandler.html
+Redirect Permanent /site/openid-authenticationhandler.html /documentation/the-sling-engine/authentication/authentication-authenticationhandler/openid-authenticationhandler.html
\ No newline at end of file
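Review bot: the file still ends without a trailing newline, which is why the unchanged `form-based-authenticationhandler.html` redirect shows up as removed and re-added. Terminate the new last line with a newline so the next migrated redirect is a one-line diff.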


