sling-dev mailing list archives

From "David G." <>
Subject Re: Sling Authentication
Date Thu, 09 Jun 2011 23:26:21 GMT

Hrm - I think I misspoke.

I am trying to figure out the mechanics of
Authentication/De-Authentication (Sign-In/Sign-Out) for web apps using

Essentially I want to create two entry points, one that Authenticates
the user to my web app (sign-in) and one that de-authenticates the
user (sign-out).

For sign-in I am using a custom Authentication Handler, which through
the extractCredentials method, creates/retrieves a JCR user and
creates an AuthenticationInfo object for said user - and returns it.

I was under the impression this was enough to "authenticate" the user
and allow a session cookie to be created, etc. (basically treat the
user as logged in).

For some reason, even when I pass back a "valid" AuthenticationInfo
object (and by valid, I mean it represents the user) from the
AuthenticationHandler's extractCredentials my user is not recognized
as being "signed in" by Sling (ProfileUtil.isAnonymous(slingReqest) ==

I'm trying to figure out what the mechanics are for having Sling/JCR
persist recognition of my user as signed in across the life of their
visit to the web site.

Also, I am trying to understand how to create a logout mechanism that
operates in a similar fashion.


On Thu, Jun 9, 2011 at 2:45 AM, Vidar Ramdal <> wrote:
> 2011/6/9 David G. <>:
>> I am writing a custom Sling Authentication Handler and am having
>> trouble understanding where the actual "authentication" to sling takes
>> place.
>> Currently my Authentication Handler validates credentials against a
>> third party system, creates a user in JCR as necessary, gets an
>> AuthenticationInfo object based on that user, and returns that
>> AuthenticationInfo object.
>> I was under the impression that returning a non-null
>> AuthenticationInfo object was enough for sling to authenticate the
>> user, however this does not appear to be the case (unless my
>> Authentication Info obj isn't properly formed I suppose).
>> Should all I have to do is return an AuthenticationInfo obj from
>> extractCredentials in my Custom Authentication Handler to authenticate
>> the user to Sling? Or is there something else I have to do?
>> If not, is there anything special in how the AuthenticationInfo is created?
> There is basically no such thing as "authentication to Sling" - the
> authentication is done to the underlying JCR. I'm not sure what you
> mean with "actual authentication", but in JCR terms it is the
> LoginModule who does that work.
> Also, make sure your AuthenticationHandler is actually called.
> --
> Vidar S. Ramdal <>
> Webstep AS -
> Besøksadresse: Lilleakerveien 8, 0283 Oslo
> Postadresse: Postboks 66, 1324 Lysaker
