sling-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Vidar Ramdal <>
Subject Re: Sling Authentication
Date Fri, 10 Jun 2011 11:35:34 GMT
2011/6/10 David G. <>:
> Vidar,
> Hrm - i think i misspoke.
> I am trying to figure out the mechanics of
> Authentication/De-Authentication (Sign-In/Sign-Out) for web apps using
> Sling.
> Essentially I want to create two entry points, one that Authenticates
> the user to my web app (sign-in) and one that de-authenticates the
> user (sign-out).
> For sign-in i am using a custom Authentication Handler, which through
> the extractCredentials method, creates/retrieves a JCR user and
> creates an AuthenticationInfo object for said user - and returns it.
> I was under the impression this was enough to "authenticate" the user
> and allow a session cookie to be created, etc. (basically treat the
> user as logged in).
> For some reason, even when I pass back a "valid" AutheticationInfo
> object (and by valid, i mean it represents the user) from the
> AuthenticationHandler's extractcredentials my user is not recognized
> as being "signed in" by Sling (ProfileUtil.isAnonymous(slingReqest) ==
> true).
> Im trying to figure out what the mechanics are for having Sling/JCR
> persist recognition of my user as signed in accross the life of their
> visit to the web site.
> Also, I am tyring to undetstand how to create a logout mechanism that
> operates in a similar fashion.

OK, I haven't worked with the latest versions of the Auth stuff, but
I'm pretty sure you must set and parse the cookie yourself (in your
authentication handler). By default, Sling does not use sessions, so
you must pass the credentials on every request.
One way of doing it could be:
1. The user logs in through a specially designated servlet (see
o.a.s.auth.core.impl.LoginServlet for an example). The servlet sets a
cookie containing the user's credentials (or a session ID, if you want
to implement that)
2. On succeeding requests, your AuthenticationHandler looks for the
cookie, parses it and returns the AuthenticationInfo object
3. On logout, another servlet is used, which deletes the cookie

Again, I'm not totally familiar with the current state of Sling
authentication, so anybody please correct and fill in the missing

Vidar S. Ramdal <>
Webstep AS -
Bes√łksadresse: Lilleakerveien 8, 0283 Oslo
Postadresse: Postboks 66, 1324 Lysaker

View raw message