sling-dev mailing list archives

From David Gonzalez <davidjgonza...@gmail.com>
Subject Re: Sling Authentication
Date Fri, 10 Jun 2011 13:31:05 GMT
Vidar,

Thanks for the update. I think you may be thinking of an earlier implementation of Sling though?

1) In the Sling Docs, it appears authentication state is stored in a cookie or HTTP Session.

"After the successful authentication of the user in phase 1, the authentication state is
stored in a Cookie or an HTTP Session. The stored value is a security token with the following
contents:"

HmacSHA1(securetoken, <securetokennumber><expirytime>@<userID>)@<securetokennumber><expirytime>@<userID>

http://sling.apache.org/site/form-based-authenticationhandler.html

This is very strange to me, since Sling is supposed to be stateless, and this seems rather
stateful.


2) At the bottom of the wiki under "Complete Steps for Authenticating HTTP Requests" it makes
it seem like the only thing you need to do to auth a user and maintain authentication status
is return a valid AuthenticationInfo object.

https://cwiki.apache.org/confluence/display/SLING/User+Authentication



-- 
David Gonzalez
Sent with Sparrow (http://www.sparrowmailapp.com)

On Friday, June 10, 2011 at 7:35 AM, Vidar Ramdal wrote:

> 2011/6/10 David G. <davidjgonzalez@gmail.com (mailto:davidjgonzalez@gmail.com)>:
> > Vidar,
> > 
> > Hrm - I think I misspoke.
> > 
> > I am trying to figure out the mechanics of
> > Authentication/De-Authentication (Sign-In/Sign-Out) for web apps using
> > Sling.
> > 
> > Essentially I want to create two entry points, one that Authenticates
> > the user to my web app (sign-in) and one that de-authenticates the
> > user (sign-out).
> > 
> > For sign-in I am using a custom Authentication Handler, which through
> > the extractCredentials method, creates/retrieves a JCR user and
> > creates an AuthenticationInfo object for said user - and returns it.
> > 
> > I was under the impression this was enough to "authenticate" the user
> > and allow a session cookie to be created, etc. (basically treat the
> > user as logged in).
> > 
> > For some reason, even when I pass back a "valid" AuthenticationInfo
> > object (and by valid, I mean it represents the user) from the
> > AuthenticationHandler's extractCredentials my user is not recognized
> > as being "signed in" by Sling (ProfileUtil.isAnonymous(slingRequest) ==
> > true).
> > 
> > I'm trying to figure out what the mechanics are for having Sling/JCR
> > persist recognition of my user as signed in across the life of their
> > visit to the web site.
> > 
> > Also, I am trying to understand how to create a logout mechanism that
> > operates in a similar fashion.
> 
> OK, I haven't worked with the latest versions of the Auth stuff, but
> I'm pretty sure you must set and parse the cookie yourself (in your
> authentication handler). By default, Sling does not use sessions, so
> you must pass the credentials on every request.
> One way of doing it could be:
> 1. The user logs in through a specially designated servlet (see
> o.a.s.auth.core.impl.LoginServlet for an example). The servlet sets a
> cookie containing the user's credentials (or a session ID, if you want
> to implement that)
> 2. On succeeding requests, your AuthenticationHandler looks for the
> cookie, parses it and returns the AuthenticationInfo object
> 3. On logout, another servlet is used, which deletes the cookie
> 
> Again, I'm not totally familiar with the current state of Sling
> authentication, so anybody please correct and fill in the missing
> stuff.
> 
> 
> -- 
> Vidar S. Ramdal <vidar.ramdal@webstep.no (mailto:vidar.ramdal@webstep.no)>
> Webstep AS - http://www.webstep.no
> Visiting address: Lilleakerveien 8, 0283 Oslo
> Postal address: Postboks 66, 1324 Lysaker

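The token format quoted in point 1 of the message above is what lets the cookie carry authentication state without the server keeping a session: the server only needs its secret key to recompute the HMAC over `<securetokennumber><expirytime>@<userID>` and check the expiry. The following is an added illustration of that build/verify cycle, not code from Sling; it assumes the token number is a fixed-width (two-digit) index into a ring of server secrets, since the page does not specify field widths, and uses a constructed key ring.

```python
import hashlib
import hmac
import time
from typing import Optional

# Constructed key ring (assumption): the token number selects which server
# secret signed the cookie, so keys can be rotated without breaking old tokens.
SECRETS = {0: b"constructed-secret-zero", 1: b"constructed-secret-one"}

# Assumed fixed width so <securetokennumber> can be split from <expirytime>.
TOKEN_NUMBER_WIDTH = 2


def build_token(token_number: int, expiry_ms: int, user_id: str) -> str:
    """Return HmacSHA1(secret, <num><expiry>@<user>)@<num><expiry>@<user>."""
    payload = f"{token_number:0{TOKEN_NUMBER_WIDTH}d}{expiry_ms}@{user_id}"
    mac = hmac.new(SECRETS[token_number], payload.encode("utf-8"), hashlib.sha1).hexdigest()
    return f"{mac}@{payload}"


def verify_token(token: str, now_ms: Optional[int] = None) -> Optional[str]:
    """Return the user ID if the token is authentic and unexpired, else None."""
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    parts = token.split("@", 2)  # maxsplit keeps any '@' inside the user ID
    if len(parts) != 3:
        return None
    mac, num_exp, user_id = parts
    if len(num_exp) <= TOKEN_NUMBER_WIDTH or not num_exp.isdigit():
        return None
    secret = SECRETS.get(int(num_exp[:TOKEN_NUMBER_WIDTH]))
    if secret is None:
        return None  # unknown or retired key number
    # Recompute the MAC over the raw payload bytes exactly as received.
    expected = hmac.new(secret, f"{num_exp}@{user_id}".encode("utf-8"), hashlib.sha1).hexdigest()
    if not hmac.compare_digest(expected, mac):
        return None  # tampered payload or wrong key: constant-time compare
    if int(num_exp[TOKEN_NUMBER_WIDTH:]) <= now_ms:
        return None  # expired: the client cannot extend its own expiry
    return user_id
```

Logout in this scheme is simply deleting the cookie on the client side; because the server holds no session, a token that has already been issued stays valid until its expiry unless the key it was signed with is rotated out.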
