Remove JCR Session as request attribte
--------------------------------------
Key: SLING-1654
URL: https://issues.apache.org/jira/browse/SLING-1654
Project: Sling
Issue Type: Task
Components: Commons
Reporter: Felix Meschberger
Assignee: Felix Meschberger
Fix For: Commons Auth 1.0.0
Currently the SlingAuthenticator sets the following three request attributes in
the Authenticator.handleSecurity method besides the attributes required by the
OSGi Http Service spec:
javax.jcr.Session -- the primary session underlying the resource resolver
$$org.apache.sling.commons.auth.impl.SlingAuthenticatorResourceResolver$$ --
internal wrapper to help logout the resource resolver
org.apache.sling.commons.auth.ResourceResolver -- the request's resource
resolver
The Session is here for backwards compatibility for a looooong time now. The
official way to get at a session in requests has long been to adapt the
request's resource resolver to a Session. Keeping the Session as a request
attribute just makes cleaning up at the end more complicated.
The $$org.apache.sling.commons.auth.impl.SlingAuthenticatorResourceResolver$$
request attribute has been introduce with the commons auth module but before
the ResourceResolver.close() method to cleanup the resource resolver and
session after request processing. This request attribute is not needed any
longer thanks to the ResourceResolver.close() method which allows for propery
cleanup.
This the
$$org.apache.sling.commons.auth.impl.SlingAuthenticatorResourceResolver$$ and
javax.jcr.Session request attributes should not be set any longer.
As kind of a replacement, JavaDoc of the Authenticator interface and
particularly the Authenticator.handleSecurity method should be enhanced to list
the request attributes be set and to request from the caller to call the
close() method on the resource resovler at then end of request processing.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
