[CONF] Apache Sling Website > Authentication - AuthenticationHandler

[confluence]

Authentication - AuthenticationHandler Page added by Felix Meschberger AuthenticationHandler The AuthenticationHandler interface defines the service API which may be implemented by authentication handlers registered as OSGi services. The AuthenticationHandler services have a single required service registration property which is used to identify requests to which the AuthenticationHandler service is applicable: path One or more (array or vector) string values indicating the request URLs to which the AuthenticationHandler is applicable. Each path may be an absolute URL, an URL with just the host/port and path or just a plain absolute path: URL part Scheme Host/Port Path Absolute URL must match must match request URL path is prefixed with the path Host/Port with Path ignored must match request URL path is prefixed with the path Path ignored ignored request URL path is prefixed with the path When looking for an AuthenticationHandler the authentication handler is selected whose path is the longest match on the request URL. If the service is registered with Scheme and Host/Port, these must exactly match for the service to be eligible. The value of path service registration property value triggering the call to any of the AuthenticationHandler methods is available as the path request attribute (for the time of the method call only). If the service is registered with multiple path values, the value of the path request attribute may be used to implement specific handling. Sample implementations HTTP Basic Authentication Handler extractCredentials – Get user name and password from the Authorization HTTP header requestCredentials – Send a 401/UNAUTHORIZED status with WWW-Authenticate response header setting the Realm dropCredentials – Send a 401/UNAUTHORIZED status with WWW-Authenticate response header setting the Realm Interestingly the dropCredentials method is implemented in the same way as the requestCredentials method. The reason for this is, that HTTP Basic authentication does not have a notion of login and logout. Rather the request is accompanied with an Authorization header or not. The contents of this header is usually cached by the client browser. So logout is actually simulated by sending a 401/UNAUTHORIZED status thus causing the client browser to clear the cache and ask for user name and password. H4. Form Based Authentication Handler extractCredentials – Get user name and password with the help of a special cookie (note, that of course the cookie should not contain this data, but refer to it in an internal store of the authentication handler). If the cookie is not set, check for specific login parameters to setup the cookie. requestCredentials – Send the login form for the user to provide the login parameters. dropCredentials – Clear the authentication cookie and internal store. Change Notification Preferences View Online | Add Comment