Framework
The core piece of functionality with respect to authentication in Sling is contained in the Sling Commons Auth bundle. This bundle provides the API for Sling and Sling applications to make use of authentication.
This support encompasses three parts:
- The AuthenticationSupport service provided by the SlingAuthenticator class. This service can be used by implementations of the OSGi HttpContext interface to delegate authentication.
- The Authenticator service also provided by the SlingAuthenticator class. This service may be used by Sling Applications to help clients login and logout.
- The AuthenticationHandler service interface. These services may be implemented by extensions to support various ways for transporting credentials from clients to the Sling server.
This page describes how the SlingAuthenticator class provides the AuthenticationSupport and Authenticator services. For a description of the AuthenticationHandler service interface and the interaction between the SlingAuthenticator and the AuthenticationHandler services refer to the AuthenticationHandler page.
The SlingAuthenticator class is an internal class of the org.apache.sling.commons.auth bundle and implements the Authenticator and AuthenticationSupport services.
AuthenticationSupport
The AuthenticationSupport service interface defines a single method: handleSecurity. This method is intended to be called by the handleSecurity method of any HttpContext implementation wishing to make use of the Sling Authentication Framework.
The Sling Authenticator implementation selects an AuthenticationHandler service appropriate for the request and calls the AuthenticationHandler.extractCredentials method to extract the credentials from the request. If no credentials could be extracted, the Sling Authenticator either admits the request as an anonymous request or requests authentication from the client by calling its own login method.
The implementation follows this algorithm:
- Select one or more AuthenticationHandler for the request according to the request URL's scheme and authorization part.
- Call the extractCredentials method of each authentication handler, where the order of handler call is defined by the length of the registered path: handlers registered with longer paths are called before handlers with shorter paths. The goal is to call the handlers in order from longest request path match to shortest match. Handlers not matching the request path at all are not called.
- The first handler returning a non-null AuthenticationInfo result "wins" and the result is used for authentication.
- If any AuthenticationInfoPostProcessor services are registered, the AuthenticationInfo object is passed to their postProcess() method.
- If no handler returns a non-null result, the request may be handled anonymously. In these cases, an empty AuthenticationInfo object is passed to any AuthenticationInfoPostProcessor services.
- (Try to) log into the repository either with the provided credentials or anonymously.
- Set request attributes listed below.
Extracting the credentials and trying to login to the repository may yield the following results:
| Credentials |
Login |
Consequence |
| present |
successfull |
Continue with an authenticated request |
| present |
failed |
Select AuthenticationHandler and call requestCredentials method |
| missing |
anonymous allowed |
Continue with a non authenticated request using anonymous access to the repository |
| missing |
anonymous forbidden |
Select AuthenticationHandler and call requestCredentials method |
![]() | Only one AuthenticationHandler is able to provide credentials for a given request. If the credentials provided by the handler cannot be used to login to the repository, authentication fails and no further AuthenticationHandler is consulted. |
Request Attributes on Successful Login
The handleSecurity method gets credentials from the AuthenticationHandler and logs into the JCR repository using those credentials. If the login is successful, the SlingAuthenticator sets the following request attributes:
| Attribute |
Description |
| org.osgi.service.http.authentication.remote.user |
The user ID of the JCR Session. This attribute is used by the HTTP Service implementation to implement the HttpServletRequest.getRemoteUser method. |
| org.osgi.service.http.authentication.type |
The authentication type defined by the AuthenticationHandler. This attribute is used by the HTTP Service implementation to implement the HttpServletRequest.getAuthType method. |
| org.apache.sling.commons.auth.ResourceResolver |
The ResourceResolver created from the credentials and the logged in JCR Session. This attribute may be used by servlets to access the repository. Namely the SlingMainServlet uses this request attribute to provide the ResourceResolver to handle the request. |
| javax.jcr.Session |
The JCR Session. This attribute is for backwards compatibility only. Its use is deprecated and the attribute will be removed in future versions. |
| org.apache.sling.commons.auth.spi.AuthenticationInfo |
The AuthenticationInfo object produced from the AuthenticationHandler. |
NOTE: Do NOT use the javax.jcr.Session request attribute in your Sling applications. This attribute must be considered implementation specific to convey the JCR Session to the SlingMainServlet. In future versions of the Sling Commons Auth bundle, this request attribute will not be present anymore. To get the JCR Session for the current request adapt the request's resource resolver to a JCR Session:
Session session = request.getResourceResolver().adaptTo(Session.class);
Anonymous Login
The SlingAuthenticator provides high level of control with respect to allowing anonymous requests or requiring authentication up front:
- Global setting of whether anonymous requests are allowed or not. This is the value of the Allow Anonymous Access (auth.annonymous) property of the SlingAuthenticator configuration. This property is supported for backwards compatibility and defaults to true (allowing anonymous access).
- Specific configuration per URL. The Authentication Requirements (sling.auth.requirements) property of the SlingAuthenticator configuration may provide a list of URLs for which authentication may be required or not: Any entry prefixed with a dash - defines a subtree for which authentication is not required. Any entry not prefixed with a dash or prefixed with a plus + defines a subtree for which authentication is required up front and thus anonymous access is not allowed. This list is empty by default.
- Any OSGi service may provide a sling.auth.requirements registration property which is used to dynamically extend the authentication requirements from the Authentication Requirements configuration. This may for example be set by AuthenticationHandler implementations providing a login form to ensure access to the login form does not require authentication. The value of this property is a single string, an array of strings or a Collection of strings and is formatted in the same way as the Authentication Requirements configuration property.
The URLs set on the Authentication Requirements configuration property or the sling.auth.requirements service registration property can be absolute paths or URLs like the path service registration property of AuthenticationHandler services. This allows the limitation of this setup to certain requests by scheme and/or virtual host address.
Examples
- The LoginServlet contained in the Commons Auth bundle registers itself with the service registration property sling.auth.requirements = "-/system/sling/login" to ensure the servlet can be accessed without requiring authentication.
- An authentication handler may register itself with the service registration property sling.auth.requirements = "-/apps/sample/loginform" to ensure the login form can be rendered without requiring authentication.
Authenticator implementation
The implementation of the Authenticator interface is similar for both methods:
login
- Select one or more AuthenticationHandler for the request according to the request URL's scheme and authorization part.
- Call the requestCredentials method of each authentication handler, where the order of handler call is defined by the length of the registered path: handlers registered with longer paths are called before handlers with shorter paths. The goal is to call the handlers in order from longest request path match to shortest match. Handlers not matching the request path at all are not called.
- As soon as the first handlers returns true, the process ends and it is assumed credentials have been requested from the client.
The login method has three possible exit states:
| Exit State |
Description |
| Normal |
An AuthenticationHandler could be selected to which the login request could be forwarded. |
| NoAuthenticationHandlerException |
No AuthenticationHandler could be selected to forward the login request to. In this case, the caller can proceed as appropriate. For example a servlet, which should just login a user may send back a 403/FORBIDDEN status because login is not possible. Or a 404/NOT FOUND handler, which tried to login as a fallback, may continue and send back the regular 404/NOT FOUND response. |
| IllegalStateException |
The response has already been committed and the login request cannot be processed. Normally to request login, the current response must be reset and a new response has to be prepared. This is only possible if the request has not yet been committed. |
logout
- Select one or more AuthenticationHandler for the request according to the request URL's scheme and authorization part.
- Call the dropCredentials method of each authentication handler, where the order of handler call is defined by the length of the registered path: handlers registered with longer paths are called before handlers with shorter paths. The goal is to call the handlers in order from longest request path match to shortest match. Handlers not matching the request path at all are not called.
Unlike for the login method in the logout method case all AuthenticationHandler services selected in the first step are called. If none can be selected or none can actually handle the dropCredentials request, the logout silently returns.
