Author: buildbot
Date: Mon Apr 29 14:22:42 2013
New Revision: 860301

Log:
Staging update by buildbot for sling

Modified:
    websites/staging/sling/trunk/content/   (props changed)
    websites/staging/sling/trunk/content/documentation/the-sling-engine/authentication/authentication-authenticationhandler/openid-authenticationhandler.html
    websites/staging/sling/trunk/content/site/.htaccess

Propchange: websites/staging/sling/trunk/content/
------------------------------------------------------------------------------
--- cms:source-revision (original)
+++ cms:source-revision Mon Apr 29 14:22:42 2013
@@ -1 +1 @@
-1476906
+1477098

Modified: websites/staging/sling/trunk/content/documentation/the-sling-engine/authentication/authentication-authenticationhandler/openid-authenticationhandler.html
==============================================================================
--- 
websites/staging/sling/trunk/content/documentation/the-sling-engine/authentication/authentication-authenticationhandler/openid-authenticationhandler.html
 (original)
+++ 
websites/staging/sling/trunk/content/documentation/the-sling-engine/authentication/authentication-authenticationhandler/openid-authenticationhandler.html
 Mon Apr 29 14:22:42 2013
@@ -133,7 +133,7 @@
 <td>The reason why an earlier attempt at authentication with the OpenID 
authentication handler failed. This request parameter is only set if the same 
named request attribute has been set by the <code>extractCredentials</code> or 
the <code>authenticationFailed</code> method. The value of the parameter is the 
name of one of the <code>OpenIDFailure</code> constants.</td>
 </tr>
 <tr>
-<td><code>j*openid*identity</code></td>
+<td><code>j_openid_identity</code></td>
 <td>The OpenID identity which could not successfully be associated with an 
existing JCR user. This request parameter is only set if the 
<code>authenticationFailed</code> method has been called due to inability to 
associate an existing and validated OpenID identity with an existing JCR 
user.</td>
 </tr>
 </tbody>
@@ -168,8 +168,8 @@
 </tr>
 <tr>
 <td><code>openid.login.identifier</code></td>
-<td><code>openid*identifier</code></td>
-<td>The name of the form parameter that provides the user's OpenID identifier. 
By convention this is <code>openid*identifier</code>. Only change this if you 
have a very good reason to do so.</td>
+<td><code>openid_identifier</code></td>
+<td>The name of the form parameter that provides the user's OpenID identifier. 
By convention this is <code>openid_identifier</code>. Only change this if you 
have a very good reason to do so.</td>
 </tr>
 <tr>
 <td><code>openid.external.url.prefix</code></td>
@@ -239,7 +239,7 @@
 <td>The reason why an earlier attempt at authentication with the OpenID 
authentication handler failed. This request parameter is only set if the same 
named request attribute has been set by the <code>extractCredentials</code> or 
the <code>authenticationFailed</code> method. The value of the parameter is the 
name of one of the <code>OpenIDFailure</code> constants.</td>
 </tr>
 <tr>
-<td><code>j*openid*identity</code></td>
+<td><code>j_openid_identity</code></td>
 <td>The OpenID identity which could not successfully be associated with an 
existing JCR user. This request parameter is only set if the 
<code>authenticationFailed</code> method has been called due to inability to 
associate an existing and validated OpenID identity with an existing JCR 
user.</td>
 </tr>
 </tbody>
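
Review bot: This j_openid_identity row, together with its j_reason context row, is word for word the same as the one corrected in the hunk at line 133, so the same typo had to be fixed twice on one page. If both tables come from the same source text, consider keeping the parameter description in one place and linking to it from the other, so that future corrections cannot drift apart.
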
@@ -249,24 +249,24 @@
 <h3 
id="authenticationfeedbackhandler-implementation">AuthenticationFeedbackHandler 
implementation</h3>
 <h4 id="authenticationfailed">authenticationFailed</h4>
 <p>This method is called, if the Credentials provided by the Authentication 
Handler could not be validated by the Jackrabbit authentication infrastructure. 
One cause may be that the integration with Jackrabbit has not been completed 
(see <em>Integration with Jackrabbit</em> below). Another, more probably cause, 
is that the validated OpenID identifier cannot be associated with an existing 
JCR user.</p>
-<p>The OpenID Authentication Handler implementation of the 
<code>authenticationFailed</code> method sets the <code>j*reason</code> request 
attribute to <code>OpenIDFailure.REPOSITORY</code> and sets the 
<code>j*openid_identity</code> request attribute to the OpenID identity of the 
authenticated user.</p>
+<p>The OpenID Authentication Handler implementation of the 
<code>authenticationFailed</code> method sets the <code>j_reason</code> request 
attribute to <code>OpenIDFailure.REPOSITORY</code> and sets the 
<code>j_openid_identity</code> request attribute to the OpenID identity of the 
authenticated user.</p>
 <p>A login form provider may wish to act upon this situation and provide a 
login form to the user to allow to his OpenID identity with an existing JCR 
user.</p>
 <p>In addition, the current OpenID identity is invalidated thus the cached 
OpenID information is removed from the HTTP Session or the OpenID cookie is 
cleaned. This will allow the user to present a different OpenID identifier to 
retry or it will require the OpenID identity to be revalidated with the OpenID 
provider if the identity is associated with a JCR user.</p>
 <h4 id="authenticationsucceeded">authenticationSucceeded</h4>
 <p>The OpenID Authentication Handler implementation of the 
<code>authenticationSucceeded</code> method just calls the 
<code>DefaultAuthenticationFeedbackHandler.handleRedirect</code> method to 
redirect the user to the initially requested location.</p>
 <h3 id="integration-with-jackrabbit">Integration with Jackrabbit</h3>
 <p>The OpenID authentication handler can be integrated in two ways into the 
Jackrabbit authentication mechanism which is based on JAAS 
<code>LoginModule</code>. One integration is by means of a 
<code>LoginModulePlugin</code> which plugs into the extensible 
<code>LoginModule</code> architecture supported by the Sling Jackrabbit 
Embedded Repository bundle.</p>
-<p>The other integration option is the 
<code>trusted*credentials*attribute</code> mechanism supported by the 
Jackrabbit <code>DefaultLoginModule</code>. By setting the 
<code>trusted*credentials*attribute</code> parameter of the Jackrabbit 
<code>DefaultLoginModule</code> and the <code>openid.user.attr</code> 
configuration property of the OpenID Authentication Handler to the same value, 
the existence of an attribute of that name in the 
<code>SimpleCredentials</code> instance provided to the 
<code>Repository.login</code> method signals pre-authenticated credentials, 
which need not be further checked by the <code>DefaultLoginModule</code>.</p>
+<p>The other integration option is the 
<code>trusted_credentials_attribute</code> mechanism supported by the 
Jackrabbit <code>DefaultLoginModule</code>. By setting the 
<code>trusted_credentials_attribute</code> parameter of the Jackrabbit 
<code>DefaultLoginModule</code> and the <code>openid.user.attr</code> 
configuration property of the OpenID Authentication Handler to the same value, 
the existence of an attribute of that name in the 
<code>SimpleCredentials</code> instance provided to the 
<code>Repository.login</code> method signals pre-authenticated credentials, 
which need not be further checked by the <code>DefaultLoginModule</code>.</p>
 <h3 id="security-considerations">Security Considerations</h3>
 <p>OpenIDAuthentication has some limitations in terms of security:</p>
 <ol>
 <li>User name and password are transmitted in plain text in the initial form 
submission.</li>
 <li>The Cookie used to provide the authentication state or the HTTP Session ID 
may be stolen.</li>
-<li>When using the <code>trusted*credentials*attribute</code> mechanism, any 
intruder knowing the attribute name may log into the repository as any existing 
JCR user. The better option is to be based on the 
<code>LoginModulePlugin</code> mechanism.</li>
+<li>When using the <code>trusted_credentials_attribute</code> mechanism, any 
intruder knowing the attribute name may log into the repository as any existing 
JCR user. The better option is to be based on the 
<code>LoginModulePlugin</code> mechanism.</li>
 </ol>
 <p>To prevent eavesdroppers from sniffing the credentials or stealing the 
Cookie a secure transport layer should be used such as TLS/SSL, VPN or 
IPSec.</p>
       <div class="timestamp" style="margin-top: 30px; font-size: 80%; 
text-align: right;">
-        Rev. 1475804 by dklco on Thu, 25 Apr 2013 14:45:50 +0000
+        Rev. 1477098 by dklco on Mon, 29 Apr 2013 14:22:34 +0000
       </div>
       <div class="trademarkFooter"> 
         Apache Sling, Sling, Apache, the Apache feather logo, and the Apache 
Sling project
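
Review bot: The rewritten trusted_credentials_attribute paragraph under "Integration with Jackrabbit" still presents the mechanism without the caveat that only appears later as item 3 of "Security Considerations" (any intruder knowing the attribute name may log into the repository as any existing JCR user). Since this paragraph is being touched anyway, add a sentence there that points to that item and names the LoginModulePlugin integration as the preferred option. Two wording problems in the unchanged context lines of this hunk could be fixed in the same pass: "more probably cause" should read "more probable cause", and "to allow to his OpenID identity with an existing JCR user" is missing its verb.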

Modified: websites/staging/sling/trunk/content/site/.htaccess
==============================================================================
--- websites/staging/sling/trunk/content/site/.htaccess (original)
+++ websites/staging/sling/trunk/content/site/.htaccess Mon Apr 29 14:22:42 2013
@@ -21,4 +21,5 @@ Redirect Permanent /site/adapters.html /
 Redirect Permanent /site/apache-sling-commons-thread-pool.html 
/documentation/bundles/apache-sling-commons-thread-pool.html
 Redirect Permanent /site/apache-sling-community-roles-and-processes.html 
/project-information/apache-sling-community-roles-and-processes.html
 Redirect Permanent /site/authentication-actors.html 
/documentation/the-sling-engine/authentication/authentication-actors.html
-Redirect Permanent /site/form-based-authenticationhandler.html 
/documentation/the-sling-engine/authentication/authentication-authenticationhandler/form-based-authenticationhandler.html
\ No newline at end of file
+Redirect Permanent /site/form-based-authenticationhandler.html 
/documentation/the-sling-engine/authentication/authentication-authenticationhandler/form-based-authenticationhandler.html
+Redirect Permanent /site/openid-authenticationhandler.html 
/documentation/the-sling-engine/authentication/authentication-authenticationhandler/openid-authenticationhandler.html
\ No newline at end of file
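
Review bot: The last line of .htaccess still has no trailing newline ("\ No newline at end of file" appears on both the old and the new side), which is why the existing /site/form-based-authenticationhandler.html redirect shows up as removed and re-added although its text is identical. End the file with a newline so that the next appended Redirect produces a one-line diff.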

