[
https://issues.apache.org/jira/browse/JCR-3222?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13194699#comment-13194699
]
Felix Meschberger commented on JCR-3222:
----------------------------------------
> That's what the HttpContext.handleSecurity() method does, right? It's needs
> to be able to take over the entire processing of a request.
No, this is called by the Http Service before calling the servlet. The
handleSecurity method either returns true in which case the servlet is called
or false in which case the request is terminated and the servlet is not called.
The handleSecurity method must set up to three request attributes which are
used to implement HttpServletRequest methods (getRemoteUser, getAuthType,
getUserPrincipal). In addition the Sling implementation could provide the
ResourceResolver (what we do in the Sling DavEx bundle.
The handleSecurity method could of course set the SessionProvider, too. But I
don't like this -- special case handling affecting all but used by one only.
In addtion: unless you will be implementing a special proxy SessionProvider
looking for the actual provider on each request, the getSessionProvider()
method is AFAICT only called once no matter how many different SessionProviders
are found in the request attributes... The SessionProvider is not something
request specific but something setup specific. Hence a service and not request
attribute.
> Allow servlet filters to specify custom session providers
> ---------------------------------------------------------
>
> Key: JCR-3222
> URL: https://issues.apache.org/jira/browse/JCR-3222
> Project: Jackrabbit Content Repository
> Issue Type: Improvement
> Components: jackrabbit-jcr-server
> Reporter: Jukka Zitting
> Priority: Minor
> Attachments: JCR-3222-fmeschbe.patch,
> jackrabbit-jcr-server-2.6-SNAPSHOT.jar
>
>
> In order to integrate the Jackrabbit davex server functionality with their
> custom authentication logic, the Sling project currently needs to embed and
> subclass the davex servlet classes. It would be cleaner if such tight
> coupling wasn't needed.
> One way to achieve something like that would be to allow external components
> to provide a custom SessionProvider instance as an extra request attribute.
> This way for example a servlet filter that implements such custom
> authentication logic could easily make its functionality available to the
> standard davex servlet in Jackrabbit.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
