The doc at [1] is good. The main thing to remember is the OSGi
HttpService calls handleSecurity on the HttpContext registered against
the URL. In the case of Sling, the SlingMainServlet implements
HttpContext.handleSecurity that calls the SlingAuthenticator which
then selects an AuthenticationHandler and calls authenticate.
All AuthenticationHandler.authenticate is supposed to do is to inspect
the request (cookies, URL, request parameters, post parameters), to
extract any information it can and build a set of Credentials.
These Credentials might represent an anonymous user if the request has
no tokens that represent a user, or the user in question.
So AuthenticationHandler.authenticate just creates AuthenticationInfo
from the request, it does not ask the client for anything more.
---------------------------------------
If Sling decides that the user must log in, it will call
requestAuthentication. The AuthenticationHandler implementation should,
for requests that it controls, respond with a response that causes the
client to perform authentication, and return true.
So in the case of a WebISO system (CAS/WebAuth/etc) it would craft a
redirect to a URL that performs authentication on the central WebISO
server. When the client comes back with the authentication payload the
AuthenticationHandler.authenticate method should pick the
authentication payload off the request, and set something to store the
fact the user authenticated.
There are good and bad options here, for instance a secure self
transforming cookie would be a good choice, a session cookie would be
an OK alternative to a server-side HTTP session. The
AuthenticationHandler.authenticate should also look for this cookie or
session to extract the credentials.
-----------------------------------------
Triggering authentication:
1. Just go to the WebISO url with a suitable return location (as every
return url passes through the AuthenticationHandler.authenticate).
2. Do something on the request that forces the redirect to happen.
Did any of that make sense?
Ian
[1] http://sling.apache.org/site/authentication.html
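The flow Ian describes, put into one handler as an added example (this is not code from the thread, from the Sling project, or from Stuart's CAS handler). It assumes the Sling engine AuthenticationHandler contract the thread describes: authenticate() returns an AuthenticationInfo, null for anonymous, or AuthenticationInfo.DOING_AUTH once the handler has itself committed a response; requestAuthentication() sends the redirect to the WebISO login and returns true. The CAS login URL, the cookie name, the "login" trigger parameter, the TicketValidator helper and the HMAC key are all assumptions. The "remember that the user authenticated" step uses an HMAC-signed cookie, one way to get a self-validating token without a server-side HttpSession:

```java
package example.cas; // hypothetical package, added example only

import java.io.IOException;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.jcr.SimpleCredentials;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.sling.engine.auth.AuthenticationHandler; // assumed: the 2009 engine API
import org.apache.sling.engine.auth.AuthenticationInfo;

public class CasAuthenticationHandler implements AuthenticationHandler {

    private static final String AUTH_TYPE = "CAS";
    private static final String COOKIE_NAME = "cas-auth"; // assumed cookie name
    private static final String LOGIN_PARAM = "login";    // assumed trigger parameter
    private static final long TTL_MILLIS = 8L * 60 * 60 * 1000;

    /** Assumed helper: asks the CAS server to validate a service ticket; user id or null. */
    public interface TicketValidator {
        String validate(String ticket, String serviceUrl);
    }

    private final String casLoginUrl;        // e.g. https://cas.example.org/cas/login (assumed)
    private final TicketValidator validator;
    private final byte[] hmacKey;            // server secret; never sent to the client

    public CasAuthenticationHandler(String casLoginUrl, TicketValidator validator, byte[] hmacKey) {
        this.casLoginUrl = casLoginUrl;
        this.validator = validator;
        this.hmacKey = hmacKey.clone();
    }

    public AuthenticationInfo authenticate(HttpServletRequest req, HttpServletResponse res) {
        // Case 1: back from CAS with a service ticket. Validate it server-to-server and
        // remember the result in a signed cookie so later requests need no CAS round trip.
        String ticket = req.getParameter("ticket");
        if (ticket != null) {
            String user = validator.validate(ticket, serviceUrl(req));
            if (user == null) return null; // bad ticket: anonymous, do not loop back to CAS
            res.addCookie(signedCookie(user));
            return info(user);
        }
        // Case 2: a previous login left a cookie; trust its user id only after the MAC checks.
        String user = userFromCookie(req);
        if (user != null) return info(user);
        // Case 3: the request itself asks for a login (?login). Send the redirect now and return
        // DOING_AUTH, which (per the thread) tells Sling the response is already handled.
        if (req.getParameter(LOGIN_PARAM) != null && requestAuthentication(req, res)) {
            return AuthenticationInfo.DOING_AUTH;
        }
        return null; // anonymous
    }

    public boolean requestAuthentication(HttpServletRequest req, HttpServletResponse res) {
        try {
            res.sendRedirect(casLoginUrl + "?service=" + URLEncoder.encode(serviceUrl(req), "UTF-8"));
            return true;
        } catch (IOException e) {
            return false;
        }
    }

    /** CAS appends ?ticket=... to this URL and it must match at validation time, so the
     *  query string (which could carry an old ticket or the login trigger) is dropped. */
    private static String serviceUrl(HttpServletRequest req) {
        return req.getRequestURL().toString();
    }

    private static AuthenticationInfo info(String user) {
        // Empty password: CAS vouched for the user. The repository login must accept such
        // credentials (a trusting login module), which is outside this example.
        return new AuthenticationInfo(AUTH_TYPE, new SimpleCredentials(user, new char[0]));
    }

    // Cookie value: b64(user|expiry) "." b64(HMAC-SHA256(user|expiry)); expiry bounds replay.
    private Cookie signedCookie(String user) {
        String payload = user + "|" + (System.currentTimeMillis() + TTL_MILLIS);
        Cookie c = new Cookie(COOKIE_NAME, b64(payload.getBytes(StandardCharsets.UTF_8)) + "." + b64(mac(payload)));
        c.setPath("/");
        c.setSecure(true);   // only over TLS
        c.setHttpOnly(true); // Servlet 3.0+: keep page scripts away from the token
        return c;
    }

    private String userFromCookie(HttpServletRequest req) {
        Cookie[] cookies = req.getCookies();
        if (cookies == null) return null;
        for (Cookie c : cookies) {
            if (!COOKIE_NAME.equals(c.getName())) continue;
            String[] parts = c.getValue().split("\\.", 2);
            if (parts.length != 2) return null;
            byte[] payloadBytes, given;
            try {
                payloadBytes = Base64.getUrlDecoder().decode(parts[0]);
                given = Base64.getUrlDecoder().decode(parts[1]);
            } catch (IllegalArgumentException e) {
                return null;
            }
            String payload = new String(payloadBytes, StandardCharsets.UTF_8);
            // Constant-time compare so a forged MAC cannot be guessed byte by byte.
            if (!MessageDigest.isEqual(given, mac(payload))) return null;
            int sep = payload.lastIndexOf('|');
            if (sep < 0 || Long.parseLong(payload.substring(sep + 1)) < System.currentTimeMillis()) return null;
            return payload.substring(0, sep);
        }
        return null;
    }

    private byte[] mac(String payload) {
        try {
            Mac m = Mac.getInstance("HmacSHA256");
            m.init(new SecretKeySpec(hmacKey, "HmacSHA256"));
            return m.doFinal(payload.getBytes(StandardCharsets.UTF_8));
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    private static String b64(byte[] b) {
        return Base64.getUrlEncoder().withoutPadding().encodeToString(b);
    }
}
```

The point Stuart ran into is case 3: returning null means "anonymous" and the page is served; the redirect only happens if the handler itself sends it (here on the ?login trigger, or when Sling calls requestAuthentication). Logging out is just clearing the cookie; because the token is signed rather than stored, there is no server-side state to drop, but the HMAC key must be rotated to invalidate all tokens at once.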
On 27 Oct 2009, at 20:16, D. Stuart Freeman wrote:
I'm trying to write an AuthenticationHandler for CAS, I've looked at the
OpenID handler to get an idea of how this should work. It looks like
authenticate() gets called for every request and if it can't authenticate
the user then requestAuthentication() gets called to prompt a login. I
can't figure out though how to trigger the call to
requestAuthentication(), if authenticate() returns null I just get
dropped on the page I was trying to navigate to and returning
AuthenticationInfo.DOING_AUTH gives me a 401 error. Am I misunderstanding
the way AuthenticationHandlers work?
If it's any help in understanding what I'm doing wrong the basic logic of
my handler is as follows. authenticate() checks the session to see if
the user is already logged in, if not it tries to do a CAS gatewayed
auth. If neither of those is successful it returns null.
requestAuthentication() redirects the user to the CAS login page and
returns true.
--
D. Stuart Freeman
Georgia Institute of Technology