Hi,

On 04.02.2010 10:58, Ian Boston wrote:
>
> On 4 Feb 2010, at 09:51, Felix Meschberger wrote:
>
>> Hi all,
>>
>> While working on some authentication handler stuff (integration Eric's
>> work and brushing up the OpenID handler), I started wondering, whether
>> we should not integrate a bare HTTP Basic Authentication handler into
>> the Sling Commons Auth bundle.
>>
>> By "bare" I mean, just support for sending 401 status back to the
>> client, not thrilling form support or such. Very simple:
>>
>> - extractCredentials: reads Authentication header if existing
>> - requestCredentials: sends 401 status
>> - dropCredentials: does nothing or also sends 401 status
>>
>> This handler would not be registered as a service but directly known to
>> the SlingAuthenticator class, which ensures this handler is always asked
>> as a last resort.
>>
>> As a consequence we could fade out support for the existing httpauth
>> bundle, since we would then have regular HTTP Basic auth in commons auth
>> and form based support in the new cookieauth handler and of course even
>> cooler stuff in the openid handler.
>>
>> WDYT ?
>
> Would there be a configuration script to disable, I can imagine situations
> where there is a SSO solution and deployers positively want to disable basic
> auth, perhaps because they have Kerberos deployed or because of local policy
> and not entering passwords into anything other than the official SSO authN
> interface. Some Universities have policies like this.

Yes, there will be a configuration switch of some sorts to disable this.

Regards
Felix

>
> Ian
>
>>
>> Regards
>> Felix
>
>
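The following sketch is added here and is not part of the thread or of Sling's code. It shows what a "bare" Basic handler with a disable switch has to get right when parsing the `Authorization` request header (RFC 7617): malformed Base64, a missing separator, colons inside the password, and staying silent when disabled. The class name `BareBasicAuth`, its constructor, its return types and the UTF-8 decoding are assumptions for illustration; it needs Java 16 or later for `record`.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Optional;

// Hypothetical stand-alone class; it does not implement Sling's handler interface.
public final class BareBasicAuth {
    public record Credentials(String user, char[] password) {}

    private final boolean enabled; // the configuration switch discussed in the thread
    private final String realm;

    public BareBasicAuth(boolean enabled, String realm) {
        this.enabled = enabled;
        this.realm = realm.replace("\"", ""); // keep the quoted-string well-formed
    }

    // extractCredentials: parse the Authorization header value, if one was sent.
    public Optional<Credentials> extractCredentials(String header) {
        if (!enabled || header == null) return Optional.empty();
        String[] parts = header.trim().split("\\s+", 2);
        if (parts.length != 2 || !parts[0].equalsIgnoreCase("Basic")) return Optional.empty();
        String decoded;
        try {
            decoded = new String(Base64.getDecoder().decode(parts[1]), StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            return Optional.empty(); // malformed Base64: treat as no credentials
        }
        int colon = decoded.indexOf(':'); // split on the first colon only
        if (colon <= 0) return Optional.empty(); // no separator or empty user name
        return Optional.of(new Credentials(decoded.substring(0, colon),
                decoded.substring(colon + 1).toCharArray()));
    }

    // requestCredentials: the WWW-Authenticate value to send with a 401 status,
    // or empty when Basic auth is disabled so the caller never issues the challenge.
    public Optional<String> requestCredentials() {
        return enabled ? Optional.of("Basic realm=\"" + realm + "\"") : Optional.empty();
    }

    public static void main(String[] args) {
        // Constructed sample header for user "alice" with a password containing a colon.
        String h = "Basic " + Base64.getEncoder()
                .encodeToString("alice:s3:cret".getBytes(StandardCharsets.UTF_8));
        BareBasicAuth on = new BareBasicAuth(true, "Sling (constructed)");
        BareBasicAuth off = new BareBasicAuth(false, "Sling (constructed)");
        System.out.println(on.extractCredentials(h).map(Credentials::user));
        System.out.println(on.extractCredentials("Basic !!!").isPresent());
        System.out.println(off.extractCredentials(h).isPresent() + " " + off.requestCredentials());
    }
}
```

With the switch off, the sketch ignores a presented header and offers no challenge, so a client is never prompted to type a password outside the SSO interface.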
