[ 
https://issues.apache.org/jira/browse/SLING-1383?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Felix Meschberger updated SLING-1383:
-------------------------------------

    Attachment: SLING-1383.patch

Proposed patch migrating the HTTP Basic Authentication Handler to the Commons 
Auth bundle to provide HTTP Basic Authentication out of the box.

This support is used as a fall back if no other handler takes control and can 
also be switched off to prevent HTTP Basic Authentication completely.

One use case of this out-of-the-box handler might be REST applications talking 
directly to Sling and providing HTTP Basic Credentials pre-emptively. 

This handler replaces the existing HTTP Basic authentication handler of the 
extensions/httpauth project, though this handler has one important difference: 
The new handler does not support login forms while the old one does (yet, login 
forms proved to be brittle with the advent of the WebKit based Safari and 
Chrome browsers).

Comments ?

> Provide out-of-the-box HTTP Basic authentication handler in the Commons Auth 
> bundle
> -----------------------------------------------------------------------------------
>
>                 Key: SLING-1383
>                 URL: https://issues.apache.org/jira/browse/SLING-1383
>             Project: Sling
>          Issue Type: Improvement
>          Components: Commons
>            Reporter: Felix Meschberger
>            Assignee: Felix Meschberger
>             Fix For: Commons Auth 1.0.0
>
>         Attachments: SLING-1383.patch
>
>
> As discussed in http://markmail.org/thread/kyy25qmfus66son3 the existing HTTP 
> Basic authentication handler should be merged into the Commons Auth bundle 
> with the following simplifications:
>   * Form support is dropped entirely
>   * extractCredentials will always be enabled to support pre-emptive 
> authentication (e.g. for HTTP Client applications)
>   * requestCredentials disabled by default, may be enabled by configuration
>   * dropCredentials disabled by default, may be configured to send 401 by 
> configuration
> Note on Form support: It turns out that form support is very complicated for 
> the Internet Explorer and Firefox class browsers and impossible to support 
> for WebKit class browsers like Chrome and Safari. So instead of further 
> maintaining a complicated codebase with lots of special cases, it is better 
> to support the basic case of simple HTTP Basic authentication out of the box 
> and to do form based authentication right (as with the Form Based 
> Authentication handler).

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
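
An added example, not part of the original message or of the attached patch: a minimal Java sketch of the two behaviours named in the issue, always-on extraction of pre-emptively sent Basic credentials and a 401 challenge that is only issued when enabled. The method names `extractCredentials` and `requestCredentials` come from the issue text; the class name, signatures, the UTF-8 charset, the rejection of empty user names and the sample values are assumptions. It needs Java 16 or later for `record`.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Optional;

public class BasicAuthFallbackExample {

    /** Parsed credentials; the password may itself contain ':' characters. */
    record Credentials(String user, String password) {}

    /** Always-on extraction, so clients can send credentials pre-emptively. */
    static Optional<Credentials> extractCredentials(String authorization) {
        if (authorization == null) {
            return Optional.empty();
        }
        String[] parts = authorization.trim().split("\\s+", 2);
        // The scheme name is case-insensitive; other schemes are left to other handlers.
        if (parts.length != 2 || !parts[0].equalsIgnoreCase("Basic")) {
            return Optional.empty();
        }
        String decoded;
        try {
            byte[] raw = Base64.getDecoder().decode(parts[1].trim());
            decoded = new String(raw, StandardCharsets.UTF_8); // assumption: UTF-8
        } catch (IllegalArgumentException malformedBase64) {
            return Optional.empty();
        }
        int colon = decoded.indexOf(':'); // only the first ':' separates user and password
        if (colon < 1) {
            return Optional.empty(); // assumption: no separator or empty user name is rejected
        }
        return Optional.of(new Credentials(decoded.substring(0, colon), decoded.substring(colon + 1)));
    }

    /** Challenge value to send with a 401, or empty when requestCredentials is off. */
    static Optional<String> requestCredentials(boolean enabled, String realm) {
        return enabled ? Optional.of("Basic realm=\"" + realm + "\"") : Optional.empty();
    }

    public static void main(String[] args) {
        // Constructed sample header: user "alice", password "s3:cret", lower-case scheme.
        String header = "basic " + Base64.getEncoder()
                .encodeToString("alice:s3:cret".getBytes(StandardCharsets.UTF_8));
        System.out.println(extractCredentials(header));
        System.out.println(extractCredentials("Basic !!!"));       // malformed base64
        System.out.println(extractCredentials("Bearer abc"));      // different scheme
        System.out.println(requestCredentials(false, "example"));  // proposed default: disabled
        System.out.println(requestCredentials(true, "example"));   // enabled by configuration
    }
}
```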
