Theoretically, the httpauth bundle does slightly more than the default handler in commons.auth. Namely, it can serve a form.
That said (which isn't actually saying much), I'd be +1 on dropping httpauth. I think formauth has matured so that we should use that as the default. If someone wants/needs to add Digest support to the httpauth bundle, that'd be a different story.

Justin

On 7/2/10 1:43 PM, Ray Davis wrote:
> If the httpauth bundle *is* still needed, then it might need revision,
> as it appears to interpret the "sling:authRequestLogin" request
> parameter in a way that conflicts with other authentication handlers.
>
> The request parameter "sling:authRequestLogin" is currently documented
> as a way to select which AuthenticationHandler receives a
> requestCredentials call. The OpenID authentication handler uses it in
> this fashion.
>
> However, httpauth's AuthorizationHeaderAuthenticationHandler uses it in
> another way. If "sling:authRequestLogin" is any non-null value, then its
> extractCredentials method requests basic authentication and returns
> "AuthenticationInfo.DOING_AUTH". Since extractCredentials calls occur
> first, this effectively blocks the requestCredentials logic.
>
> For example, using a current build of Sling trunk, with my only change
> being to open "/system/sling/openid/login" to anonymous access, I find
> that immediately after I submit the OpenID login form, I receive a basic
> authentication prompt from the browser. Only after I stop the
> org.apache.sling.httpauth bundle can OpenID authentication proceed as
> documented.
>
> What's the recommendation here?
>
> Thanks,
> Ray
>
> On 7/2/10 9:45 AM, Ian Boston wrote:
>> Hi
>>
>> I notice that the extension http auth bundle is still in list.xml,
>> however the Authentication handler does http basic by default if all
>> else fails ?
>> are both still needed ?
>>
>> Ian
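
The ordering conflict Ray Davis describes, as a stand-alone Java model added here (it is not code from this thread or from Sling). The `Handler` type and `dispatch` method are simplified stand-ins for the real interfaces, and the selector values "BASIC" and "OpenID" and the scoped variant of the basic handler are assumptions made for illustration.

```java
import java.util.List;
import java.util.Map;
import java.util.function.Function;

// Simplified model of the two-phase dispatch described in the thread.
// Hypothetical stand-in types, not the real Sling AuthenticationHandler API.
public class AuthRequestLoginModel {
    static final String PARAM = "sling:authRequestLogin";
    static final String DOING_AUTH = "DOING_AUTH"; // stands in for AuthenticationInfo.DOING_AUTH

    static final class Handler {
        final String type;                                   // assumed selector value
        final Function<Map<String, String>, String> extract; // null result = nothing extracted
        Handler(String type, Function<Map<String, String>, String> extract) {
            this.type = type;
            this.extract = extract;
        }
    }

    static String dispatch(List<Handler> handlers, Map<String, String> params) {
        // Phase 1: extractCredentials runs on every handler first; DOING_AUTH ends processing.
        for (Handler h : handlers) {
            if (DOING_AUTH.equals(h.extract.apply(params))) {
                return h.type + " handler took over in extractCredentials";
            }
        }
        // Phase 2: requestCredentials goes to the handler the parameter selects.
        String wanted = params.get(PARAM);
        for (Handler h : handlers) {
            if (h.type.equals(wanted)) {
                return h.type + " handler received requestCredentials";
            }
        }
        return "no handler selected";
    }

    public static void main(String[] args) {
        Map<String, String> params = Map.of(PARAM, "OpenID"); // constructed request parameters
        Handler openid = new Handler("OpenID", p -> null);
        // Reported behaviour: any non-null parameter value triggers the basic-auth challenge.
        Handler reported = new Handler("BASIC", p -> p.get(PARAM) != null ? DOING_AUTH : null);
        // Assumed alternative: react only when the parameter selects this handler.
        Handler scoped = new Handler("BASIC", p -> "BASIC".equals(p.get(PARAM)) ? DOING_AUTH : null);

        System.out.println("reported: " + dispatch(List.of(reported, openid), params));
        System.out.println("scoped:   " + dispatch(List.of(scoped, openid), params));
    }
}
```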
