I must be missing something here. Is the use case for this non-JCR ResourceResolverFactory implementations? Because for a JCR-backed ResourceResolverFactory, you still need to log into the repository with credentials. In the case of an external data source, this means writing a LoginModulePlugin, no?
On Jul 9, 2010, at 8:37 AM, Mike Müller (JIRA) <[email protected]> wrote: > > [ > https://issues.apache.org/jira/browse/SLING-1593?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12886707#action_12886707 > ] > > Mike Müller commented on SLING-1593: > ------------------------------------ > > I try to be more clear: > The new CredentialValidator interface makes it possible to validate the > credentials (extracted by one of the AuthenticationHandler implementations) > against any data respository. By now this is a SlingAuthenticator built-in > task. So on one hand you can argue that a Sling applications just can make > it's own Authenticator implementation - which is true - and therefore Sling > is already decoupled from the JCR. But on the other hand, if the goal is only > to validate the credentials against another data respoitory the > CredentialValidator interface is much more advantageous. Probably the > CredentialValidator interface should be placed in the commons.auth.spi > package to retain the API as clean as possible. So what the proposal really > is about, is to let an application use a SPI to validate the credentials. > And also, as Ian mentioned, there's no need to add a LoginModulePlugin > anymore. > It is also clear that this change only makes sense in conjunction with > SLING-1262. > >> Decouple authentication mechanism from JCR >> ------------------------------------------ >> >> Key: SLING-1593 >> URL: https://issues.apache.org/jira/browse/SLING-1593 >> Project: Sling >> Issue Type: Improvement >> Components: API, Commons >> Reporter: Mike Müller >> >> Felix made a good proposal how to decouple the authentication mechanism from >> JCR at [1] after the discussion at [2]. The remaining issue there was how to >> ensure JCR sessions which are placed into AuthenticationInfo be closed. To >> solve that issue we now can use the new SlingRequestListener [3]. >> [1] https://cwiki.apache.org/SLING/user-authentication.html >> [2] http://markmail.org/message/aovh7lll4w6uwepv >> [3] https://issues.apache.org/jira/browse/SLING-1576 > > -- > This message is automatically generated by JIRA. > - > You can reply to this email to add a comment to the issue online. >
