Vidar,

Thanks for the update. I think you may be thinking of an earlier implementation of Sling though?

1) In the Sling Docs, it appears authentication state is stored in a cookie or HTTP Session:

"After the successful authentication of the user in phase 1, the authentication state is stored in a Cookie or an HTTP Session. The stored value is a security token with the following contents:"

HmacSHA1(securetoken, <securetokennumber><expirytime>@<userID>)@<securetokennumber><expirytime>@<userID>

http://sling.apache.org/site/form-based-authenticationhandler.html

This is very strange to me, since Sling is supposed to be stateless, and this seems rather stateful.

2) At the bottom of the wiki under "Complete Steps for Authenticating HTTP Requests" it makes it seem like the only thing you need to do to authenticate a user and maintain authentication status is return a valid AuthenticationInfo object.

https://cwiki.apache.org/confluence/display/SLING/User+Authentication

--
David Gonzalez
Sent with Sparrow (http://www.sparrowmailapp.com)

On Friday, June 10, 2011 at 7:35 AM, Vidar Ramdal wrote:

> 2011/6/10 David G. <[email protected]>:
> > Vidar,
> >
> > Hrm, I think I misspoke.
> >
> > I am trying to figure out the mechanics of
> > Authentication/De-Authentication (Sign-In/Sign-Out) for web apps using
> > Sling.
> >
> > Essentially I want to create two entry points, one that authenticates
> > the user to my web app (sign-in) and one that de-authenticates the
> > user (sign-out).
> >
> > For sign-in I am using a custom Authentication Handler, which through
> > the extractCredentials method, creates/retrieves a JCR user and
> > creates an AuthenticationInfo object for said user, and returns it.
> >
> > I was under the impression this was enough to "authenticate" the user
> > and allow a session cookie to be created, etc. (basically treat the
> > user as logged in).
> >
> > For some reason, even when I pass back a "valid" AuthenticationInfo
> > object (and by valid, I mean it represents the user) from the
> > AuthenticationHandler's extractCredentials, my user is not recognized
> > as being "signed in" by Sling (ProfileUtil.isAnonymous(slingRequest) ==
> > true).
> >
> > I'm trying to figure out what the mechanics are for having Sling/JCR
> > persist recognition of my user as signed in across the life of their
> > visit to the web site.
> >
> > Also, I am trying to understand how to create a logout mechanism that
> > operates in a similar fashion.
>
> OK, I haven't worked with the latest versions of the Auth stuff, but
> I'm pretty sure you must set and parse the cookie yourself (in your
> authentication handler). By default, Sling does not use sessions, so
> you must pass the credentials on every request.
>
> One way of doing it could be:
>
> 1. The user logs in through a specially designated servlet (see
> o.a.s.auth.core.impl.LoginServlet for an example). The servlet sets a
> cookie containing the user's credentials (or a session ID, if you want
> to implement that)
> 2. On succeeding requests, your AuthenticationHandler looks for the
> cookie, parses it and returns the AuthenticationInfo object
> 3. On logout, another servlet is used, which deletes the cookie
>
> Again, I'm not totally familiar with the current state of Sling
> authentication, so anybody please correct and fill in the missing
> stuff.
>
> --
> Vidar S. Ramdal <[email protected]>
> Webstep AS - http://www.webstep.no
> Visiting address: Lilleakerveien 8, 0283 Oslo
> Postal address: Postboks 66, 1324 Lysaker
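The token layout David quotes from the Sling docs, worked through as an added example that is not from this thread or from Sling's own code: a sign-and-verify pair for the cookie value, which assumes a fixed-width three-digit secure token number, a constructed secret per number, and a millisecond expiry (none of these widths or secrets come from the page).

```python
import hashlib
import hmac

# Constructed secrets keyed by "secure token number". The number in the cookie
# selects which secret signed it, so secrets can be rotated without breaking
# tokens still in flight. Assumption: the number is zero-padded to 3 digits.
SECRETS = {1: b"constructed-secret-one", 2: b"constructed-secret-two"}
TOKEN_NUMBER_WIDTH = 3


def _mac(secret: bytes, data: str) -> str:
    # HmacSHA1 over <number><expiry>@<userID>, as in the documented layout
    return hmac.new(secret, data.encode("utf-8"), hashlib.sha1).hexdigest()


def create_token(token_number: int, expiry_ms: int, user_id: str) -> str:
    """Cookie value: HmacSHA1(secret, <number><expiry>@<userID>)@<number><expiry>@<userID>."""
    data = f"{token_number:0{TOKEN_NUMBER_WIDTH}d}{expiry_ms}@{user_id}"
    return f"{_mac(SECRETS[token_number], data)}@{data}"


def verify_token(token: str, now_ms: int):
    """Return the user ID for a well-formed, unexpired token with a valid MAC;
    return None for anything else, which the handler treats as anonymous."""
    mac, sep, data = token.partition("@")
    if not sep:
        return None
    head, sep2, user_id = data.partition("@")  # user IDs may contain '@'
    if not sep2 or not user_id:
        return None
    number_str, expiry_str = head[:TOKEN_NUMBER_WIDTH], head[TOKEN_NUMBER_WIDTH:]
    if not (number_str.isdigit() and expiry_str.isdigit()):
        return None
    secret = SECRETS.get(int(number_str))
    if secret is None:
        return None  # unknown or retired secret: do not trust the token
    # Check the MAC before believing any field, and compare in constant time
    if not hmac.compare_digest(_mac(secret, data), mac):
        return None
    if int(expiry_str) <= now_ms:
        return None  # signed but expired
    return user_id
```

On logout the servlet only needs to clear the cookie, since nothing is stored server-side; a token that was already issued stays valid until its expiry, so keep expiries short.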
