Hi, I think we are operating in the context of Sling and so we should use a single and consolidated authentication mechanism instead of spreading the mechanisms all over. This is what the Sling authenticator has been designed for after all.
Thus the "missing-auth-mapping" will not have any influence here. So, the way to the solution really is SLING-2274 and ensuring the DavEx servlet URL space is never forcibly authenticated but once credentials are provided, those should be used.

Regards
Felix

On 09.11.2011 at 01:03, Tobias Bocanegra wrote:

>
> On Nov 9, 2011, at 00:59 , Justin Edelson wrote:
>
>> It seems pretty clear that we need to allow anonymous access to the
>> DavEx servlet even if anonymous access is prohibited in the
>> Authenticator configuration. Created
>> https://issues.apache.org/jira/browse/SLING-2274 for that.
> thanks.
>
> i would even go so far and not use the sling authenticator at all, and just
> use the webdav servlet as is.
> regards, toby
>
>
>>
>> Justin
>>
>> On Tue, Nov 8, 2011 at 1:51 PM, Tobias Bocanegra <[email protected]> wrote:
>>> hi,
>>> it actually depends on the missing-auth-mapping, in the jackrabbit web app
>>> it worked like this:
>>>
>>> missing-auth-mapping = "" [which is different from param missing]
>>>
>>> 1) user with full read access
>>> ------------------------------------------------------------------------
>>>
>>> GET
>>> http://localhost:8080/crx/server
>>>
>>> -> 200 : list of child resources (workspace resources)
>>>
>>> GET
>>> http://localhost:8080/crx/server/crx.default
>>>
>>> -> 200 : list of child resources (root node)
>>>
>>> GET
>>> http://localhost:8080/crx/server/crx.default/jcr:root
>>>
>>> -> 200 : serialization of root node
>>>
>>>
>>> 2) unauthenticated (where everyone has no read permission on /)
>>> ------------------------------------------------------------------------
>>>
>>> GET
>>> http://localhost:8080/crx/server
>>>
>>> -> 200 : list of child resources (workspace resources)
>>>
>>> GET
>>> http://localhost:8080/crx/server/crx.default
>>>
>>> -> 200 : list of child resources (empty in this case)
>>>
>>> GET
>>> http://localhost:8080/crx/server/crx.default/jcr:root
>>>
>>> -> 404 : due to the fact that anonymous/unauthenticated user
>>> has no read permission and with the missing-auth-config
>>> specified above preemptive auth is expected.
>>>
>>> regards, toby
>>>
>>> On Nov 8, 2011, at 22:30 , Felix Meschberger wrote:
>>>
>>>> Hi,
>>>>
>>>> If I read the code correctly, it looks like out of the box the
>>>> JackrabbitWebdavServerServlet does HTTP Basic authentication provided the
>>>> client provides it but a 401/UNAUTHORIZED response is never sent. Thus
>>>> authentication seems to be assumed "preemptive".
>>>>
>>>> I think in this case rolling back the SLING-2167 changes and thus not using
>>>> the Sling authenticator might be an ok solution.
>>>>
>>>> WDYT ?
>>>>
>>>> Regards
>>>> Felix
>>>>
>>>> On 08.11.2011 at 20:39, Carsten Ziegeler (Reopened) (JIRA) wrote:
>>>>
>>>>>
>>>>> [
>>>>> https://issues.apache.org/jira/browse/SLING-2167?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
>>>>> ]
>>>>>
>>>>> Carsten Ziegeler reopened SLING-2167:
>>>>> -------------------------------------
>>>>>
>>>>>
>>>>> No I don't agree - davex might be used by applications running in the
>>>>> browser.
>>>>> In these cases the auth must be shared between the application which is
>>>>> provided by html and davex
>>>>>
>>>>>> Use Sling Authenticator
>>>>>> -----------------------
>>>>>>
>>>>>> Key: SLING-2167
>>>>>> URL: https://issues.apache.org/jira/browse/SLING-2167
>>>>>> Project: Sling
>>>>>> Issue Type: Improvement
>>>>>> Components: JCR
>>>>>> Affects Versions: JCR DavEx 1.0.0
>>>>>> Reporter: Carsten Ziegeler
>>>>>> Assignee: Carsten Ziegeler
>>>>>> Fix For: JCR DavEx 1.1.0
>>>>>>
>>>>>>
>>>>>> The davex support should use the SlingAuthenticator for better
>>>>>> integration into the Sling authentication
>>>>>
>>>>> --
>>>>> This message is automatically generated by JIRA.
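
The request handling discussed in this thread (Basic credentials used when the client sends them, no 401 challenge, 404 for a node the session cannot read), modelled as an added example that is not part of the original messages and is not Sling or Jackrabbit code. The user store, the ACL table and the choice to treat rejected credentials as anonymous are assumptions of this sketch.

```python
import base64
import binascii
import hmac

# Constructed sample data (assumptions for this sketch, not real accounts).
USERS = {"reader": "s3cret"}
LISTINGS = {"/crx/server", "/crx/server/crx.default"}
NODE_READERS = {"/crx/server/crx.default/jcr:root": {"reader"}}
ANONYMOUS = "anonymous"


def parse_basic(header):
    """Return (user, password) from a Basic Authorization header, else None."""
    scheme, _, token = (header or "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")  # password may contain ':'
    return (user, password) if sep else None


def resolve_user(headers):
    """Use supplied credentials if they verify; otherwise stay anonymous."""
    creds = parse_basic(headers.get("Authorization"))
    if creds is None:
        return ANONYMOUS
    user, password = creds
    expected = USERS.get(user)
    # Always run the comparison so unknown user names take the same path.
    match = hmac.compare_digest(password.encode(), (expected or "").encode())
    return user if (expected is not None and match) else ANONYMOUS


def handle_get(path, headers):
    """Return the status code; a 401 challenge is never produced."""
    user = resolve_user(headers)
    if path in LISTINGS:
        return 200  # listing is permission-filtered and may be empty
    if user in NODE_READERS.get(path, set()):
        return 200
    return 404  # unreadable and missing nodes are indistinguishable
```

Because no challenge is ever sent, a client that does not attach credentials preemptively only ever sees the anonymous view.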
