Hi,
An alternative to a trusted credentials mechanism is:
1. to use loginByService in the authentication handler itself
2. impersonate to the desired user (and have a service user mapping that allows
the necessary impersonations)
3. put the resulting jcr session as "user.jcr.session" [0] into the AuthInfo to
use that session for the resource resolver
4. make sure the session gets closed at the end of the request
Point 4 is currently not possible - if "user.jcr.session" is used, the resource
resolver / jcr resource provider will assume the session is managed by the
callee, and not automatically log out of the session once the resource resolver
is closed.
However, there is no way for an authentication handler to react to the end of
the request or closure of the resource resolver, unless it provides a servlet
filter, which would be total overkill.
Proposal:
Add a new flag "user.jcr.session.logout" = true, in which case the session
will be logged out automatically as done in all other cases.
The code change would be simple:
a. add new constant to JcrResourceConstants for the "user.jcr.session.logout"
value
b. in JcrResourceProviderFactory#getResourceProviderInternal() [1] in the last
else cases, don't set logoutSession to false if this new flag is set on the
AuthInfo
WDYT? I could really use this now, at least before SLING-3179 reintroduces a
way to do trusted credentials (although I prefer the loginByService approach).
[0] http://sling.apache.org/apidocs/sling6/org/apache/sling/jcr/resource/JcrResourceConstants.html#AUTHENTICATION_INFO_SESSION
[1] http://svn.apache.org/repos/asf/sling/trunk/bundles/jcr/resource/src/main/java/org/apache/sling/jcr/resource/internal/helper/jcr/JcrResourceProviderFactory.java
Cheers,
Alex
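
Steps 1 to 4 of the message above, sketched as an authentication handler. This is an added example, not part of the original message or of Sling's code. It assumes "loginByService" means SlingRepository.loginService; the sub-service name, auth type and request attribute are hypothetical, and the "user.jcr.session.logout" key has no effect unless the proposed change is applied.

```java
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.SimpleCredentials;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.sling.auth.core.spi.AuthenticationHandler;
import org.apache.sling.auth.core.spi.AuthenticationInfo;
import org.apache.sling.jcr.api.SlingRepository;
import org.apache.sling.jcr.resource.JcrResourceConstants;

public class ImpersonatingAuthHandler implements AuthenticationHandler {
    // Flag proposed in the message; JcrResourceConstants has no constant for it yet.
    static final String SESSION_LOGOUT = "user.jcr.session.logout";
    // Hypothetical names, used only in this example.
    static final String AUTH_TYPE = "EXAMPLE";
    static final String SUB_SERVICE = "impersonation";
    static final String VERIFIED_USER_ATTR = "example.verified.user";
    private final SlingRepository repository; // normally injected by OSGi DS
    public ImpersonatingAuthHandler(SlingRepository repository) { this.repository = repository; }

    public AuthenticationInfo extractCredentials(HttpServletRequest req, HttpServletResponse res) {
        // Placeholder for the handler's own credential validation.
        Object userId = req.getAttribute(VERIFIED_USER_ATTR);
        if (!(userId instanceof String)) {
            return null; // nothing for this handler, let others try
        }
        Session service = null;
        try {
            service = repository.loginService(SUB_SERVICE, null);              // step 1
            Session user = service.impersonate(
                    new SimpleCredentials((String) userId, new char[0]));      // step 2
            AuthenticationInfo info = new AuthenticationInfo(AUTH_TYPE, (String) userId);
            info.put(JcrResourceConstants.AUTHENTICATION_INFO_SESSION, user);  // step 3
            info.put(SESSION_LOGOUT, Boolean.TRUE);                            // step 4 (proposed)
            return info;
        } catch (RepositoryException e) {
            return AuthenticationInfo.FAIL_AUTH; // login or impersonation was refused
        } finally {
            if (service != null) service.logout(); // only needed to impersonate
        }
    }

    public boolean requestCredentials(HttpServletRequest req, HttpServletResponse res) { return false; }
    public void dropCredentials(HttpServletRequest req, HttpServletResponse res) { }
}
```

The service user mapped to the sub-service should be allowed to impersonate only the users this handler is meant to serve, since the mapping is what bounds the handler's reach.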