Author: kwin
Date: Tue Nov 3 12:55:01 2015
New Revision: 1712284
URL: http://svn.apache.org/viewvc?rev=1712284&view=rev
Log:
SLING-4701 clarify path matching for anonymous login configuration
Modified:
sling/site/trunk/content/documentation/the-sling-engine/authentication/authentication-framework.mdtext
Modified:
sling/site/trunk/content/documentation/the-sling-engine/authentication/authentication-framework.mdtext
URL:
http://svn.apache.org/viewvc/sling/site/trunk/content/documentation/the-sling-engine/authentication/authentication-framework.mdtext?rev=1712284&r1=1712283&r2=1712284&view=diff
==============================================================================
---
sling/site/trunk/content/documentation/the-sling-engine/authentication/authentication-framework.mdtext
(original)
+++
sling/site/trunk/content/documentation/the-sling-engine/authentication/authentication-framework.mdtext
Tue Nov 3 12:55:01 2015
@@ -69,16 +69,21 @@ The `handleSecurity` method gets credent
The `SlingAuthenticator` provides high level of control with respect to
allowing anonymous requests or requiring authentication up front:
-* Global setting of whether anonymous requests are allowed or not. This is the
value of the *Allow Anonymous Access* (`auth.annonymous`) property of the
`SlingAuthenticator` configuration. This property is supported for backwards
compatibility and defaults to `true` (allowing anonymous access).
-* Specific configuration per URL. The *Authentication Requirements*
(`sling.auth.requirements`) property of the `SlingAuthenticator` configuration
may provide a list of URLs for which authentication may be required or not: Any
entry prefixed with a dash `-` defines a subtree for which authentication is
not required. Any entry not prefixed with a dash or prefixed with a plus `+`
defines a subtree for which authentication is required up front and thus
anonymous access is not allowed. This list is empty by default.
+* Global setting of whether anonymous requests are allowed or not. This is the
boolean value of the *Allow Anonymous Access* (`auth.annonymous`) property of
the `SlingAuthenticator` configuration. This property is supported for
backwards compatibility and defaults to `true` (allowing anonymous access).
Setting it to `true` is a shortcut for setting `sling.auth.requirements` to
`-/`.
+* Specific configuration per URL. The *Authentication Requirements*
(`sling.auth.requirements`) property of the `SlingAuthenticator` configuration
may provide a list of URLs for which authentication may be required or not: Any
entry prefixed with a dash `-` defines a request path prefix for which
authentication is not required. Any entry not prefixed with a dash or prefixed
with a plus `+` defines a subtree for which authentication is required up front
and thus anonymous access is not allowed. This list is empty by default.
* Any OSGi service may provide a `sling.auth.requirements` registration
property which is used to dynamically extend the authentication requirements
from the *Authentication Requirements* configuration. This may for example be
set by `AuthenticationHandler` implementations providing a login form to ensure
access to the login form does not require authentication. The value of this
property is a single string, an array of strings or a Collection of strings and
is formatted in the same way as the *Authentication Requirements* configuration
property.
-The URLs set on the *Authentication Requirements* configuration property or
the `sling.auth.requirements` service registration property can be absolute
paths or URLs like the `path` service registration property of
`AuthenticationHandler` services. This allows the limitation of this setup to
certain requests by scheme and/or virtual host address.
+The values set on the *Authentication Requirements* configuration property or
the `sling.auth.requirements` service registration property can be absolute
paths or URLs like the `path` service registration property of
`AuthenticationHandler` services. This allows the limitation of this setup to
certain requests by scheme and/or virtual host address. The requests path
(`HttpServletRequest.getServletPath()` + `HttpServletRequest.getPathInfo()`) is
afterwards matched against the given paths. It matches if it starts with one of
the given paths.
**Examples**
-* The `LoginServlet` contained in the Sling Auth Core bundle registers itself
with the service registration property `sling.auth.requirements =
"-/system/sling/login"` to ensure the servlet can be accessed without requiring
authentication.
+* The `LoginServlet` contained in the Sling Auth Core bundle registers itself
with the service registration property `sling.auth.requirements =
"-/system/sling/login"` to ensure the servlet can be accessed without requiring
authentication. The following request urls would work then without
authentication:
+
+ * /system/sling/login
+ * /system/sling/login.html
+ * /system/sling/login/somesuffix
+ * /system/sling/login-test (if this is not desired, you have to use a
restriction like this: `sling.auth.requirements = "-/system/sling/login"`)
* An authentication handler may register itself with the service registration
property `sling.auth.requirements = "-/apps/sample/loginform"` to ensure the
login form can be rendered without requiring authentication.
