Author: kwin Date: Tue Nov 3 12:55:01 2015 New Revision: 1712284 URL: http://svn.apache.org/viewvc?rev=1712284&view=rev Log: SLING-4701 clarify path matching for anonymous login configuration
Modified: sling/site/trunk/content/documentation/the-sling-engine/authentication/authentication-framework.mdtext Modified: sling/site/trunk/content/documentation/the-sling-engine/authentication/authentication-framework.mdtext URL: http://svn.apache.org/viewvc/sling/site/trunk/content/documentation/the-sling-engine/authentication/authentication-framework.mdtext?rev=1712284&r1=1712283&r2=1712284&view=diff ============================================================================== --- sling/site/trunk/content/documentation/the-sling-engine/authentication/authentication-framework.mdtext (original) +++ sling/site/trunk/content/documentation/the-sling-engine/authentication/authentication-framework.mdtext Tue Nov 3 12:55:01 2015 @@ -69,16 +69,21 @@ The `handleSecurity` method gets credent The `SlingAuthenticator` provides high level of control with respect to allowing anonymous requests or requiring authentication up front: -* Global setting of whether anonymous requests are allowed or not. This is the value of the *Allow Anonymous Access* (`auth.annonymous`) property of the `SlingAuthenticator` configuration. This property is supported for backwards compatibility and defaults to `true` (allowing anonymous access). -* Specific configuration per URL. The *Authentication Requirements* (`sling.auth.requirements`) property of the `SlingAuthenticator` configuration may provide a list of URLs for which authentication may be required or not: Any entry prefixed with a dash `-` defines a subtree for which authentication is not required. Any entry not prefixed with a dash or prefixed with a plus `+` defines a subtree for which authentication is required up front and thus anonymous access is not allowed. This list is empty by default. +* Global setting of whether anonymous requests are allowed or not. This is the boolean value of the *Allow Anonymous Access* (`auth.annonymous`) property of the `SlingAuthenticator` configuration. This property is supported for backwards compatibility and defaults to `true` (allowing anonymous access). Setting it to `true` is a shortcut for setting `sling.auth.requirements` to `-/`. +* Specific configuration per URL. The *Authentication Requirements* (`sling.auth.requirements`) property of the `SlingAuthenticator` configuration may provide a list of URLs for which authentication may be required or not: Any entry prefixed with a dash `-` defines a request path prefix for which authentication is not required. Any entry not prefixed with a dash or prefixed with a plus `+` defines a subtree for which authentication is required up front and thus anonymous access is not allowed. This list is empty by default. * Any OSGi service may provide a `sling.auth.requirements` registration property which is used to dynamically extend the authentication requirements from the *Authentication Requirements* configuration. This may for example be set by `AuthenticationHandler` implementations providing a login form to ensure access to the login form does not require authentication. The value of this property is a single string, an array of strings or a Collection of strings and is formatted in the same way as the *Authentication Requirements* configuration property. -The URLs set on the *Authentication Requirements* configuration property or the `sling.auth.requirements` service registration property can be absolute paths or URLs like the `path` service registration property of `AuthenticationHandler` services. This allows the limitation of this setup to certain requests by scheme and/or virtual host address. +The values set on the *Authentication Requirements* configuration property or the `sling.auth.requirements` service registration property can be absolute paths or URLs like the `path` service registration property of `AuthenticationHandler` services. This allows the limitation of this setup to certain requests by scheme and/or virtual host address. The requests path (`HttpServletRequest.getServletPath()` + `HttpServletRequest.getPathInfo()`) is afterwards matched against the given paths. It matches if it starts with one of the given paths. **Examples** -* The `LoginServlet` contained in the Sling Auth Core bundle registers itself with the service registration property `sling.auth.requirements = "-/system/sling/login"` to ensure the servlet can be accessed without requiring authentication. +* The `LoginServlet` contained in the Sling Auth Core bundle registers itself with the service registration property `sling.auth.requirements = "-/system/sling/login"` to ensure the servlet can be accessed without requiring authentication. The following request urls would work then without authentication: + + * /system/sling/login + * /system/sling/login.html + * /system/sling/login/somesuffix + * /system/sling/login-test (if this is not desired, you have to use a restriction like this: `sling.auth.requirements = "-/system/sling/login"`) * An authentication handler may register itself with the service registration property `sling.auth.requirements = "-/apps/sample/loginform"` to ensure the login form can be rendered without requiring authentication.