Am Mittwoch, den 17.10.2007, 09:39 +0200 schrieb Carsten Ziegeler: > I agree for resource and content resolution. But I'm not sure about > authentication. Having a filter which does the authentication is very > transparent. If we are using the servlet filter interface for these > filters, its easy to use other authentication mechanisms like for > example spring authentication (aka acegi) which is based on servlet > filters as well. > So for now, I personally tend to go with filters except where something > is really required for Sling core to work. There we could use an > explicit service instead.
Not sure, whether this is the level authentication we require. Sling's main purpose, which is also made strongly visible through the upcoming Resource interface, is to provide a web application front-end to JCR repositories. As such, I assume, that the JCR repository will be used for authentication and access control purposes. As such, the only moving target of authentication is the question on how to extract credential data from the request to use it as input to the JCR Repository.login method. Currently Sling has an AuthenticationFilter which makes use of AuthenticationHandler services (only HTTP Header Authentication is implemented for now) to get the credentials or request the credentials from the client. How authentication is handled in the repository is completely out-of-scope for Sling. This is why I proposed to not use a filter for authentication. Regards Felix
