I would argue that a proper architecture would be to use the
repository authentication to go directly to LDAP, since this would
allow you to use the repository users for access control.

This is exactly how we integrated it in our commercial content
repository [1] (which is based on Jackrabbit), and I would argue that
this is the only proper way of dealing with authentication in Sling, since this
would allow the repository to reflect read privileges in particular properly,
for example in search results.

In my mind one of the main purposes of using a content repository
is to be able to ignore access control altogether on the application
layer.

regards,
david



[1] http://www.day.com/crx (testdrive here: http://jcr.day.com )


On 2/21/08, Torgeir Veimo <[EMAIL PROTECTED]> wrote:
>
>  On 21 Feb 2008, at 22:47, Vidar Ramdal wrote:
>
>  >> On 21 Feb 2008, at 22:25, Vidar Ramdal wrote:
>  >>> Does anyone have a working example of configuring Sling to using an
>  >>> external LDAP server for authentication?
>  > On 2/21/08, Torgeir Veimo <[EMAIL PROTECTED]> wrote:
>  >> I'd assume this is sort of orthogonal to Sling at the moment?
>  >>
>  >> One option would be to employ something like Spring security or
>  >> SecurityFilter with an appropriate LDAP realm impl. This would make
>  >> sure all requests would return something sane in the
>  >> getUserPrincipal() and isUserInRole() calls. You could then code
>  >> accordingly in your Sling components.
>  >
>  > I see. But using a servlet filter would not enforce security on the
>  > JCR itself. Perhaps it would be easier to setup Jackrabbit with LDAP,
>  > and then handle authorization issues when Sling connects to
>  > Jackrabbit.
>
>
>
>  If Jackrabbit actually supported any authorisation.. (I assume you
>  know it's planned for JCR 2.0, see also
>  https://issues.apache.org/jira/browse/JCR-1171). You can store ACLs
>  as node children though (we currently do this, but we don't enforce
>  security through the AccessManager mechanism provided by JCR itself
>  but at a higher level).
>
>  My general experience is that many applications might need the concept
>  of ownership (eg your blog posts are only editable by you), but that
>  read permissions are mostly set to world-readable. The concept of
>  ownership would be integral to your domain model, and should probably
>  be enforced as part of any DAO layer. If you need anything more
>  advanced than that, all access to the JCR nodes should go through a
>  proper DAO layer, also for reading, which would sort of make it wise
>  to use something other than Sling.
>
>
>  --
>
> Torgeir Veimo
>  [EMAIL PROTECTED]
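To make the difference between the two models discussed in this thread concrete, here is an added Java example (not from the thread, nor from Sling, Jackrabbit or CRX). It assumes a JCR `Repository` whose AccessManager lets the user `alice` read `/public` but not `/secret`, and a hypothetical `RepositoryLookup.get()` helper that returns that repository; it compares a search run on a shared administrative session (the servlet-filter model) with one run on a session bound to the caller.

```java
import javax.jcr.*;
import javax.jcr.query.Query;
import javax.jcr.query.QueryResult;
import java.util.ArrayList;
import java.util.List;

/** Compares application-layer and repository-layer access control on a JCR search. */
public class RepositoryAuthDemo {

    /** Collects the paths of all nodes returned by an XPath query on the given session. */
    static List<String> searchPaths(Session session, String xpath) throws RepositoryException {
        QueryResult result = session.getWorkspace().getQueryManager()
                .createQuery(xpath, Query.XPATH).execute();
        List<String> paths = new ArrayList<String>();
        for (NodeIterator it = result.getNodes(); it.hasNext(); ) {
            paths.add(it.nextNode().getPath());
        }
        return paths;
    }

    public static void main(String[] args) throws RepositoryException {
        // Assumption: RepositoryLookup is a hypothetical helper (JNDI, TransientRepository, ...)
        // returning a repository whose AccessManager denies "alice" read access to /secret.
        Repository repository = RepositoryLookup.get();
        String xpath = "//element(*, nt:unstructured)";

        Session admin = repository.login(new SimpleCredentials("admin", "admin".toCharArray()));
        try {
            // Model 1: a servlet filter authenticated alice against LDAP, but the application
            // talks to the repository as admin. The repository knows nothing about alice, so
            // /secret is part of the result and every consumer must post-filter it.
            System.out.println("admin session sees: " + searchPaths(admin, xpath));

            // Model 2: the repository itself knows the caller. Here the admin session
            // impersonates alice (Session.impersonate); with an LDAP-backed repository login
            // the application would pass alice's own credentials instead. The AccessManager
            // now filters /secret out, so the search result is already correct.
            Session alice = admin.impersonate(new SimpleCredentials("alice", new char[0]));
            try {
                System.out.println("alice session sees: " + searchPaths(alice, xpath));
            } finally {
                alice.logout();
            }
        } finally {
            admin.logout();
        }
    }
}
```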
