[ https://issues.apache.org/jira/browse/SLING-327?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12578625#action_12578625 ]

Felix Meschberger commented on SLING-327:
-----------------------------------------

I agree that showing a login box when anonymous login is actually allowed is a 
bad thing - the intent is to send an UNAVAILABLE.

So rather than trying to log in as admin we should find out what is going on in 
certain situations when login is not possible ... Looking at 
SlingAuthenticator.getAnonymousSession, the solution is quite clear: This 
method catches and logs exceptions but then falls back to requesting 
authentication. This is probably not really the best of all known solutions. 
The real solution would probably be to act in the same way as when trying to 
log in normally:

    * request authentication on LoginException
    * send 503/SERVICE UNAVAILABLE on TooManySessionsException
    * send 500/INTERNAL SERVER ERROR on RepositoryException

Also, I think creating an admin session on each request is quite hefty (but 
yes, Sling basically assumes admin access works).

> SlingAuthenticator: improve Repository sanity check
> ---------------------------------------------------
>
>                 Key: SLING-327
>                 URL: https://issues.apache.org/jira/browse/SLING-327
>             Project: Sling
>          Issue Type: Improvement
>            Reporter: Bertrand Delacretaz
>            Priority: Minor
>         Attachments: SLING-327.patch
>
>
> Currently the SlingAuthenticator sometimes behaves in funny ways if the 
> Repository is not available, or not accepting logins for some reason. If 
> anonymous access is allowed, for example, a login box might appear if the 
> repository becomes unavailable, which makes things confusing.
> The attached patch improves the situation by verifying that an admin session 
> can be obtained from the Repository, and throws MissingRepositoryException if 
> not.
> This should allow better handling of Repository problems in higher 
> application layers.
> I'm not sure about all the implications - can we assume that an admin session 
> is required for things to work?
> Please review the patch before I apply it, or feel free to apply it, as I'll 
> be mostly offline until after Easter.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
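The three-way mapping Felix proposes for a failed anonymous login, written out as an added illustration (this is not Sling's code). It uses only the JCR 1.0 `Repository.login()` call and servlet status constants; the comment names `TooManySessionsException` without a package, so a placeholder subclass of `RepositoryException` is declared under that name, and the `Basic realm="Sling"` challenge header is an assumed way of "requesting authentication".

```java
import java.io.IOException;
import javax.jcr.LoginException;
import javax.jcr.Repository;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.servlet.http.HttpServletResponse;

/** Placeholder: the comment names this exception without a package, so it is declared here. */
class TooManySessionsException extends RepositoryException {
    TooManySessionsException(String message) { super(message); }
}

public class AnonymousLoginHandler {
    private final Repository repository;

    public AnonymousLoginHandler(Repository repository) {
        this.repository = repository;
    }

    /**
     * Tries to open an anonymous session. On success the session is returned.
     * On failure the response is finished with the status the comment proposes
     * and null is returned so the caller stops processing the request.
     */
    public Session getAnonymousSession(HttpServletResponse response) throws IOException {
        try {
            // login() with no credentials is the JCR way to open an anonymous session.
            return repository.login();
        } catch (TooManySessionsException e) {
            // Repository is up but has no free sessions: a temporary condition, so 503.
            response.sendError(HttpServletResponse.SC_SERVICE_UNAVAILABLE,
                    "Repository has no free sessions");
        } catch (LoginException e) {
            // Anonymous access was refused: request authentication instead of failing.
            // The realm value is an assumption for this example.
            response.setHeader("WWW-Authenticate", "Basic realm=\"Sling\"");
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
        } catch (RepositoryException e) {
            // Any other repository failure is a server-side problem, so 500.
            // Must come last: the two exceptions above are subclasses of RepositoryException.
            response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR,
                    "Repository unavailable");
        }
        return null;
    }
}
```

Catch order matters: both `LoginException` and the placeholder extend `RepositoryException`, so the generic handler has to be the final clause or it would swallow the more specific cases.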