Hi, Carsten Ziegeler schrieb: > I like the proposal :)
Thanks ;-) > I've a few comments. I think we don't need constants for workspace or > session for the login stuff. At least the workspace should/could be > a configuration of the jcr resource resolver factory. One the one hand, this is true, yes. On the other hand considering, that we might want to provide access to different workspaces (or even repositories ?) depending on the actual request, we probably need such runtime indication in the credentials. Adding the session is an approach to convert smoothly from today's JcrResourceResolverFactory taking a Session to the new ResourceResolverFactory with ResourceProviderFactory. Of course, we do not need a constant for this and could treat this as an implementation detail of the backwards-compatible JcrResourceResolverFactory implementation and the new JcrResourceProviderFactory implementation. > > The other thing is that I'm a little bit unsure how login really should > work. I think we should not login into all providers upfront. Let's say > if a provider is responsible for /a but this path is never accessed by > the user, it doesn't matter if the user is able to login into this > provider or not. So we need some kind of lazy login I guess (but this > might make exception handling or the case if a login fails more > complicated) Whether a ResourceProviderFactory logs in upfront or on-demand is probably an implementation detail. On the other hand considering, that we might want to use ResourceProviderFactory "login" as a means to authenticate the request as a whole, at least one ResourceProviderFactory must log in upfront to be able to do so. > > I could also imagine some kind of sso - so this might be a little bit > misleading term here. There is a master provider, let's say jcr. This > one might be able to add login credentials used by the other providers > to login. Perhaps we could add some plugin mechanism here to add > credentials based on a successful login into one provider? I haven't > thought this through yet, these are just my first unsorted comments :) So a ResourceProviderFactory would "enhance" the credentials with - say - a JCR Session, which may be used by other ResourceProviderFactory instances to short cut login ? Sounds reasonable. Not sure, whether we have to "codify" this ? Regards Felix
