Hi,

Bertrand Delacretaz wrote:
> On Mon, Feb 2, 2009 at 1:40 PM, Felix Meschberger <[email protected]> wrote:
>
>> Douglas José wrote:
> ...
>>> - How can I create an authenticated request?
> ...
>> One solution I could imagine is that we define a new exception
>> (say o.a.s.engine.auth.AuthenticationRequiredException), which then
>> causes the Sling main servlet to call into the above mentioned API. Thus
>> your error handler or rendering script could just throw this exception
>> and be assured the user is asked for authentication....
>
> Thinking as if I knew nothing about Sling internals, the least
> surprising way to handle this would be:

The problem is step 3 below...

> 1. Resource /foo exists but is not accessible to the anonymous user,
> due to JCR repository security settings
>
> 2. Client makes a non-authenticated request to /foo
>
> 3. Sling notices the missing authentication, and sends a response that
> causes authentication (401 status, or login form if one is provided in
> the application). Maybe Sling provides an extension point where
> application code can decide how to perform this authentication,
> instead of having hardcoded rules.

Initially we had this but decided to go the route of "what is not allowed to be accessed should be treated as if it would not be there". Hence the 404/NOT FOUND I mentioned earlier.

Next point is that we in fact have the mechanism in place to decide which authentication mechanism to select for which request. This is built into the SlingAuthenticator and makes use of the AuthenticationHandler.requestAuthentication method. The problem here is how to trigger the SlingAuthenticator to select an appropriate AuthenticationHandler whose requestAuthentication method can be called.

> 4. Client provides authentication credentials and requests /foo again,
> which works now
>
> Assuming we agree on this scenario, what do we need to change to implement it?

We cannot implement this as you propose, since it is not designed that way. Therefore, I think, the only solution is to find a mechanism to trigger this requestAuthentication call. In fact, having a well-defined trigger mechanism may also implement your proposal of step 3: in the 404/NOT FOUND handler, the mechanism is simply triggered.

Regards
Felix
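The trigger mechanism Felix describes, modelled as a self-contained Java sketch added here (not Sling's code and not part of the thread): a 404 handler throws AuthenticationRequiredException, the main servlet catches it and asks the authenticator for a handler whose requestAuthentication method sends the challenge, and if no handler claims the request the existing 404 behaviour is kept. Apart from the names quoted in the mail (AuthenticationRequiredException, SlingAuthenticator, AuthenticationHandler.requestAuthentication), everything is hypothetical, including the Response stand-in, the path-based BasicAuthHandler and the `accessible` flag that stands in for the JCR access check.

```java
import java.io.IOException;

/** Thrown by an error handler or rendering script to demand a login. */
class AuthenticationRequiredException extends RuntimeException {
    AuthenticationRequiredException(String path) { super(path); }
}
// Hypothetical stand-in for HttpServletResponse so the example runs offline.
class Response { int status = 200; String wwwAuthenticate; }

interface AuthenticationHandler {
    /** Sends the 401 or login form; false means the request is not its business. */
    boolean requestAuthentication(String path, Response resp) throws IOException;
}
/** Hypothetical handler: HTTP Basic challenge for everything under /foo. */
class BasicAuthHandler implements AuthenticationHandler {
    public boolean requestAuthentication(String path, Response resp) {
        if (!path.startsWith("/foo")) return false;
        resp.status = 401;
        resp.wwwAuthenticate = "Basic realm=\"Sling\"";
        return true;
    }
}
/** Models the SlingAuthenticator's job here: pick the handler that challenges. */
class SlingAuthenticator {
    private final AuthenticationHandler[] handlers;
    SlingAuthenticator(AuthenticationHandler... handlers) { this.handlers = handlers; }
    boolean requestAuthentication(String path, Response resp) throws IOException {
        for (AuthenticationHandler h : handlers)
            if (h.requestAuthentication(path, resp)) return true;
        return false; // nobody challenges: the caller keeps the 404 behaviour
    }
}

public class MainServlet {
    private final SlingAuthenticator auth = new SlingAuthenticator(new BasicAuthHandler());

    /** Step 3 of the scenario: a hidden resource stays a 404 unless a login is requested. */
    Response service(String path, boolean accessible) throws IOException {
        Response resp = new Response();
        try {
            if (!accessible) throw new AuthenticationRequiredException(path); // 404 handler opts in
        } catch (AuthenticationRequiredException e) {
            if (!auth.requestAuthentication(e.getMessage(), resp)) resp.status = 404;
        }
        return resp;
    }
    public static void main(String[] args) throws IOException {
        MainServlet s = new MainServlet();
        System.out.println(s.service("/foo", false).status); // 401: handler challenged
        System.out.println(s.service("/bar", false).status); // 404: no handler, stays hidden
    }
}
```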
