Hi Felix,

First of all, many thanks for your suggestions. Now I understand better how Sling behaves, but I still have some unclear points:

- How can I create an authenticated request?
- How can I implement a login page in Sling? Should I take the provided credentials and log in to a JCR Session with them, to replace the default anonymous JCR session?

Kindly,
Douglas

On Mon, Feb 2, 2009 at 11:16, Felix Meschberger <[email protected]> wrote:

> Hi Douglas,
>
> Douglas José wrote:
> > Hello,
> >
> > I would like to restrict the access to part of my Sling application. Using
> > the example of a blogging application, I want the posts to be public, but
> > the post creation page to be password protected.
> > I read something about configuring the "access authentication" component,
> > enabling/disabling the option "allow anonymous access", but it seems to me
> > an all-or-nothing option. Is that correct?
>
> Yes, the "Allow Anonymous Access" switch is an all-or-nothing switch
> with respect to requesting authentication. If you switch this on, no
> requests will require authentication by default. And now, it gets tricky
> and interesting ;-)
>
> Any non-authenticated request is handled in the background by an
> anonymous JCR Session. If the session cannot access the requested
> resource, it is not visible, hence the request will fail with a 404/NOT
> FOUND.
>
> Based on this background you may:
>
>    * Protect the post creation page from being accessible by
>      the anonymous user
>    * Implement a 404 error handler, which will cause the user to
>      provide credentials in case of anonymous requests
>
> Alternatively you may implement the post creation script such that it
> checks whether the request is actually authenticated or not and -- for
> example -- redirect the request to a login page in case the request is
> not authenticated.
>
> Hope this helps.
>
> Regards
> Felix
>

--
Douglas Jose
http://douglasjose.com - "Use free software. Help us make a free world."
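
The check-and-redirect alternative from the quoted reply, as an added example that is not part of the original thread or of Sling's own code. It uses only the standard Servlet API; the class name, the `/login.html` path, the `returnTo` parameter and the assumption that anonymous requests report no auth type are hypothetical and need checking against the Sling version in use.

```java
import java.io.IOException;
import java.net.URLEncoder;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Base class for servlets that must not run for anonymous requests, such as
 * the post creation page. Subclasses implement doGet/doPost as usual.
 * This only improves the user experience: the repository access control on
 * the protected content remains the actual security boundary.
 */
public abstract class AuthenticatedServlet extends HttpServlet {

    // Hypothetical login page and parameter name, chosen for this example.
    private static final String LOGIN_PAGE = "/login.html";
    private static final String RETURN_PARAM = "returnTo";

    // Assumption: requests served by the anonymous session report no auth
    // type and no remote user.
    static boolean isAuthenticated(HttpServletRequest request) {
        return request.getAuthType() != null && request.getRemoteUser() != null;
    }

    @Override
    protected void service(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        if (isAuthenticated(request)) {
            // Keep authenticated pages out of shared caches.
            response.setHeader("Cache-Control", "no-store");
            super.service(request, response);
            return;
        }
        String method = request.getMethod();
        if ("GET".equals(method) || "HEAD".equals(method)) {
            // The return path is taken from the server-side request URI, not
            // from a client-supplied parameter, so it is always a local path.
            // The login page must still reject absolute URLs in this parameter.
            String back = URLEncoder.encode(request.getRequestURI(), "UTF-8");
            response.sendRedirect(request.getContextPath() + LOGIN_PAGE
                    + "?" + RETURN_PARAM + "=" + back);
        } else {
            // A redirect would silently drop a submitted body; refuse instead.
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
        }
    }
}
```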
