On Mon, Feb 2, 2009 at 1:40 PM, Felix Meschberger <[email protected]> wrote:
> Douglas José wrote:
> ...
>> - How can I create an authenticated request?
> ...
> One solution I could imagine is, that we define a new exception
> (say o.a.s.engine.auth.AuthenticationRequiredException), which then
> causes the Sling main servlet to call into the above mentioned API. Thus
> your error handler or rendering script could just throw this exception
> and be assured, the user is asked for authentication....

Thinking as if I knew nothing about Sling internals, the least surprising way to handle this would be:

1. Resource /foo exists but is not accessible to the anonymous user, due to JCR repository security settings
2. Client makes a non-authenticated request to /foo
3. Sling notices the missing authentication, and sends a response that causes authentication (401 status, or login form if one is provided in the application). Maybe Sling provides an extension point where application code can decide how to perform this authentication, instead of having hardcoded rules.
4. Client provides authentication credentials and requests /foo again, which works now

Assuming we agree on this scenario, what do we need to change to implement it?

-Bertrand
