Hi Douglas,

Douglas José schrieb:
> Hi Felix,
> 
> First of all, many thanks for your suggestions. Now I understand better how
> Sling behaves, but I still have some unclear points:
> 
> - How can I create an authenticated request?

It seems like you stumbled upon an issue which has not been handled yet ;-)

Internally we have an API to request authentication for a request. This
functionality selects the appropriate authentication handler for the
request (according to the requested resource), which in turn then acts
correctly, be it by just sending a 401/UNAUTHORIZED reply or by
presenting a login form.

Unfortunately this API cannot be triggered from the outside.

One solution I could imagine is that we define a new exception
(say o.a.s.engine.auth.AuthenticationRequiredException), which then
causes the Sling main servlet to call into the above mentioned API. Thus
your error handler or rendering script could just throw this exception
and be assured that the user is asked for authentication.


> - How can I implement a login page in Sling? Should I take the provided
> credentials and login to a JCR Session with them, to replace the default
> anonymous JCR session?

The login mechanism depends on the authentication handler used. This may
be as simple as sending a 401/UNAUTHORIZED reply or as complicated as
initiating some SSO or OpenID interactions.

By providing a way to have the Sling Engine cause the authentication
request to be sent, you as an application programmer are relieved from
actually creating login forms as such.

WDYT ?

Regards
Felix

> 
> Kindly,
> 
> Douglas
> 
> On Mon, Feb 2, 2009 at 11:16, Felix Meschberger <[email protected]> wrote:
> 
>> Hi Douglas,
>>
>> Douglas José schrieb:
>>> Hello,
>>>
>>> I would like to restrict the access to part of my Sling application.
>>> Using the example of a blogging application, I want the posts to be
>>> public, but the post creation page to be password protected.
>>> I read something about configuring the "access authentication" component,
>>> enabling/disabling the option "allow anonymous access", but it seems to
>>> me an all-or-nothing option. Is that correct?
>> Yes, the "Allow Anonymous Access" switch is an all-or-nothing switch
>> with respect to requesting authentication. If you switch this on, no
>> requests will require authentication by default. And now, it gets tricky
>> and interesting ;-)
>>
>> Any non-authenticated request is handled in the background by an
>> anonymous JCR Session. If the session cannot access the requested
>> resource, it is not visible, hence the request will fail with a 404/NOT
>> FOUND.
>>
>> Based on this background you may:
>>
>>  * Protect the post creation page from being accessible by
>>     the anonymous user
>>  * Implement a 404 error handler, which will cause the user to
>>     provide credentials in case of anonymous requests
>>
>> Alternatively you may implement the post creation script such that it
>> checks whether the request is actually authenticated or not and -- for
>> example -- redirects the request to a login page in case the request is
>> not authenticated.
>>
>> Hope this helps.
>>
>> Regards
>> Felix
>>
>>
> 
> 
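The "check in the script itself" alternative from the quoted mail, written out as a Sling servlet. This is an added example, not code from the thread or from the Sling project: the package name, the resource-type registration left to OSGi configuration, the login page path `/content/blog/login` and the assumption that the anonymous JCR session reports the user id `anonymous` are all assumptions of this example. The point it adds beyond the mail is that the authentication check has to guard the POST that creates the post just as much as the GET that renders the form, and that non-browser clients are better served by a 401 than by a redirect to an HTML login page.

```java
package example.sling.auth; // hypothetical package, not part of Sling

import java.io.IOException;
import java.net.URLEncoder;

import javax.jcr.Session;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletResponse;

import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.api.SlingHttpServletResponse;
import org.apache.sling.api.servlets.SlingAllMethodsServlet;

/**
 * Guards the post creation resource of the blog: anonymous requests are
 * refused (redirect to a login page, or 401 for API clients) before any
 * form is rendered or any post is created. Registration for the blog's
 * post-creation resource type is assumed to happen via the usual OSGi
 * servlet configuration and is not shown here.
 */
public class PostCreationServlet extends SlingAllMethodsServlet {

    // Assumed location of the application's login page.
    private static final String LOGIN_PATH = "/content/blog/login";

    // Assumed user id reported by the anonymous JCR session.
    private static final String ANONYMOUS_USER = "anonymous";

    /** True when the request is served by the anonymous JCR session. */
    static boolean isAnonymous(SlingHttpServletRequest request) {
        Session session = request.getResourceResolver().adaptTo(Session.class);
        String userId = (session == null) ? null : session.getUserID();
        return userId == null || ANONYMOUS_USER.equals(userId);
    }

    @Override
    protected void doGet(SlingHttpServletRequest request,
            SlingHttpServletResponse response) throws ServletException, IOException {
        if (!requireAuthenticated(request, response)) {
            return; // response already committed
        }
        response.setContentType("text/html");
        response.setCharacterEncoding("UTF-8");
        response.getWriter().write("<form method=\"post\">...</form>"); // form rendering goes here
    }

    @Override
    protected void doPost(SlingHttpServletRequest request,
            SlingHttpServletResponse response) throws ServletException, IOException {
        // The same check guards the write: protecting only the form page
        // would leave the creation itself open to a hand-crafted POST.
        if (!requireAuthenticated(request, response)) {
            return;
        }
        // ... create the post using the (authenticated) resource resolver ...
        response.setStatus(HttpServletResponse.SC_CREATED);
    }

    /**
     * Returns true if the request is authenticated. Otherwise answers the
     * request itself and returns false: browsers are redirected to the login
     * page, other clients receive 401 so they know credentials are required.
     */
    private boolean requireAuthenticated(SlingHttpServletRequest request,
            SlingHttpServletResponse response) throws IOException {
        if (!isAnonymous(request)) {
            return true;
        }
        String accept = request.getHeader("Accept");
        if (accept != null && accept.contains("text/html")) {
            // Only the server-local request path is handed to the login page,
            // so the "return to" target cannot point off-site.
            String target = LOGIN_PATH + ".html?resource="
                    + URLEncoder.encode(request.getRequestURI(), "UTF-8");
            response.sendRedirect(target);
        } else {
            response.setHeader("WWW-Authenticate", "Basic realm=\"Sling\"");
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
        }
        return false;
    }
}
```

Compared with the 404-handler approach in the mail, this keeps the decision in the servlet: the resource may stay readable for anonymous users (so the listing still works), while both rendering and submitting the creation form require a non-anonymous session. The login page that receives the `resource` parameter should itself only redirect back to paths on the same host.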
