Well I gave it a go but the ServletRequest gets cast to a SlingHttpServletRequestImpl further in the chain and this class is not available to my filter when the bundle is deployed.

Scuppered at every turn :S

2009/10/14 Ben Short <[email protected]>:
> Paul,
>
> Yes I have read this document and understand the problem.
>
> So as a workaround for me, without having to break the way Sling
> operates, is to create a filter that sits first in the filter chain. It
> wraps the request and response to catch the basic auth header if set
> further in the filter chain. If the basic auth header was set then
> it creates an HTTP session and adds the auth header value as a session
> attribute. This results in a session cookie being sent to the browser.
>
> Next time the browser sends a request the session cookie is sent and
> the session is looked up. We can then get the auth header value
> session attribute and add it into our wrapped request as a header.
>
> So Sling thinks it's dealing with a request with basic auth and the
> browser is dealing with session-based requests.
>
> It's just an idea at the moment as I can't get the filter to load as yet :(
>
> I'd really like to use Sling for my project but not being able to log
> out a user in a standard way across all browsers is a bit of a
> blocker. I can just imagine trying to explain to people that they need
> to close the browser to log out. It's not going to go down well. And
> with Google Chrome and its multiple tabs it seems you have to close
> all of them as just closing the tab doesn't clear the basic auth.
>
> Regards
>
> Ben
>
> 2009/10/14 Paul McMahon <[email protected]>:
>> Here's an explanation of why you can't do a basic auth logout:
>>
>> http://httpd.apache.org/docs/1.3/howto/auth.html#basicfaq
>>
>> The only way I have ever seen it implemented is JavaScript that closes the
>> user's browser - which of course generates a security warning and may not
>> work.
>>
>> I have seen various ideas floated where you tie the realm you set during the
>> initial authentication to a session ID and then invalidate the session ID on
>> logout so that even though the browser keeps sending the basic auth header
>> on the server side you check the realm against the session ID and force
>> reauthentication because the session ID isn't valid. I have never seen
>> anyone implement that successfully - it has all sorts of issues I could see.
>>
>> Paul McMahon
>>
>> --- On Tue, 10/13/09, Ben Short <[email protected]> wrote:
>>
>> From: Ben Short <[email protected]>
>> Subject: Logout
>> To: [email protected]
>> Date: Tuesday, October 13, 2009, 2:20 PM
>>
>> Hi,
>>
>> I need to add a link that allows users to log out of my website. After
>> trawling the web I haven't found a way to log out a user while using
>> HTTP basic authentication.
>>
>> This seems like a bit of a killer for me. Can anyone suggest how I
>> might proceed?
>>
>> Regards
>>
>> Ben Short
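A minimal servlet filter sketching the session-replay workaround described in the quoted message, added here as an illustration; it is not code from the thread or from Sling. The class name, the session attribute name and the logout hook are assumptions, and as the top of the thread reports, Sling's downcast of the request to its own implementation class defeats this wrapping in practice.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

// Hypothetical filter: captures the Authorization header once, keeps it in the
// HTTP session, and replays it on later requests that carry only the session cookie.
public class BasicAuthSessionFilter implements Filter {
    // Session attribute name is an assumption for this example.
    static final String ATTR = "stored.authorization";

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        String header = request.getHeader("Authorization");
        HttpSession session = request.getSession(false);

        if (header != null && header.startsWith("Basic ")) {
            // Browser answered the 401 challenge: remember the header server-side and
            // start a session, so a session cookie goes back with the response.
            request.getSession(true).setAttribute(ATTR, header);
        } else if (session != null && session.getAttribute(ATTR) != null) {
            // Later request with only the session cookie: present the stored header
            // to the rest of the chain so the downstream auth handler sees basic auth.
            final String stored = (String) session.getAttribute(ATTR);
            request = new HttpServletRequestWrapper(request) {
                @Override public String getHeader(String name) {
                    return "Authorization".equalsIgnoreCase(name) ? stored : super.getHeader(name);
                }
            };
        }
        chain.doFilter(request, res);
    }

    // Logout hook (assumed to be called from a /logout servlet): dropping the session
    // discards the stored header, so the next request has no credentials and the
    // downstream handler challenges again. Note the browser still caches its own
    // basic-auth credentials, which is exactly the limitation the thread discusses.
    public static void logout(HttpServletRequest request) {
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }
    }
}
```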
