On Wed, Nov 9, 2011 at 6:41 AM, Markus Joschko <[email protected]> wrote:
> On Wed, Nov 9, 2011 at 3:11 PM, Felix Meschberger <[email protected]> wrote:
>> Hi,
>>
>> On 09.11.2011 at 12:56, Markus Joschko wrote:
>>
>>> With the most recent changes (SLING-2274) I can again use the CLI
>>> client over davex,
>>> but only when the anonymous user is enabled. As soon as I disable it,
>>> I again have the problem with the repository descriptor retrieval.
>>
>> Hmm, this is not how it is intended to be. The davex bundle registers a
>> dummy service which instructs the Sling Authenticator to not request
>> credentials if missing and thus pass through anonymously if credentials are
>> not preemptively provided.
>>
>> So, you should be able to do what you want.
>>
>> What request do you do to try to get this information (excuse my ignorance
>> here ;-) )
>
> I just try to connect with the standard command line utility via davex
> to the repository.
>
> java -jar jackrabbit-standalone-2.3.1-SNAPSHOT.jar --cli
> http://localhost:8080/server
>
> With the enabled anonymous user everything is fine and I can
> logout/login with admin.
> With the anonymous user disabled I still can login but I can not do
> any writes as the davex layer couldn't properly detect the
> capabilities of the repository.

IIUC this is because although there was a change in Jackrabbit
(https://issues.apache.org/jira/browse/JCR-3076) to handle the case when
the repository descriptors weren't available, it handles only 401 or 407
error codes. I haven't checked Felix's most recent changes, but last I
checked, it resulted in a 403 error code.

>
>>>
>>> However I have a customer requirement that is: Nobody should be able
>>> to login in the web UI with anonymous/anonymous.
>>
>> Agreed.
>>
>>> And AFAIK that can only be achieved by disabling the anonymous user.
>>> Or am I wrong? Is there another way to forbid login of the anonymous
>>> user.
>>
>> Well, with this setting we can prevent requests without credentials to pass
>> by the Sling Authenticator. But we cannot prevent someone coming with the
>> anonymous credentials from logging in. This has to be configured in the
>> repository IIUC.
>
> Oh sorry. With "disabling the anonymous user" I do not mean the flag
> on the authentication service but using the usermanager to disable the
> user in the repository. That is what I do and what prevents the davex
> servlet from working properly.
>
> That's because the request for the repository descriptors has no
> credentials included. So the anonymous user is used to fetch the
> descriptors. If this user is disabled,
> it is no longer possible to return a meaningful result. However having
> the anonymous user enabled also allows everybody to login as
> anonymous/anonymous.
>
> The original jackrabbit davex servlet has the
> init.missing-auth-mapping parameter to specify another user that can
> be used in case no credentials are provided. However that does not
> work with the sling authentication in place
> (https://issues.apache.org/jira/browse/SLING-2256)
>
> Regards,
> Markus
>
>>
>> Regards
>> Felix
>>
>>>
>>> Thanks,
>>> Markus
