On Wed, Nov 9, 2011 at 4:37 PM, Justin Edelson <[email protected]> wrote:
> On Wed, Nov 9, 2011 at 6:41 AM, Markus Joschko <[email protected]> 
> wrote:
>> On Wed, Nov 9, 2011 at 3:11 PM, Felix Meschberger <[email protected]> wrote:
>>> Hi,
>>>
>>> Am 09.11.2011 um 12:56 schrieb Markus Joschko:
>>>
>>>> With the most recent changes (SLING-2274) I can again use the CLI
>>>> client over davex,
>>>> but only when the anonymous user is enabled. As soon as I disable it,
>>>> I again have the problem with the repository descriptor retrieval.
>>>
>>> Hmm, this is not how it is intended to be. The davex bundle registers a 
>>> dummy service which instructs the Sling Authenticator to not request 
>>> credentials if missing and thus pass through anonymously if credentials are 
>>> not preemptively provided.
>>
>>>
>>> So, you should be able to do what you want.
>>>
>>> What request do you do to try to get this information (excuse my ignorance 
>>> here ;-) )
>>
>> I just try to connect with the standard command line utility via davex
>> to the repository.
>>
>> java -jar jackrabbit-standalone-2.3.1-SNAPSHOT.jar --cli
>> http://localhost:8080/server
>>
>> With the enabled anonymous user everything is fine and I can
>> logout/login with admin.
>> With the anonymous user disabled I still can login but I can not do
>> any writes as the davex layer couldn't properly detect the
>> capabilities of the repository.
>
> IIUC this is because although there was a change in Jackrabbit
> (https://issues.apache.org/jira/browse/JCR-3076) to handle the case
> when the repository descriptors weren't available, it handles only 401
> or 407 error codes. I haven't checked Felix's most recent changes, but
> last I checked, it resulted in a 403 error code.

Prior to JCR-3076 it was not even possible to connect to a repository
if it was protected by the sling authenticator (e.g. by a custom login
page).
The patch solves the "detection" of the repository.

The problem with the descriptors is mentioned by Jukka:
"A more complete fix would also modify the webdav server to always
allow repository descriptor report requests without authentication,
but that would require non-trivial changes to the way requests are
currently being processed in the webdav server. Doing that would allow
clients to access repository descriptors even if repository access
otherwise is blocked only to authenticated clients. Let's handle that
as a possible followup issue."


>
>>
>>>>
>>>> However I have a customer requirement that is: Nobody should be able
>>>> to login in the web UI with anonymous/anonymous.
>>>
>>> Agreed.
>>>
>>>> And AFAIK that can only be achieved by disabling the anonymous user.
>>>> Or am I wrong? Is there another way to forbid login of the anonymous
>>>> user.
>>>
>>> Well, with this setting we can prevent requests without credentials to pass 
>>> by the Sling Authenticator. But we cannot prevent someone coming with the 
>>> anonymous credentials from logging in. This has to be configured in the 
>>> repository IIUIC.
>>
>> Oh sorry. With "disabling the anonymous user" I do not mean the flag
>> on the authentication service but using the usermanager to disable the
>> user in the repository. That is what I do and what prevents the davex
>> servlet from working properly.
>>
>> That's because the request for the repository descriptors has no
>> credentials included. So the anonymous user is used to fetch the
>> descriptors. If this user is disabled,
>> it is no longer possible to return a meaningful result. However having
>> the anonymous user enabled also allows everybody to login as
>> anonymous/anonymous.
>>
>> The original jackrabbit davex servlet has the
>> init.missing-auth-mapping parameter to specify another user that can
>> be used in case no credentials are provided. However that does not
>> work with the sling authentication in place
>> (https://issues.apache.org/jira/browse/SLING-2256)
>>
>> Regards,
>>  Markus
>>
>>
>>
>>
>>>
>>> Regards
>>> Felix
>>>
>>>>
>>>> Thanks,
>>>> Markus
>>>
>>>
>>
>

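A small diagnostic, added here as an example and not taken from the thread, from Jackrabbit or from Sling, that connects over davex with explicit credentials and prints the repository descriptors the client ended up with. It lets an administrator who has disabled the anonymous user in the repository confirm whether the credential-less descriptor request the thread describes still succeeded. The davex URL and the account are placeholders; the assumption that a failed descriptor report shows up as missing or "false" descriptor values is the author's, not something the thread states.

```java
import javax.jcr.Repository;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.SimpleCredentials;
import org.apache.jackrabbit.commons.JcrUtils;

/**
 * Added diagnostic (example code, not part of the thread, Jackrabbit or Sling):
 * connect over davex, report the descriptors the client obtained, then log in
 * with explicit credentials. The endpoint and account below are placeholders.
 */
public class DavexDescriptorCheck {

    // Placeholders: replace with the real davex endpoint and a non-anonymous account.
    private static final String DAVEX_URL = "http://localhost:8080/server";
    private static final String USER = "admin";
    private static final char[] PASSWORD = "CHANGE-ME".toCharArray();

    // Descriptors that a client consults before attempting writes.
    private static final String[] KEYS_OF_INTEREST = {
        Repository.REP_NAME_DESC,
        Repository.REP_VERSION_DESC,
        Repository.WRITE_SUPPORTED,
        Repository.OPTION_TRANSACTIONS_SUPPORTED
    };

    public static void main(String[] args) throws RepositoryException {
        // JcrUtils selects the jcr2dav factory for an http(s) URI; the descriptor
        // report is issued by the client without credentials at this point.
        Repository repository = JcrUtils.getRepository(DAVEX_URL);

        String[] keys = repository.getDescriptorKeys();
        System.out.println("descriptor keys reported by the server: " + keys.length);
        for (String key : KEYS_OF_INTEREST) {
            System.out.println(key + " = " + repository.getDescriptor(key));
        }

        // Login with explicit credentials still works in the scenario described
        // in the thread; only the anonymous descriptor fetch is affected.
        Session session = repository.login(new SimpleCredentials(USER, PASSWORD));
        try {
            System.out.println("logged in as " + session.getUserID());
        } finally {
            session.logout();
        }

        // Assumption: if the anonymous descriptor request was rejected, the
        // write-support descriptor is absent or not "true", which is the
        // condition under which the CLI refuses writes.
        if (!"true".equals(repository.getDescriptor(Repository.WRITE_SUPPORTED))) {
            System.out.println("WRITE_SUPPORTED not reported: the credential-less "
                + "descriptor request most likely failed; check the anonymous user "
                + "and the authenticator configuration.");
        }
    }
}
```

Run it against the same URL the CLI uses (`--cli http://localhost:8080/server` in the thread) once with the anonymous user enabled and once with it disabled in the user manager; the difference in the printed descriptors is the "capabilities" problem the thread refers to, separated from the login itself.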