hi markus (and including jackrabbit-dev as this doesn't really belong to the sling list)

I just try to connect with the standard command line utility via davex
to the repository.

java -jar jackrabbit-standalone-2.3.1-SNAPSHOT.jar --cli http://localhost:8080/server

With the enabled anonymous user everything is fine and I can
logout/login with admin.
With the anonymous user disabled I can still log in, but I cannot do
any writes, as the davex layer couldn't properly detect the
capabilities of the repository.

IIUC this is because although there was a change in Jackrabbit
(https://issues.apache.org/jira/browse/JCR-3076) to handle the case
when the repository descriptors weren't available, it handles only 401
or 407 error codes. I haven't checked Felix's most recent changes, but
last I checked, it resulted in a 403 error code.

Prior to JCR-3076 it was not even possible to connect to a repository
if it was protected by the sling authenticator (e.g. by a custom login
page).
The patch solves the "detection" of the repository.

The problem with the descriptors is mentioned by Jukka:
"A more complete fix would also modify the webdav server to always
allow repository descriptor report requests without authentication,
but that would require non-trivial changes to the way requests are
currently being processed in the webdav server. Doing that would allow
clients to access repository descriptors even if repository access
otherwise is blocked only to authenticated clients. Let's handle that
as a possible followup issue."

if i am not mistaken we could fix that rather easily on the
client (jcr2spi) side. currently SessionImpl#isSupportedOption
assumes that the descriptors have been successfully loaded.

i would suggest that we change that code such that it only evaluates
the descriptor if the descriptor is present and otherwise returns true.
in the latter case the fact that a given SPI implementation does not
support a given feature will only be detected upon passing the
call for processing to the SPI. this is pretty straightforward for
all the workspace operations and maybe a bit inconvenient for
Session#save. but most probably that would solve your problem.

what do you think?
angela
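To make the proposed change concrete, here is an added, self-contained mock (not jcr2spi's own code): a stand-in for SessionImpl#isSupportedOption that evaluates a descriptor only when the descriptor map was actually loaded and otherwise answers true, leaving the real check to the SPI call. The class name, the descriptor key and the SPI stub are assumptions for illustration; the map being null models the case where the unauthenticated descriptor request was rejected because the anonymous user is disabled.

```java
import java.util.Map;

// Hypothetical stand-in for jcr2spi's SessionImpl (constructed example).
// descriptors == null models "descriptor report failed, nothing loaded".
public class DescriptorFallbackDemo {

    // Illustrative descriptor key: "true" means the repository accepts writes.
    static final String WRITE_SUPPORTED = "level.2.supported";

    // Proposed behaviour: consult the descriptor only if it is present,
    // otherwise return true and let the SPI decide when the call is made.
    static boolean isSupportedOption(Map<String, String> descriptors, String key) {
        if (descriptors == null || !descriptors.containsKey(key)) {
            return true;
        }
        return Boolean.parseBoolean(descriptors.get(key));
    }

    // Stand-in for handing Session#save to the SPI. With no descriptors the
    // client no longer blocks the call; the (authenticated) SPI request is
    // the gate that actually enforces what the repository allows.
    static void save(Map<String, String> descriptors, boolean spiAcceptsWrites) {
        if (!isSupportedOption(descriptors, WRITE_SUPPORTED)) {
            throw new UnsupportedOperationException("client: repository reports read-only");
        }
        if (!spiAcceptsWrites) {
            throw new UnsupportedOperationException("SPI: write rejected by the repository");
        }
        System.out.println("save passed to the SPI and accepted");
    }

    public static void main(String[] args) {
        // Anonymous user enabled: descriptors were loaded and are evaluated.
        Map<String, String> loaded = Map.of(WRITE_SUPPORTED, "false");
        System.out.println(isSupportedOption(loaded, WRITE_SUPPORTED)); // false

        // Anonymous user disabled: descriptor request failed, map is null.
        System.out.println(isSupportedOption(null, WRITE_SUPPORTED));   // true
        save(null, true);  // succeeds: the SPI accepted the authenticated write

        try {
            save(null, false); // unsupported feature is detected only at the SPI
        } catch (UnsupportedOperationException e) {
            System.out.println("detected late: " + e.getMessage());
        }
    }
}
```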

However I have a customer requirement that is: Nobody should be able
to login in the web UI with anonymous/anonymous.

Agreed.

And AFAIK that can only be achieved by disabling the anonymous user.
Or am I wrong? Is there another way to forbid login of the anonymous
user.

Well, with this setting we can prevent requests without credentials to pass by
the Sling Authenticator. But we cannot prevent someone coming with the
anonymous credentials from logging in. This has to be configured in the
repository IIUIC.

Oh sorry. With "disabling the anonymous user" I do not mean the flag
on the authentication service but using the usermanager to disable the
user in the repository. That is what I do and what prevents the davex
servlet from working properly.

That's because the request for the repository descriptors has no
credentials included. So the anonymous user is used to fetch the
descriptors. If this user is disabled,
it is no longer possible to return a meaningful result. However, having
the anonymous user enabled also allows everybody to login as
anonymous/anonymous.

The original jackrabbit davex servlet has the
init.missing-auth-mapping parameter to specify another user that can
be used in case no credentials are provided. However that does not
work with the sling authentication in place
(https://issues.apache.org/jira/browse/SLING-2256)

Regards,
  Markus

Regards
Felix


Thanks,
Markus