Hi Angela, seems fine to me. All my headaches are caused by request from the client where I can not pass credentials. If this is skipped, I am fine.
Regards,
Markus

On Thu, Nov 10, 2011 at 9:03 AM, Angela Schreiber <[email protected]> wrote:
> hi markus (and including jackrabbit-dev as this doesn't really belong to
> the sling list)
>
>>>> I just try to connect with the standard command line utility via davex
>>>> to the repository.
>>>>
>>>> java -jar jackrabbit-standalone-2.3.1-SNAPSHOT.jar --cli
>>>> http://localhost:8080/server
>>>>
>>>> With the enabled anonymous user everything is fine and I can
>>>> logout/login with admin.
>>>> With the anonymous user disabled I still can login but I can not do
>>>> any writes as the davex layer couldn't properly detect the
>>>> capabilities of the repository.
>>>
>>> IIUC this is because although there was a change in Jackrabbit
>>> (https://issues.apache.org/jira/browse/JCR-3076) to handle the case
>>> when the repository descriptors weren't available, it handles only 401
>>> or 407 error codes. I haven't checked Felix's most recent changes, but
>>> last I checked, it resulted in a 403 error code.
>>
>> Prior to JCR-3076 it was not even possible to connect to a repository
>> if it was protected by the sling authenticator (e.g. by a custom login
>> page).
>> The patch solves the "detection" of the repository.
>>
>> The problem with the descriptors is mentioned by Jukka:
>> "A more complete fix would also modify the webdav server to always
>> allow repository descriptor report requests without authentication,
>> but that would require non-trivial changes to the way requests are
>> currently being processed in the webdav server. Doing that would allow
>> clients to access repository descriptors even if repository access
>> otherwise is blocked only to authenticated clients. Let's handle that
>> as a possible followup issue."
>
> if i am not mistaken we could fix that rather easily on the
> client (jcr2spi) side. currently SessionImpl#isSupportedOption
> assumes that the descriptors have been successfully loaded.
>
> i would suggest that we change that code such that it only evaluates
> the descriptor if the descriptor is present and otherwise returns true.
> in the latter case the fact that a given SPI implementation does not
> support a given feature will only be detected upon passing the
> call for processing to the SPI. this is pretty straightforward for
> all the workspace operations and maybe a bit inconvenient for Session#save.
> but most probably that would solve your problem.
>
> what do you think?
> angela
>
>>>>>> However I have a customer requirement that is: Nobody should be able
>>>>>> to login in the web UI with anonymous/anonymous.
>>>>>
>>>>> Agreed.
>>>>>
>>>>>> And AFAIK that can only be achieved by disabling the anonymous user.
>>>>>> Or am I wrong? Is there another way to forbid login of the anonymous
>>>>>> user.
>>>>>
>>>>> Well, with this setting we can prevent requests without credentials to
>>>>> pass by the Sling Authenticator. But we cannot prevent someone coming with
>>>>> the anonymous credentials from logging in. This has to be configured in
>>>>> the repository IIUC.
>>>>
>>>> Oh sorry. With "disabling the anonymous user" I do not mean the flag
>>>> on the authentication service but using the usermanager to disable the
>>>> user in the repository. That is what I do and what prevents the davex
>>>> servlet from working properly.
>>>>
>>>> That's because the request for the repository descriptors has no
>>>> credentials included. So the anonymous user is used to fetch the
>>>> descriptors. If this user is disabled,
>>>> it is no longer possible to return a meaningful result. However having
>>>> the anonymous user enabled also allows everybody to login as
>>>> anonymous/anonymous.
>>>>
>>>> The original jackrabbit davex servlet has the
>>>> init.missing-auth-mapping parameter to specify another user that can
>>>> be used in case no credentials are provided. However that does not
>>>> work with the sling authentication in place
>>>> (https://issues.apache.org/jira/browse/SLING-2256)
>>>>
>>>> Regards,
>>>> Markus
>>>>
>>>>> Regards
>>>>> Felix
>>>>>
>>>>>> Thanks,
>>>>>> Markus
