Hi all, just as a follow up on this issue: With the updated descriptor evaluation (JCR-3143) I have no issues any longer with the davex servlet and the sling authentication.
Thanks for following up on this one.

Regards,
Markus

On Thu, Nov 10, 2011 at 10:26 AM, Markus Joschko <[email protected]> wrote:
> Hi Angela,
> seems fine to me. All my headaches are caused by request from the
> client where I can not pass credentials.
> If this is skipped, I am fine.
>
> Regards,
> Markus
>
> On Thu, Nov 10, 2011 at 9:03 AM, Angela Schreiber <[email protected]> wrote:
>> hi markus (and including jackrabbit-dev as this doesn't really belong to
>> the sling list)
>>
>>>>> I just try to connect with the standard command line utility via davex
>>>>> to the repository.
>>>>>
>>>>> java -jar jackrabbit-standalone-2.3.1-SNAPSHOT.jar --cli
>>>>> http://localhost:8080/server
>>>>>
>>>>> With the enabled anonymous user everything is fine and I can
>>>>> logout/login with admin.
>>>>> With the anonymous user disabled I still can login but I can not do
>>>>> any writes as the davex layer couldn't properly detect the
>>>>> capabilities of the repository.
>>>>
>>>> IIUC this is because although there was a change in Jackrabbit
>>>> (https://issues.apache.org/jira/browse/JCR-3076) to handle the case
>>>> when the repository descriptors weren't available, it handles only 401
>>>> or 407 error codes. I haven't checked Felix's most recent changes, but
>>>> last I checked, it resulted in a 403 error code.
>>>
>>> Prior to JCR-3076 it was not even possible to connect to a repository
>>> if it was protected by the sling authenticator (e.g. by a custom login
>>> page).
>>> The patch solves the "detection" of the repository.
>>>
>>> The problem with the descriptors is mentioned by Jukka:
>>> "A more complete fix would also modify the webdav server to always
>>> allow repository descriptor report requests without authentication,
>>> but that would require non-trivial changes to the way requests are
>>> currently being processed in the webdav server. Doing that would allow
>>> clients to access repository descriptors even if repository access
>>> otherwise is blocked only to authenticated clients. Let's handle that
>>> as a possible followup issue."
>>
>> if i am not mistaken we could fix that rather easily on the
>> client (jcr2spi) side. currently SessionImpl#isSupportedOption
>> assumes that the descriptors have been successfully loaded.
>>
>> i would suggest that we change that code such that it only evaluates
>> the descriptor if the descriptor is present and otherwise returns true.
>> in the latter case the fact that a given SPI implementation does not
>> support a given feature will only be detected upon passing the
>> call for processing to the SPI. this is pretty straight forward for
>> all the workspace operations and maybe a bit inconvenient for Session#save.
>> but most probably that would solve your problem.
>>
>> what do you think?
>> angela
>>
>>>>>>> However I have a customer requirement that is: Nobody should be able
>>>>>>> to login in the web UI with anonymous/anonymous.
>>>>>>
>>>>>> Agreed.
>>>>>>
>>>>>>> And AFAIK that can only be achieved by disabling the anonymous user.
>>>>>>> Or am I wrong? Is there another way to forbid login of the anonymous
>>>>>>> user.
>>>>>>
>>>>>> Well, with this setting we can prevent requests without credentials to
>>>>>> pass by the Sling Authenticator. But we cannot prevent someone coming with
>>>>>> the anonymous credentials from logging in. This has to be configured in the
>>>>>> repository IIUIC.
>>>>>
>>>>> Oh sorry. With "disabling the anonymous user" I do not mean the flag
>>>>> on the authentication service but using the usermanager to disable the
>>>>> user in the repository. That is what I do and what prevents the davex
>>>>> servlet from working properly.
>>>>>
>>>>> That's because the request for the repository descriptors has no
>>>>> credentials included. So the anonymous user is used to fetch the
>>>>> descriptors. If this user is disabled,
>>>>> it is no longer possible to return a meaningful result. However having
>>>>> the anonymous user enabled also allows everybody to login as
>>>>> anonymous/anonymous.
>>>>>
>>>>> The original jackrabbit davex servlet has the
>>>>> init.missing-auth-mapping parameter to specify another user that can
>>>>> be used in case no credentials are provided. However that does not
>>>>> work with the sling authentication in place
>>>>> (https://issues.apache.org/jira/browse/SLING-2256)
>>>>>
>>>>> Regards,
>>>>> Markus
>>>>>
>>>>>> Regards
>>>>>> Felix
>>>>>>
>>>>>>> Thanks,
>>>>>>> Markus
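The client-side fallback Angela proposes in the thread above, shown as an added illustrative Java class (hypothetical code written for this page, not jcr2spi's SessionImpl or any other Jackrabbit code). The class name, the DescriptorFetch holder and the lockNode method are assumptions; the descriptor key option.locking.supported is the standard JCR 2.0 descriptor. The point it demonstrates: when the unauthenticated descriptor report is rejected (401, 403 or 407, for instance because the anonymous user was disabled through the user manager), the client does not conclude "unsupported" but reports "supported" and lets the actual SPI call be the authority, so a hardened repository stays usable for authenticated clients.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;

/**
 * Lenient capability check for a davex/jcr2spi-style client (hypothetical
 * example, not Jackrabbit code). Descriptors are evaluated only when they were
 * actually loaded; otherwise the check is optimistic and the SPI decides.
 */
public class LenientCapabilityCheck {

    /** Outcome of the descriptor report request; descriptors is null if it was rejected. */
    static final class DescriptorFetch {
        final Map<String, String> descriptors;
        final int httpStatus;

        DescriptorFetch(Map<String, String> descriptors, int httpStatus) {
            this.descriptors = descriptors;
            this.httpStatus = httpStatus;
        }
    }

    private final Map<String, String> descriptors; // null when unavailable

    LenientCapabilityCheck(DescriptorFetch fetch) {
        // 401/407 (JCR-3076) and 403 (what the Sling authenticator was observed
        // to return) are all treated as "report blocked", not "feature absent".
        boolean blocked = fetch.httpStatus == 401 || fetch.httpStatus == 403 || fetch.httpStatus == 407;
        if (blocked || fetch.descriptors == null) {
            this.descriptors = null;
        } else {
            this.descriptors = Collections.unmodifiableMap(new HashMap<>(fetch.descriptors));
        }
    }

    /** Evaluate the descriptor if present; otherwise return true and defer to the SPI. */
    boolean isSupportedOption(String key) {
        if (descriptors == null) {
            return true;
        }
        return "true".equalsIgnoreCase(descriptors.get(key));
    }

    /**
     * A workspace operation guarded by the capability check. The second
     * argument stands in for the SPI's real answer, which is only learned
     * when the call is actually passed on for processing.
     */
    void lockNode(String path, boolean spiSupportsLocking) {
        if (!isSupportedOption("option.locking.supported")) {
            throw new UnsupportedOperationException("locking not supported (per descriptor)");
        }
        if (!spiSupportsLocking) {
            throw new UnsupportedOperationException("locking not supported (reported by SPI)");
        }
        System.out.println("locked " + path);
    }

    public static void main(String[] args) {
        // Constructed sample 1: descriptors loaded, locking explicitly unsupported.
        Map<String, String> loaded = new HashMap<>();
        loaded.put("option.locking.supported", "false");
        LenientCapabilityCheck withDescriptors =
                new LenientCapabilityCheck(new DescriptorFetch(loaded, 200));
        System.out.println("with descriptors: "
                + withDescriptors.isSupportedOption("option.locking.supported"));

        // Constructed sample 2: report rejected with 403 because anonymous is disabled.
        LenientCapabilityCheck withoutDescriptors =
                new LenientCapabilityCheck(new DescriptorFetch(null, 403));
        System.out.println("without descriptors: "
                + withoutDescriptors.isSupportedOption("option.locking.supported"));
        try {
            withoutDescriptors.lockNode("/content/a", false);
        } catch (UnsupportedOperationException e) {
            // Unsupported feature is detected only once the SPI processes the call.
            System.out.println(e.getMessage());
        }
    }
}
```

The trade-off Angela mentions is visible in lockNode: with descriptors unavailable the client cannot fail fast, so an unsupported feature surfaces only when the SPI processes the call, which is acceptable for individual workspace operations but less convenient for a batched Session#save.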
