Hi,

On 27.03.2012 at 11:56, David G. wrote:

> Hi Felix - thanks for the info. have a few more Qs inline.
> 
> On Tue, Mar 27, 2012 at 11:18 AM, Felix Meschberger <[email protected]>wrote:
> 
>> 
>>> My understanding was an Auth Handler merely authenticates credentials, and
>>> generally doesn't actively issue tokens.
>>> 
>>> An example flow might be:
>>> 
>>> 1) User POSTs username/password to servlet.
>> 
>> There is no servlet involved in the authentication process (other than for
>> providing the HTML form for the user to enter user name and password)
> 
> 
> The Login Form has to POST to *something* .. what does it point at?

If you do form based authentication, you will also have an authentication 
handler. The form and the handler will agree on the URL. Generally it's just a 
URL with /j_security_check appended (as stipulated by the Servlet Spec). See 
for example the Sling Form Authentication Handler.

> 
> 
>>> 2) Servlet authenticates credentials (via whatever means necessary, may
>>> need to reach out to 3rd party system)
>>> 3) Servlet adds a secure auth cookie to response object
>>> 4) Servlet redirects to resource /page/b.html
>>> 5) Authentication Handler matches on /page/b, extracts the secure auth
>>> cookie, validates, and "logs" the user in for that request
>> 
>> What's happening is:
>> 
>> 1. client sends request with username and password
>> 2. SlingAuthenticator calls AuthenticationHandler
> 
> So there you could have 2 auth handlers: 1 whose extractCreds looks for
> POST params username/password and 2nd who looks for the existence of a
> Cookie. Or optionally combine them into a single AuthHandler.

This can be the same.

> 
>> 3. AuthenticationHandler returns AuthenticationInfo with username and
>> password
>> 4. SlingAuthenticator calls RepositoryFactory with AuthenticationInfo to
>> get resource resolver and validate the credentials
> 
> If you want to do something "special" during validation (such as reach out
> to a 3rd party system and check some state or send to a registration page
> if the username doesn't exist in the user list) -- where would this come
> into play?

Unless this is being done as part of the Jackrabbit LoginModule, I would 
probably do this as part of the extractCredentials step. For example in the 
OpenID case, you redirect the user to the OpenID provider and only if the 
identity is validated you will check whether a corresponding user exists in the 
repository and create it if not.

> 
> 
>> 5. SlingAuthenticator calls
>> AuthenticationFeedbackHandler.authenticationSucceeded which may set cookies
>> 6. request continues to be processed (or is redirected)
>> 
> 
> Where/when/why would Authenticator.login(request, response) get called.
> This seems to be a mechanism to be called from a servlet (or someplace
> other than the sling auth "ecosystem")

This is a helper service for servlets deciding to require authentication. So 
they call login to start the authentication process. 

Regards
Felix

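Added example (not code from the thread or from Sling itself): one handler that does what the discussion above describes, extracting credentials from either the form POST to /j_security_check or a previously issued cookie (step 2, "this can be the same"), and setting that cookie in authenticationSucceeded (step 5) only after the repository has validated the password. The class name, cookie name, login form path and the in-memory session map are assumptions made for the example.

```java
import java.io.IOException;
import java.math.BigInteger;
import java.security.SecureRandom;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.sling.auth.core.spi.AuthenticationFeedbackHandler;
import org.apache.sling.auth.core.spi.AuthenticationHandler;
import org.apache.sling.auth.core.spi.AuthenticationInfo;

/** Hypothetical handler: step 2 (extract from form POST or cookie) plus step 5 (set cookie). */
public class FormAndCookieAuthHandler implements AuthenticationHandler, AuthenticationFeedbackHandler {
    private static final String AUTH_TYPE = "FORM";
    private static final String COOKIE = "sling.auth";      // constructed cookie name
    private static final String LOGIN_FORM = "/login.html"; // assumed path of the HTML login form
    private static final SecureRandom RNG = new SecureRandom();
    private final Map<String, String> sessions = new ConcurrentHashMap<>(); // token -> user, server side
    public AuthenticationInfo extractCredentials(HttpServletRequest req, HttpServletResponse res) {
        // Source 1: a cookie issued earlier (e.g. on the later request for /page/b.html)
        for (Cookie c : req.getCookies() == null ? new Cookie[0] : req.getCookies()) {
            String user = COOKIE.equals(c.getName()) ? sessions.get(c.getValue()) : null;
            if (user != null) return new AuthenticationInfo(AUTH_TYPE, user);
        }
        // Source 2: the form POST to the URL the form and the handler agreed on
        if ("POST".equals(req.getMethod()) && req.getRequestURI().endsWith("/j_security_check")) {
            String user = req.getParameter("j_username"), pwd = req.getParameter("j_password");
            if (user != null && pwd != null) return new AuthenticationInfo(AUTH_TYPE, user, pwd.toCharArray());
        }
        return null; // nothing for this handler; SlingAuthenticator asks the next one
    }
    public boolean requestCredentials(HttpServletRequest req, HttpServletResponse res) throws IOException {
        res.sendRedirect(LOGIN_FORM + "?resource=" + req.getRequestURI()); // send the user to the form
        return true;
    }
    public void dropCredentials(HttpServletRequest req, HttpServletResponse res) {
        Cookie gone = new Cookie(COOKIE, ""); gone.setMaxAge(0); gone.setPath("/"); res.addCookie(gone);
    }
    public void authenticationFailed(HttpServletRequest req, HttpServletResponse res, AuthenticationInfo info) { }
    public boolean authenticationSucceeded(HttpServletRequest req, HttpServletResponse res, AuthenticationInfo info) {
        if (info.getPassword() != null) { // step 5: password was validated by the repository, issue the cookie
            String token = new BigInteger(160, RNG).toString(32); // opaque, never the password itself
            sessions.put(token, info.getUser());
            Cookie c = new Cookie(COOKIE, token);
            c.setHttpOnly(true); c.setSecure(true); c.setPath("/"); res.addCookie(c);
        }
        return false; // false: let the request continue to be processed
    }
}
```

Logging in the cookie-identified user without a password in step 4 assumes the repository is configured to trust this handler, as Sling's own form handler arranges; the in-memory map also needs an expiry policy before real use.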