Hi, and sorry for talking to myself here, but maybe this helps others, too ;)
On [1] I found the information about the form-based JAAS authentication in Sling. The interesting sentence is: "The j_username and j_password parameters are used to create a JCR SimpleCredentials [2] object to log into the JCR Repository."

I assume Sling uses [3] to log in to the JCR repository, which returns a session object that is then managed by Sling. So, when accessing some resource, Sling will try to retrieve the resource based on the user credentials from the JCR. That means, to manage access control one has to control it at JCR level.

[1] http://sling.apache.org/site/form-based-authenticationhandler.html
[2] http://www.day.com/maven/javax.jcr/javadocs/jcr-2.0/javax/jcr/SimpleCredentials.html
[3] http://www.day.com/maven/javax.jcr/javadocs/jcr-2.0/javax/jcr/Repository.html#login(javax.jcr.Credentials, java.lang.String)

2013/3/21 Fabian Christ <[email protected]>:
> Hi,
>
> I see that most of the AuthenticationHandler [1] is deprecated. I
> think this is the interface to implement when I want to plug in my own
> authentication logic. What is its replacement?
>
> [1] http://sling.apache.org/apidocs/sling6/org/apache/sling/engine/auth/AuthenticationHandler.html
>
> 2013/3/21 Fabian Christ <[email protected]>:
>> Hi,
>>
>> I think I have found what I was looking for as an introduction in
>> Jackrabbit [1].
>>
>> [1] http://wiki.apache.org/jackrabbit/AccessControl
>>
>> So from a Sling perspective, I have to log in to the JCR using, e.g.
>> org.apache.sling.jcr.api.SlingRepository.login() somewhere in my code
>> with the right user credentials. But Sling also provides JAAS
>> functionality at the /j_security_check endpoint, right?
>>
>> 2013/3/21 Fabian Christ <[email protected]>:
>>> Hi,
>>>
>>> I was playing with the slingbucks example [1]. I noticed that it
>>> required authentication in order to accept POST requests to create new
>>> orders. After logging in via admin:admin at the Sling main page, the
>>> slingbucks order process worked.
>>>
>>> My assumption is that the underlying JCR requires authentication
>>> before it allows any write operations, right?
>>>
>>> I started to look for documentation on authentication and user
>>> management. I see that there is a user management RESTful API [1] but
>>> cannot find more details about it.
>>>
>>> The documentation in [2] is on a low technical level but I am missing
>>> some overview of how users should be managed for a webapp. Any hints are
>>> welcome.
>>>
>>> [1] https://cwiki.apache.org/confluence/display/SLING/FAQ#FAQ-HowdoIchangeJackrabbit%27sadminpassword%3F
>>> [2] http://sling.apache.org/site/authentication.html
>>>
>>> --
>>> Fabian
>>> http://twitter.com/fctwitt
>>
>> --
>> Fabian
>> http://twitter.com/fctwitt
>
> --
> Fabian
> http://twitter.com/fctwitt

--
Fabian
http://twitter.com/fctwitt
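To make the JCR-level access control described in the top message concrete, here is an added Java example (not code from this thread, from Sling or from Jackrabbit). It assumes a javax.jcr.Repository reference, for instance obtained from SlingRepository, a hypothetical user id, and the Jackrabbit-specific JackrabbitSession API for the principal lookup.

```java
import java.security.Principal;
import java.util.Arrays;
import javax.jcr.Repository;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.SimpleCredentials;
import javax.jcr.security.AccessControlList;
import javax.jcr.security.AccessControlManager;
import javax.jcr.security.AccessControlPolicy;
import javax.jcr.security.AccessControlPolicyIterator;
import javax.jcr.security.Privilege;
import org.apache.jackrabbit.api.JackrabbitSession;

public final class JcrAccessControlExample {

    // Log in the way the form handler does: j_username/j_password -> SimpleCredentials -> Repository.login().
    static Session login(Repository repo, String user, char[] password) throws RepositoryException {
        SimpleCredentials creds = new SimpleCredentials(user, password); // clones the password array
        Arrays.fill(password, '\0');       // so the caller's copy can be cleared right away
        return repo.login(creds, null);    // null = default workspace
    }

    // The repository-level check that makes an anonymous POST fail and an admin POST succeed.
    static boolean canWrite(Session session, String path) throws RepositoryException {
        return session.hasPermission(path,
                Session.ACTION_ADD_NODE + "," + Session.ACTION_SET_PROPERTY + "," + Session.ACTION_REMOVE);
    }

    // Grant jcr:write below path to userId (a hypothetical user) with a session that may edit ACLs.
    static void grantWrite(Session adminSession, String path, String userId) throws RepositoryException {
        AccessControlManager acm = adminSession.getAccessControlManager();
        Principal principal = ((JackrabbitSession) adminSession).getPrincipalManager().getPrincipal(userId);
        if (principal == null) throw new RepositoryException("unknown principal: " + userId);
        AccessControlList acl = null;
        for (AccessControlPolicy p : acm.getPolicies(path)) {          // ACL already bound to the node?
            if (p instanceof AccessControlList) acl = (AccessControlList) p;
        }
        AccessControlPolicyIterator it = acm.getApplicablePolicies(path);
        while (acl == null && it.hasNext()) {                            // otherwise take an unbound one
            AccessControlPolicy p = it.nextAccessControlPolicy();
            if (p instanceof AccessControlList) acl = (AccessControlList) p;
        }
        if (acl == null) throw new RepositoryException("no ACL policy available at " + path);
        Privilege[] write = { acm.privilegeFromName(Privilege.JCR_WRITE) };
        acl.addAccessControlEntry(principal, write);
        acm.setPolicy(path, acl);   // transient until saved, like any other JCR change
        adminSession.save();
    }
}
```

Because the ACL lives in the repository, the same grant applies whether the user came in through /j_security_check or through a direct SlingRepository.login() call.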
