...
How to generalize initiation of the authentication process. (IMPLEMENTED)
Status: IMPLEMENTED (formerly DRAFT)
Created: 21. April 2009
Author: fmeschbe
JIRA: SLING-938, SLING-939
References: Sling Dev: Refining the authentication process, Authentication
Updated:
- 24. April 2009, fmeschbe, Rename Authenticator.requestAuthentication method to login and add NoAuthenticationHandler exception
...
```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * The <code>Authenticator</code> interface defines the service interface of the
 * authenticator used by the Sling engine. This service provides a method to
 * find an {@link AuthenticationHandler} and call its
 * {@link AuthenticationHandler#requestAuthentication(HttpServletRequest, HttpServletResponse)}
 * method.
 * <p>
 * This interface is not intended to be implemented by applications but may be
 * used to initiate the authentication process from a request processing servlet
 * or script.
 *
 * @since 2.0.4
 */
public interface Authenticator {

    /**
     * Finds an {@link AuthenticationHandler} for the given request and calls its
     * {@link AuthenticationHandler#requestAuthentication(HttpServletRequest, HttpServletResponse)}
     * method to initiate an authentication process with the client.
     * <p>
     * This method must be called on an uncommitted response since the
     * implementation may want to reset the response to start the authentication
     * process with a clean response. If the response is already committed an
     * <code>IllegalStateException</code> is thrown.
     * <p>
     * After this method has finished, request processing should be terminated
     * and the response be considered committed and finished.
     *
     * @param request The object representing the client request.
     * @param response The object representing the response to the client.
     * @throws NoAuthenticationHandlerException If no authentication handler
     *             claims responsibility to authenticate the request.
     * @throws IllegalStateException If the response has already been committed.
     */
    public void login(HttpServletRequest request, HttpServletResponse response);
}
```
This interface is implemented by the SlingAuthenticator class, which is also registered under this service interface. The SlingAuthenticator implementation in fact already has an implementation of this method, which finds an AuthenticationHandler for the request and calls its requestAuthentication method.

The login method has three possible exit states:
Exit State | Description |
---|---|
Normal | An AuthenticationHandler was found for the request and its requestAuthentication method has been called to initiate the authentication process with the client. |
NoAuthenticationHandlerException | No AuthenticationHandler claims responsibility to authenticate the request. |
IllegalStateException | The response has already been committed and the login request cannot be processed. Normally to request login, the current response must be reset and a new response has to be prepared. This is only possible if the response has not yet been committed. |
Generalize sling:authRequestLogin
The request parameter sling:authRequestLogin should be generalized and supported by the SlingAuthenticator: if none of the registered authentication handlers is able to extract credentials, this parameter should cause the authenticator to call the Authenticator.login method to initiate a login process.
...
- The AuthorizationHeaderAuthenticationHandler is modified to render the login form when the requestAuthentication method is called.
- The LoginServlet is modified to just call the Authenticator.login method instead of rendering the form itself. If no Authenticator service is available or if no AuthenticationHandler is willing to perform authentication, the LoginServlet sends back a 403/FORBIDDEN response.
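As an added illustration (not Sling's own code, nor the LoginServlet from this proposal), the servlet below shows how a request-processing servlet drives the login method described above and maps each of its three exit states to a response. The class name, the setter used for OSGi service injection, and the package of NoAuthenticationHandlerException are assumptions; Authenticator and the exception are taken to be in scope.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical servlet, not the project's LoginServlet.
public class ExampleLoginServlet extends HttpServlet {

    // Assumed: injected by the OSGi container; null while no Authenticator
    // service is registered (dynamic reference).
    private volatile Authenticator authenticator;

    public void setAuthenticator(Authenticator authenticator) {
        this.authenticator = authenticator;
    }

    public void unsetAuthenticator(Authenticator authenticator) {
        this.authenticator = null;
    }

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        Authenticator auth = this.authenticator;
        if (auth == null) {
            // No Authenticator service available: nothing can initiate login.
            response.sendError(HttpServletResponse.SC_FORBIDDEN,
                    "No Authenticator service available");
            return;
        }
        if (response.isCommitted()) {
            // login() needs an uncommitted response because it may reset it;
            // nothing useful can be sent to the client any more, so only log.
            log("response already committed; cannot initiate login");
            return;
        }
        try {
            // Normal exit: a handler took over and the response is finished.
            auth.login(request, response);
        } catch (NoAuthenticationHandlerException e) {
            // No handler claims responsibility for this request.
            response.sendError(HttpServletResponse.SC_FORBIDDEN,
                    "No authentication handler willing to authenticate");
        } catch (IllegalStateException e) {
            // Response was committed after the check above; fail closed.
            log("response committed during login initiation", e);
        }
    }
}
```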