Author: buildbot
Date: Mon Apr 29 01:14:58 2013
New Revision: 860247

Log:
Staging update by buildbot for sling

Modified:
    websites/staging/sling/trunk/content/   (props changed)
    websites/staging/sling/trunk/content/documentation/the-sling-engine/authentication/authentication-authenticationhandler/form-based-authenticationhandler.html
    websites/staging/sling/trunk/content/site/.htaccess

Propchange: websites/staging/sling/trunk/content/
------------------------------------------------------------------------------
--- cms:source-revision (original)
+++ cms:source-revision Mon Apr 29 01:14:58 2013
@@ -1 +1 @@
-1476874
+1476875

Modified: 
websites/staging/sling/trunk/content/documentation/the-sling-engine/authentication/authentication-authenticationhandler/form-based-authenticationhandler.html
==============================================================================
--- 
websites/staging/sling/trunk/content/documentation/the-sling-engine/authentication/authentication-authenticationhandler/form-based-authenticationhandler.html
 (original)
+++ 
websites/staging/sling/trunk/content/documentation/the-sling-engine/authentication/authentication-authenticationhandler/form-based-authenticationhandler.html
 Mon Apr 29 01:14:58 2013
@@ -99,7 +99,7 @@
 <p>The Form Based AuthenticationHandler has two authentication phases: The 
first phase is presenting a login form to the user and passing the entered user 
name and password to the server. The second phase is storing successful 
authentication in a Cookie or an HTTP Session.</p>
 <p>The implementation of the Form Based Authentication Handler follows the 
guidelines of the Servlet API 2.4 specification for <em>Form Based 
Authentication</em> in section SRV.12.5.3. Specifically the following 
requirements are implemented:</p>
 <ul>
-<li>For the initial form submission, the request URL must end with 
<code>/j*security*check</code> and the user name and password names must be 
<code>j*username</code> and <code>j*password</code>, resp.</li>
+<li>For the initial form submission, the request URL must end with 
<code>/j_security_check</code> and the user name and password names must be 
<code>j_username</code> and <code>j_password</code>, resp.</li>
 <li>The authentication type as returned by 
<code>HttpServletRequest.getAuthType()</code> is set to 
<code>HttpServletRequest.FORM_AUTH</code>.</li>
 </ul>
 <p>The Form Based Authentication Handler is maintained in the <a 
href="http://svn.apache.org/repos/asf/sling/trunk/bundles/auth/form";>Sling 
SVN</a></p>
@@ -115,11 +115,11 @@
 <li><code>authenticationSucceeded</code> -- Set (or update) the Cookie or HTTP 
Session attribute</li>
 </ul>
 <h3 id="phase-1-form-submission">Phase 1: Form Submission</h3>
-<p>The login form submitted in phase 1 to validate the user name and password 
must be provided in an HTTP <code>POST</code> request to an URL whose last 
segment is <code>j*security*check</code>. The request is ignored as a form 
submission if either the method is not <code>POST</code> or the last segment is 
no <code>j*security*check</code>.</p>
+<p>The login form submitted in phase 1 to validate the user name and password 
must be provided in an HTTP <code>POST</code> request to an URL whose last 
segment is <code>j_security_check</code>. The request is ignored as a form 
submission if either the method is not <code>POST</code> or the last segment is 
no <code>j_security_check</code>.</p>
 <p>The form is rendered by redirecting the client to the URL indicated by the 
<code>form.login.form</code> configuration parameter. This redirection request 
may accompanyied by the following parameters:</p>
 <ul>
 <li><code>resource</code> -- The resource to which the user should be 
redirected after successful login. This request parameter should be submitted 
back to the server as the <code>resource</code> parameter.</li>
-<li><code>j*reason</code> -- This parameter indicates the reason for rendering 
the login form. If this parameter is set, it is set to 
<code>INVALID*CREDENTIALS</code> indicating a previous form submission 
presented invalid username and password or <code>TIMEOUT</code> indicating a 
login session has timed out. The login form servlet/script can present the user 
with an appropriate message.</li>
+<li><code>j_reason</code> -- This parameter indicates the reason for rendering 
the login form. If this parameter is set, it is set to 
<code>INVALID_CREDENTIALS</code> indicating a previous form submission 
presented invalid username and password or <code>TIMEOUT</code> indicating a 
login session has timed out. The login form servlet/script can present the user 
with an appropriate message.</li>
 </ul>
 <p>The Form Based Authentication Handlers supports the following request 
parameters submitted by the HTML form:</p>
 <ul>
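Review bot: the rewritten "Phase 1: Form Submission" paragraph still ends with "the last segment is no j_security_check", which should read "is not", and "an URL" in the same paragraph should be "a URL". The unchanged context in this hunk has two more typos worth fixing in the same pass: "may accompanyied by" should be "may be accompanied by", and "The Form Based Authentication Handlers supports" should be "Handler supports". Since the log marks this as a buildbot staging update, the corrections belong in the CMS source rather than in the generated HTML.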
@@ -129,7 +129,7 @@
 <li><code>resource</code> -- The location to go to on successful login</li>
 <li><code>sling.auth.redirect</code> -- The location to redirect to on 
successful login</li>
 </ul>
-<p>The <code>j*username</code> and <code>j*password</code> parameters are used 
to create a JCR <code>SimpleCredentials</code> object to log into the JCR 
Repository.</p>
+<p>The <code>j_username</code> and <code>j_password</code> parameters are used 
to create a JCR <code>SimpleCredentials</code> object to log into the JCR 
Repository.</p>
 <p>The <code>j_validate</code> parameter may be used to implement login form 
submission using AJAX. If this parameter is set to <code>true</code> 
(case-insensitive) the credentials are used to login and after success or 
failure to return a status code:</p>
 <table>
 <thead>
@@ -169,7 +169,7 @@
 </tbody>
 </table>
 <p>The <code>resource</code> and <code>sling.auth.redirect</code> parameters 
provide similar functionality but with differing historical backgrounds. The 
<code>resource</code> parameter is based on the <code>resource</code> request 
attribute which is set by the login servlet to indicate the original target 
resource the client desired when it was forced to authenticate. The 
<code>sling.auth.redirect</code> parameter can be used by clients (applications 
like cURL or plain HTML forms) to request being redirected after successful 
login. If both parameters are set, the <code>sling.auth.redirect</code> 
parameter takes precedence.</p>
-<p>The Form Based Authentication Handler contains a <a 
href="http://svn.apache.org/repos/asf/sling/trunk/bundles/auth/form/src/main/java/org/apache/sling/auth/form/impl/AuthenticationFormServlet.java";>default
 form servlet</a> and [HTML form template 
from|http://svn.apache.org/repos/asf/sling/trunk/bundles/auth/form/src/main/resources/org/apache/sling/auth/form/impl/login.html].</p>
+<p>The Form Based Authentication Handler contains a <a 
href="http://svn.apache.org/repos/asf/sling/trunk/bundles/auth/form/src/main/java/org/apache/sling/auth/form/impl/AuthenticationFormServlet.java";>default
 form servlet</a> and <a 
href="http://svn.apache.org/repos/asf/sling/trunk/bundles/auth/form/src/main/resources/org/apache/sling/auth/form/impl/login.html";>HTML
 form template</a>.</p>
 <h3 id="phase-2-authenticated-requests">Phase 2: Authenticated Requests</h3>
 <p>After the successful authentication of the user in phase 1, the 
authentication state is stored in a Cookie or an HTTP Session. The stored value 
is a security token with the following contents:</p>
 <div class="codehilite"><pre><span class="n">HmacSHA1</span><span 
class="p">(</span><span class="n">securetoken</span><span class="p">,</span> 
<span class="sr">&lt;securetokennumber&gt;&lt;expirytime&gt;</span><span 
class="nv">@</span><span class="err">&lt;</span><span 
class="nv">userID</span><span class="o">&gt;</span><span 
class="p">)</span><span class="nv">@</span><span class="err">&lt;</span><span 
class="nv">securetokennumber</span><span class="o">&gt;</span><span 
class="sr">&lt;expirytime&gt;</span><span class="nv">@</span><span 
class="err">&lt;</span><span class="nv">userID</span><span class="o">&gt;</span>
@@ -247,7 +247,7 @@
 </ol>
 <p>To prevent eavesdroppers from sniffing the credentials or stealing the 
Cookie a secure transport layer should be used such as TLS/SSL, VPN or 
IPSec.</p>
       <div class="timestamp" style="margin-top: 30px; font-size: 80%; 
text-align: right;">
-        Rev. 1475804 by dklco on Thu, 25 Apr 2013 14:45:50 +0000
+        Rev. 1476875 by dklco on Mon, 29 Apr 2013 01:14:52 +0000
       </div>
       <div class="trademarkFooter"> 
         Apache Sling, Sling, Apache, the Apache feather logo, and the Apache 
Sling project

Modified: websites/staging/sling/trunk/content/site/.htaccess
==============================================================================
--- websites/staging/sling/trunk/content/site/.htaccess (original)
+++ websites/staging/sling/trunk/content/site/.htaccess Mon Apr 29 01:14:58 2013
@@ -21,3 +21,4 @@ Redirect Permanent /site/adapters.html /
 Redirect Permanent /site/apache-sling-commons-thread-pool.html 
/documentation/bundles/apache-sling-commons-thread-pool.html
 Redirect Permanent /site/apache-sling-community-roles-and-processes.html 
/project-information/apache-sling-community-roles-and-processes.html
 Redirect Permanent /site/authentication-actors.html 
/documentation/the-sling-engine/authentication/authentication-actors.html
+Redirect Permanent /site/form-based-authenticationhandler.html 
/documentation/the-sling-engine/authentication/authentication-authenticationhandler/form-based-authenticationhandler.html
\ No newline at end of file
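Review bot: the added Redirect Permanent rule for /site/form-based-authenticationhandler.html is the last line of .htaccess and the file ends without a newline ("\ No newline at end of file"). Add a trailing newline so that a rule appended later cannot be joined onto this one and so that the next diff touches only the new line.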

