[ 
https://issues.apache.org/jira/browse/JCR-3222?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13194507#comment-13194507
 ] 

Felix Meschberger commented on JCR-3222:
----------------------------------------

> The Sling authentication code needs to be able to take over the entire 
> processing of a request instead of just servicing a getSession() call. 

This is wrong.

The DavexServletService is registered as a servlet service and gets to process 
the request from the service call. A service in OSGi is registered along with an 
OSGi HttpContext object which has a handleSecurity method, which handles 
authentication before the servlet is even called. By having a contextId service 
property, a whiteboard servlet service can refer to a whiteboard HttpContext 
service which implements that method accordingly.

Thus my patch allows plugging in an HttpContext service which we in Sling can 
provide to call the Sling authentication processing. This then makes the 
ResourceResolver and hence the Session available to the servlet.

Inside the servlet, the patch implements the getSessionProvider method to 
return a proxy SessionProvider which either provides a registered 
SessionProvider service or returns the default from the parent class. Sling 
will then provide a SessionProvider service which knows about the Sling 
authentication and can extract the session from the ResourceResolver.

Existing uses of the JcrRemotingServlet need not be changed, nor does the 
JcrRemotingServlet. Everything is done in the DavexServletService with proper 
OSGi oriented actions -- except for the ResourceResolver defined as a request 
attribute, which we already have.
                
> Allow servlet filters to specify custom session providers
> ---------------------------------------------------------
>
>                 Key: JCR-3222
>                 URL: https://issues.apache.org/jira/browse/JCR-3222
>             Project: Jackrabbit Content Repository
>          Issue Type: Improvement
>          Components: jackrabbit-jcr-server
>            Reporter: Jukka Zitting
>            Priority: Minor
>         Attachments: JCR-3222-fmeschbe.patch, 
> jackrabbit-jcr-server-2.6-SNAPSHOT.jar
>
>
> In order to integrate the Jackrabbit davex server functionality with their 
> custom authentication logic, the Sling project currently needs to embed and 
> subclass the davex servlet classes. It would be cleaner if such tight 
> coupling wasn't needed.
> One way to achieve something like that would be to allow external components 
> to provide a custom SessionProvider instance as an extra request attribute. 
> This way for example a servlet filter that implements such custom 
> authentication logic could easily make its functionality available to the 
> standard davex servlet in Jackrabbit.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: 
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
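
An added example, not code from the attached patch or from the Jackrabbit or Sling projects, of the proxy SessionProvider idea described in the comment above: prefer a registered SessionProvider service, otherwise use the servlet's default, and release each session through the provider that issued it even if the service was unregistered in between. The class name DelegatingSessionProvider and its bind/unbind methods are hypothetical; only the org.apache.jackrabbit.server.SessionProvider interface is Jackrabbit's.

```java
import java.util.Collections;
import java.util.IdentityHashMap;
import java.util.Map;
import java.util.concurrent.atomic.AtomicReference;
import javax.jcr.LoginException;
import javax.jcr.Repository;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import org.apache.jackrabbit.server.SessionProvider;

/** Hypothetical proxy: registered SessionProvider service if present, else the default. */
public class DelegatingSessionProvider implements SessionProvider {

    private final SessionProvider fallback; // default provider from the parent servlet
    private final AtomicReference<SessionProvider> registered = new AtomicReference<>();

    // Tracks which provider issued each session (identity-keyed, thread-safe).
    private final Map<Session, SessionProvider> owners =
            Collections.synchronizedMap(new IdentityHashMap<Session, SessionProvider>());

    public DelegatingSessionProvider(SessionProvider fallback) {
        this.fallback = fallback;
    }

    // Assumed to be called by whatever tracks the OSGi SessionProvider service.
    public void bind(SessionProvider provider) { registered.set(provider); }
    public void unbind(SessionProvider provider) { registered.compareAndSet(provider, null); }

    @Override
    public Session getSession(HttpServletRequest request, Repository repository, String workspace)
            throws LoginException, ServletException, RepositoryException {
        SessionProvider active = registered.get();
        if (active == null) {
            active = fallback;
        }
        Session session = active.getSession(request, repository, workspace);
        if (session != null) {
            owners.put(session, active);
        }
        return session;
    }

    @Override
    public void releaseSession(Session session) {
        // Route the release to the issuing provider, not to whichever is bound now.
        SessionProvider owner = owners.remove(session);
        (owner != null ? owner : fallback).releaseSession(session);
    }
}
```
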
