Hi,

Magnus Johansson wrote:
> Hi
> I'm very new to sling so please forgive me if this is a stupid question.

Welcome! And the question is not stupid at all.

> 
> I'm trying to implement form based authentication as an alternative to http
> basic Authentication.
> As far as I understand SlingAuthenticator will redirect to
> /system/sling/login if the user is not
> yet logged in and anonymous access is not enabled. The LoginServlet will
> then call login on the
> AuthenticationHandler (via SlingAuthenticator). This causes some problems
> for me where I
> want a successful authentication to redirect the user back to the original
> page he tried to access.

Actually, what happens is this:

  * Request comes in
  * SlingAuthenticator selects an AuthenticationHandler
  * AuthenticationHandler.authenticate is called
  * The result is used to login
  * On success a session is acquired and all is well
  * On failure, the requestAuthentication method of the
    same AuthenticationHandler is called.

Now, it is the task of the requestAuthentication method to do what is
right for its needs for authentication. It may (as we do in our
closed-source application) redirect to a login page to render the form
and handle the login process. Now this redirect should bear the
originally requested page path - we do this with a request parameter on
the redirect URL as in:

   path/to/login.html?requested=/path/to/requested/page.html

Now the login form can use the user entry to craft the request to login
the user. There are multiple options for this:

  * use AJAX from the form and reload the client document with the
    request URL on success
  * place another request to the originally requested URL adding any
    required parameters to succeed the login

> 
> When the login method on my AuthenticationHandler is called there is no way
> to get the original uri,
> as the user has just been redirected to /system/sling/login
> 
> My question is thus, why does SlingAuthenticator redirect to the
> LoginServlet instead of
> just calling login on the appropriate AuthenticationHandler (this is what
> LoginServlet does anyway).
> If this was the case I could easily temporarily store the original uri in a
> cookie, session or similar to
> be able to redirect the user back after a successful authentication.
> 
> Another question related to implementing alternate authentication methods.
> Is it possible to register
> servlets (under /system/sling for instance) that do not require the user
> to be authenticated even
> if anonymous access on SlingAuthenticator is disabled?

No, if anonymous access is disabled, all requests must be authenticated
in one way or the other. For more fine-grained control on authentication
I suggest you employ access control on the repository.

Hope this helps.

Regards
Felix

> 
> 
> Regards
> Magnus Johansson
> 
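
As an added illustration of the flow Felix describes (this is example code, not Felix's, Magnus's or Sling's own): a form-based AuthenticationHandler whose requestAuthentication redirects to the login form carrying the originally requested path in a `requested` parameter, and whose authenticate method picks the posted credentials up when the form re-requests the original URL. It assumes the Sling engine auth SPI of that era (org.apache.sling.engine.auth.AuthenticationHandler and AuthenticationInfo, with requestAuthentication declaring IOException), and the login page path and the `j_username`/`j_password` field names are this example's choices. The `safeTarget` helper is added so the login page only follows `requested` back to a local path.

```java
import java.io.IOException;
import java.net.URLEncoder;
import javax.jcr.SimpleCredentials;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.sling.engine.auth.AuthenticationHandler;
import org.apache.sling.engine.auth.AuthenticationInfo;

// Assumed: Sling engine auth SPI; page path and form field names are this example's own.
public class FormAuthenticationHandler implements AuthenticationHandler {

    private static final String LOGIN_PAGE = "/content/login.html";
    private static final String REQUESTED_PARAM = "requested";

    // Called first on every request. If the login form posted credentials to the
    // originally requested URL, turn them into JCR credentials for the login.
    public AuthenticationInfo authenticate(HttpServletRequest request,
            HttpServletResponse response) {
        String user = request.getParameter("j_username");
        String pass = request.getParameter("j_password");
        if (user == null || pass == null) {
            return null; // nothing to extract; let SlingAuthenticator decide
        }
        return new AuthenticationInfo("FORM",
                new SimpleCredentials(user, pass.toCharArray()));
    }

    // Called when authenticate() yielded nothing or the login failed:
    // redirect to the form and carry the originally requested path along.
    public boolean requestAuthentication(HttpServletRequest request,
            HttpServletResponse response) throws IOException {
        String target = request.getRequestURI();
        if (request.getQueryString() != null) {
            target += "?" + request.getQueryString();
        }
        response.sendRedirect(LOGIN_PAGE + "?" + REQUESTED_PARAM + "="
                + URLEncoder.encode(target, "UTF-8"));
        return true; // we took care of requesting authentication
    }

    // For the login page's success path: follow "requested" only if it is a
    // local absolute path, never a full URL or a protocol-relative //host form.
    static String safeTarget(String requested, String fallback) {
        if (requested == null || !requested.startsWith("/")
                || requested.startsWith("//") || requested.startsWith("/\\")) {
            return fallback;
        }
        return requested;
    }
}
```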
