On 2 Feb 2010, at 19:16, Felix Meschberger (JIRA) wrote:

> 
> [ https://issues.apache.org/jira/browse/SLING-1116?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12828725#action_12828725 ]
> 
> Felix Meschberger commented on SLING-1116:
> ------------------------------------------
> 
> Cool. Looking forward for something to commit ;-)
> 
> Re 2: If we set an expiration time on the cookie, it is not a session cookie 
> any more. Maybe the expiration time in the hash is enough?
> 
> Re 3: Would it make sense to store the tokens in the repository? This would 
> "fix" the cluster issue - would it create others?

Some comments, but I don't want to stop Eric commenting since he's done most of 
the work here. (which made me fix my own bugs :))

1. Location in the repo needs to be super safe, e.g. not accessible over http, 
and probably not the main repo? I would hate to see someone downloading the 
keys.
2. Token storage would need to be split, so each server had its own write area 
and all servers could read all the others' keys, to avoid contention.


> 
> Re 5: Would that be a single custom attribute? With a customizable name?

IMHO, the value of the attribute needs to be a class that is protected to avoid 
being hijacked, e.g. a static final inner class, package protected, private to the 
bundle, with a private constructor, and the login module binding to that internal 
class. I don't really know if that's secure enough.

All yours Eric,
Ian

> 
> Re 6: perfect.
> 
> Again, thanks
> 
>> FORM Based Authentication
>> -------------------------
>> 
>>                Key: SLING-1116
>>                URL: https://issues.apache.org/jira/browse/SLING-1116
>>            Project: Sling
>>         Issue Type: New Feature
>>         Components: Extensions
>>           Reporter: Eric Norman
>>           Assignee: Felix Meschberger
>>        Attachments: org.apache.sling.cookieauth.zip, 
>> org.apache.sling.sessionauth.zip, SLING_1116_jackrabbit_server_patch.txt, 
>> updated_org.apache.sling.cookieauth.zip
>> 
>> 
>> This is a new bundle that provides an implementation of form-based 
>> authentication for Sling.
>> The login/logout servlets from org.apache.sling.commons.auth are used.
>> The AuthenticationHandler will use HTTP basic auth credentials if they are 
>> on the request; otherwise it will use the user/pwd posted from the login 
>> form.
>> The login form HTML is generated by a set of scripts:
>> 1. login.html.esp - full login page (includes login_body.html.esp for 
>> the form markup)
>> 2. login_body.html.esp - just the login form, which may be useful for 
>> drawing the login form in an ajax context
>> 3. loginError.html.esp - full login-error page
>> 4. loginError_body.html.esp - just the login-error form, for a login error in 
>> an ajax context
>> The above scripts are included as bundle-resources @ 
>> /libs/sling/servlet/default
>> The bundle also has a couple of test scripts to show some examples of usage:
>> 1. loginTest.html.esp - shows who is logged in and links to login or logout
>> 2. loginTest2.html.esp - shows how a script can check permissions and show a 
>> login page if the anonymous user doesn't have permission to see the page.
>> Some examples of usage are:
>> 1. http://host:port/path/to/node.login.html - show the login page and then 
>> go to http://host:port/path/to/node after authentication
>> 2. http://host:port/path/to/node.login.html?s=.edit.html - show the login 
>> page and then go to http://host:port/path/to/node.edit.html after 
>> authentication
>> 3. http://host:port/system/sling/logout - invalidate the session and switch 
>> back to the anonymous user
> 
> -- 
> This message is automatically generated by JIRA.
> -
> You can reply to this email to add a comment to the issue online.
> 
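The token layout Felix asks about in Re 2, as an added example that is not part of this thread or of the Sling bundle: the cookie stays a session cookie (no Expires attribute), the expiry is carried inside the cookie value and bound to it with an HMAC under a server-side key, so a stale or edited token fails verification regardless of what the browser does with the cookie. The "expiry@user#mac" layout, the key handling and the function names are assumptions for illustration; the key itself would live in the protected repository area Ian describes, never anywhere reachable over HTTP.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Assumed server-side secret (hypothetical); generated fresh here so the
# example runs offline. It must never be served from a web-reachable path.
SERVER_KEY = secrets.token_bytes(32)


def issue_token(user_id: str, lifetime_seconds: int,
                key: bytes = SERVER_KEY, now: Optional[float] = None) -> str:
    """Build a cookie value "<expiry>@<user>#<hex hmac>".

    The expiry is a Unix timestamp inside the authenticated payload, so the
    cookie itself carries no Expires attribute and remains a session cookie.
    """
    current = int(now if now is not None else time.time())
    payload = f"{current + lifetime_seconds}@{user_id}"
    mac = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}#{mac}"


def validate_token(token: str, key: bytes = SERVER_KEY,
                   now: Optional[float] = None) -> Optional[str]:
    """Return the user id if the token is authentic and unexpired, else None.

    The MAC is checked before the expiry so a forged expiry is rejected on
    the same path as any other tampering; compare_digest avoids timing leaks.
    """
    try:
        payload, mac = token.rsplit("#", 1)
        expiry_str, user_id = payload.split("@", 1)
        expiry = int(expiry_str)
    except ValueError:
        return None  # malformed: wrong separators or non-numeric expiry
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None  # tampered payload or token issued under another key
    current = now if now is not None else time.time()
    if current >= expiry:
        return None  # authentic but stale; server enforces the lifetime
    return user_id
```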
