Hi,

On 02.02.2010 22:44, Ian Boston wrote:
>
> On 2 Feb 2010, at 19:16, Felix Meschberger (JIRA) wrote:
>
>>
>> [ https://issues.apache.org/jira/browse/SLING-1116?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12828725#action_12828725 ]
>>
>> Felix Meschberger commented on SLING-1116:
>> ------------------------------------------
>>
>> Cool. Looking forward to something to commit ;-)
>>
>> Re 2: If we set an expiration time on the cookie, it is not a session cookie
>> any more. Maybe the expiration time in the hash is enough?
>>
>> Re 3: would it make sense to store the tokens in the repository? This would
>> "fix" the cluster issue - would it create others?
>
> Some comments, but I don't want to stop Eric commenting since he's done most
> of the work here. (which made me fix my own bugs :))
>
> 1. Location in the repo needs to be super safe, eg not accessible over http,
> and probably not the main repo? I would hate to see someone downloading the
> keys.

Absolutely agreed.

Maybe -- for simplicity -- we might start with just an in-memory table (as
probably intended in the first place) and tackle the cluster stuff in a second
step.

> 2. Token storage would need to be split, so each server had its own write
> area and all servers could read all others' keys, to avoid contention.

Sounds like a good solution, yes.

>>
>> Re 5: would that be a single custom attribute? with a customizable name?
>
> IMHO, the value of the attribute needs to be a class that is protected to
> avoid being hijacked. eg static final inner class, package protected, private
> to the bundle with a private constructor. The login module binding to that
> internal class. I don't really know if that's secure enough.

So the login module could validate the class object by just comparing it using
"==". To me this sounds like a good compromise between security and simplicity.

Regards
Felix

>
> All yours Eric,
> Ian
>
>>
>> Re 6: perfect.
>>
>> Again, thanks
>>
>>> FORM Based Authentication
>>> -------------------------
>>>
>>> Key: SLING-1116
>>> URL: https://issues.apache.org/jira/browse/SLING-1116
>>> Project: Sling
>>> Issue Type: New Feature
>>> Components: Extensions
>>> Reporter: Eric Norman
>>> Assignee: Felix Meschberger
>>> Attachments: org.apache.sling.cookieauth.zip, org.apache.sling.sessionauth.zip,
>>> SLING_1116_jackrabbit_server_patch.txt, updated_org.apache.sling.cookieauth.zip
>>>
>>>
>>> This is a new bundle that provides an implementation of forms based
>>> authentication for sling.
>>> The login/logout servlets from the org.apache.sling.commons.auth are used.
>>> The AuthenticationHandler will use http basic auth credentials if they are
>>> on the request, otherwise it will use the user/pwd posted from the login
>>> form.
>>> The login form html is generated by a set of scripts
>>> 1. login.html.esp - full login page (includes login_body.html.esp for the form markup)
>>> 2. login_body.html.esp - just the login form, which may be useful for drawing the login form in an ajax context
>>> 3. loginError.html.esp - full login-error page
>>> 4. loginError_body.html.esp - just the login-error form, for login errors in an ajax context
>>> The above scripts are included as bundle-resources @ /libs/sling/servlet/default
>>> The bundle also has a couple of test scripts to show some examples of usage:
>>> 1. loginTest.html.esp - shows who is logged in and links to login or logout
>>> 2. loginTest2.html.esp - shows how a script can check permissions and show a login page if the anonymous user doesn't have permission to see the page.
>>> Some examples of usage are:
>>> 1. http://host:port/path/to/node.login.html - show the login page and then go to http://host:port/path/to/node after authenticated
>>> 2. http://host:port/path/to/node.login.html?s=.edit.html - show the login page and then go to http://host:port/path/to/node.edit.html after authenticated
>>> 3. http://host:port/system/sling/logout - invalidate the session and switch back to anonymous user
>>
>> --
>> This message is automatically generated by JIRA.
>> -
>> You can reply to this email to add a comment to the issue online.
>>
>
>
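To make the "expiration time in the hash" idea and the in-memory token table concrete, here is an added, stand-alone Java sketch. It is not code from the SLING-1116 attachments or from Sling itself; the token layout (user:expiresMillis:base64url(HMAC-SHA256)), the per-server secret, the ConcurrentHashMap table and all class and method names are assumptions made for this illustration. The cookie carrying the token is set without Max-Age/Expires (a session cookie), while the signed expiry inside the token bounds its lifetime regardless of what the browser does.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/**
 * Illustrative cookie-token scheme for form-based login (example code, not
 * Sling's implementation). The cookie is a session cookie; the expiry is
 * part of the HMAC-protected payload, so it cannot be extended by the client.
 */
public class TokenAuth {
    private static final String HMAC = "HmacSHA256";
    private final SecretKeySpec key;                                    // per-server secret, memory only
    private final Map<String, String> issued = new ConcurrentHashMap<>(); // token -> user (in-memory table)

    public TokenAuth(byte[] secret) { this.key = new SecretKeySpec(secret, HMAC); }

    public static byte[] newSecret() {
        byte[] s = new byte[32];
        new SecureRandom().nextBytes(s);
        return s;
    }

    /** Issue "user:expiresMillis:base64url(hmac(user:expiresMillis))" and remember it. */
    public String issue(String user, long nowMillis, long ttlMillis) {
        if (user.indexOf(':') >= 0) throw new IllegalArgumentException("user id must not contain ':'");
        String payload = user + ":" + (nowMillis + ttlMillis);
        String token = payload + ":" + Base64.getUrlEncoder().withoutPadding().encodeToString(mac(payload));
        issued.put(token, user);
        return token;
    }

    /** Returns the user for a well-formed, correctly signed, unexpired, still-issued token; null otherwise. */
    public String validate(String token, long nowMillis) {
        if (token == null) return null;
        int last = token.lastIndexOf(':');
        int mid = last > 0 ? token.lastIndexOf(':', last - 1) : -1;
        if (mid <= 0) return null;
        String payload = token.substring(0, last);
        long exp;
        byte[] given;
        try {
            exp = Long.parseLong(token.substring(mid + 1, last));
            given = Base64.getUrlDecoder().decode(token.substring(last + 1));
        } catch (IllegalArgumentException e) {           // NumberFormatException is a subclass
            return null;
        }
        if (!MessageDigest.isEqual(mac(payload), given)) return null; // constant-time compare, checked first
        if (nowMillis >= exp) { issued.remove(token); return null; }  // signed expiry wins over cookie lifetime
        if (!issued.containsKey(token)) return null;                  // logged out, or server restarted
        return token.substring(0, mid);
    }

    /** Logout: drop the token from the table; the signature alone is no longer enough. */
    public void revoke(String token) { issued.remove(token); }

    private byte[] mac(String data) {
        try {
            Mac m = Mac.getInstance(HMAC);
            m.init(key);
            return m.doFinal(data.getBytes(StandardCharsets.UTF_8));
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) {
        TokenAuth auth = new TokenAuth(newSecret());
        long now = System.currentTimeMillis();
        long ttl = 30 * 60 * 1000L;
        String t = auth.issue("admin", now, ttl);
        System.out.println("valid now:     " + auth.validate(t, now));                      // admin
        System.out.println("tampered user: " + auth.validate(t.replace("admin", "root"), now)); // null
        auth.revoke(t);
        System.out.println("after logout:  " + auth.validate(t, now));                      // null
        String t2 = auth.issue("admin", now, ttl);
        System.out.println("after expiry:  " + auth.validate(t2, now + ttl + 1));           // null
    }
}
```

Two things the sketch makes visible that the thread only hints at: the signature is verified before anything else is trusted, so a client cannot even get the server to parse an expiry it did not sign; and because the table lives in one JVM, a second cluster node cannot validate tokens issued by the first, which is exactly the split-storage problem Ian raises under point 2.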
