Felix Meschberger wrote:
> 
> My biggest concern with this was (and still is) loss of performance if
> logging two logins would be required for each request. We can "fix"
> this issue, if we defined an API to act as an intermediary, e.g.
> something like:
> 
>    public interface CredentialValidator {
>        public AuthenticationInfo validate(
>             AuthenticationInfo credentials)
>             throws LoginException;
>    }
> 
> This service interface would be implemented by a JCR based
> implementation using Repository.login to validate and would be used by the
> SlingAuthenticator to validate the credentials.
> 
> The AuthenticationInfo returned might contain the session acquired
> during validation and be set as a request attribute. That request
> attribute would be picked up by the SlingMainServlet to hand over to the
> ResourceResolverFactory.getResourceResolver(Map) method.
> 
> One issue remains: disposal of the Session placed into the
> AuthenticationInfo object by the validate method. But this can be
> solved, I am sure ...
> 
> More details (aka words) at [1]
> 
Yes, this looks fine to me - this has another advantage - it is possible to
create a resource resolver through the factory by passing in a
session. So the old use case, having a session and then creating a
resource resolver on top of it, would be covered with the new API as
well. (I think one rarely needs this with the great Sling API, but
nevertheless it would be possible).

Carsten

-- 
Carsten Ziegeler
cziege...@apache.org
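
The validate-once flow proposed in the quoted message, as an added example that is not part of the thread or of Sling's code: the nested types are stand-ins for the JCR and Sling classes, and the `auth.info` attribute name and the `secret` password check are constructed for illustration. It shows one login per request, a failed validation that creates no session, and disposal of the session in a `finally` block.

```java
import java.util.HashMap;
import java.util.Map;
public class SingleLoginSketch {   // added sketch; all nested types are stand-ins
    static class LoginException extends Exception { LoginException(String m) { super(m); } }
    static class Session {                        // stand-in for a JCR session
        static int logins = 0, open = 0;          // logins performed, sessions not yet closed
        final String user;
        Session(String user) { this.user = user; logins++; open++; }
        void logout() { open--; }
    }
    static class AuthenticationInfo extends HashMap<String, Object> { }
    interface CredentialValidator {
        AuthenticationInfo validate(AuthenticationInfo credentials) throws LoginException;
    }
    // Validator that logs in once and returns the session with the result.
    static class RepositoryValidator implements CredentialValidator {
        public AuthenticationInfo validate(AuthenticationInfo c) throws LoginException {
            if (!"secret".equals(c.get("password"))) {    // constructed check
                throw new LoginException("invalid credentials");
            }
            AuthenticationInfo out = new AuthenticationInfo();
            out.put("user", c.get("user"));               // password is not copied
            out.put("session", new Session((String) c.get("user")));
            return out;
        }
    }
    // One request: validate, hand the session over, always dispose of it.
    static String handle(CredentialValidator v, AuthenticationInfo creds) {
        Map<String, Object> requestAttributes = new HashMap<>();
        try {
            requestAttributes.put("auth.info", v.validate(creds));  // hypothetical attribute name
        } catch (LoginException e) {
            return "401";                                 // fail closed, no session exists
        }
        AuthenticationInfo info = (AuthenticationInfo) requestAttributes.get("auth.info");
        Session session = (Session) info.get("session");
        try {
            return "200 " + session.user;   // a resolver would reuse this session
        } finally {
            session.logout();                             // disposal at end of request
        }
    }
    public static void main(String[] args) {
        AuthenticationInfo creds = new AuthenticationInfo();
        creds.put("user", "alice");
        creds.put("password", "secret");
        String status = handle(new RepositoryValidator(), creds);
        System.out.println(status + ", logins=" + Session.logins + ", open=" + Session.open);
    }
}
```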
