If the httpauth bundle *is* still needed, then it might need revision,
as it appears to interpret the "sling:authRequestLogin" request
parameter in a way that conflicts with other authentication handlers.

The request parameter "sling:authRequestLogin" is currently documented
as a way to select which AuthenticationHandler receives a
requestCredentials call. The OpenID authentication handler uses it in
this fashion.

However, httpauth's AuthorizationHeaderAuthenticationHandler uses it in
another way. If "sling:authRequestLogin" is any non-null value, then its
extractCredentials method requests basic authentication and returns
"AuthenticationInfo.DOING_AUTH". Since extractCredentials calls occur
first, this effectively blocks the requestCredentials logic.

For example, using a current build of Sling trunk, with my only change
being to open "/system/sling/openid/login" to anonymous access, I find
that immediately after I submit the OpenID login form, I receive a basic
authentication prompt from the browser. Only after I stop the
org.apache.sling.httpauth bundle can OpenID authentication proceed as
documented.

What's the recommendation here?

Thanks,
Ray

On 7/2/10 9:45 AM, Ian Boston wrote:
Hi
I notice that the extension http auth bundle is still in list.xml, however the
Authentication handler does http basic by default if all else fails?
Are both still needed?
Ian
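
A simplified model of the dispatch order Ray describes, added here as an illustration and not code from Sling or from either poster. The `Handler` interface, the `dispatch` method and the parameter values "BASIC" and "OpenID" are assumptions standing in for the real SPI, and `basicOwnValue` is one hypothetical revision, not the project's fix.

```java
import java.util.List;
import java.util.Map;

// Simplified model only: these are NOT the Sling SPI types.
public class AuthRequestLoginModel {
    static final String PARAM = "sling:authRequestLogin";
    static final String DOING_AUTH = "DOING_AUTH"; // stands in for AuthenticationInfo.DOING_AUTH

    interface Handler {
        String name();
        String extractCredentials(Map<String, String> params); // null = nothing to report
    }

    // Behaviour described in the thread: ANY non-null value triggers a basic-auth challenge.
    static final Handler basicAnyValue = new Handler() {
        public String name() { return "BASIC"; }
        public String extractCredentials(Map<String, String> p) {
            return p.get(PARAM) != null ? DOING_AUTH : null;
        }
    };

    // Hypothetical revision: react only when the parameter names this handler.
    static final Handler basicOwnValue = new Handler() {
        public String name() { return "BASIC"; }
        public String extractCredentials(Map<String, String> p) {
            return "BASIC".equalsIgnoreCase(p.get(PARAM)) ? DOING_AUTH : null;
        }
    };

    // OpenID handler before login: no credentials to extract yet.
    static final Handler openId = new Handler() {
        public String name() { return "OpenID"; }
        public String extractCredentials(Map<String, String> p) { return null; }
    };

    // extractCredentials runs on every handler first; the parameter-based
    // selection of requestCredentials is reached only if none of them responds.
    static String dispatch(List<Handler> handlers, Map<String, String> params) {
        for (Handler h : handlers)
            if (h.extractCredentials(params) != null)
                return h.name() + " answered in extractCredentials (selection never runs)";
        for (Handler h : handlers)
            if (h.name().equalsIgnoreCase(params.get(PARAM)))
                return h.name() + ".requestCredentials called";
        return "no handler selected";
    }

    public static void main(String[] args) {
        Map<String, String> params = Map.of(PARAM, "OpenID"); // constructed request
        System.out.println(dispatch(List.of(basicAnyValue, openId), params));
        System.out.println(dispatch(List.of(basicOwnValue, openId), params));
    }
}
```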