[ https://issues.apache.org/jira/browse/SLING-1593?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12889082#action_12889082 ]
Mike Müller commented on SLING-1593: ------------------------------------ Please have a look at the patch. There are several questions open to this issue: * DefaultAuthenticationFeedbackHandler.handleRedirect is called after CredentialValidator#validate, but impersonation is now done after validation before getting the resource resolver. Before this was done after getting the resource resolver because validation and getting the resource resolver was one step. I'm not sure if this could lead to any compatibility issues? * Is the old mechanism to close the JCR sessions still needed? JcrSessionCollector implements the SlingRequestListener interface and collects all JCR sessions after getting EVENT_DESTROY. * Should we call CredentialValidator#validate even if we use an anonymous user? > Decouple authentication mechanism from JCR > ------------------------------------------ > > Key: SLING-1593 > URL: https://issues.apache.org/jira/browse/SLING-1593 > Project: Sling > Issue Type: Improvement > Components: API, Commons, JCR > Reporter: Mike Müller > Assignee: Mike Müller > Attachments: sling-1593.patch > > > Felix made a good proposal how to decouple the authentication mechanism from > JCR at [1] after the discussion at [2]. The remaining issue there was how to > ensure JCR sessions which are placed into AuthenticationInfo be closed. To > solve that issue we now can use the new SlingRequestListener [3]. > [1] https://cwiki.apache.org/SLING/user-authentication.html > [2] http://markmail.org/message/aovh7lll4w6uwepv > [3] https://issues.apache.org/jira/browse/SLING-1576 -- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online.