Hi, one of the options in a Sling Authentication handler is to create the session itself and pass it via "user.jcr.session" [1] in the AuthenticationInfo. But this session is never closed automatically by Sling, forcing you to also write yet-another ServletFilter that closes the session at the end of the request, which is ugly.
So I am proposing a new option "user.jcr.session.close" that one can set which would close the session. The change would be simple: in [2] set logoutSession = true if this flag is present.

IMO closing by default would make more sense, not sure if we can do that... WDYT?

Background: Passing an existing session is the most generic way to login for an auth handler, but due to the non-auto-closing, it's impractical. Also, this is my current requirement, you can use Jackrabbit's TokenCredentials and verify attributes - these are added back to the credentials objects _after_ the login, which happens _after_ the authentication handler and all authentication post processors, so no chance for me to do some validation on them inside the auth handler. Unless I want to create an extra throw-away session just for the check - which is a waste to do for every single request.

[1] https://github.com/apache/sling/blob/trunk/bundles/jcr/resource/src/main/java/org/apache/sling/jcr/resource/JcrResourceConstants.java#L107
[2] https://github.com/apache/sling/blob/5b48c807c29241324a11b0056d0d10f4609780a1/bundles/jcr/resource/src/main/java/org/apache/sling/jcr/resource/internal/helper/jcr/JcrResourceProviderFactory.java#L337

Cheers,
Alex
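The pattern described in the message above, sketched as an added example (not part of the original message and not Sling's own code): a handler that logs in itself, validates a TokenCredentials attribute after login, passes the session via "user.jcr.session", and relies on a separate filter to close it. The class names, the request attribute, the header and the "example.ip" token attribute are hypothetical, and the Repository is assumed to be injected.

```java
import java.io.IOException;
import javax.jcr.*;
import javax.servlet.*;
import javax.servlet.http.*;
import org.apache.jackrabbit.api.security.authentication.token.TokenCredentials;
import org.apache.sling.auth.core.spi.*;

public class SessionPassingAuthHandler implements AuthenticationHandler {
    // Hypothetical request attribute that tells the filter which session this handler owns.
    static final String OWNED_SESSION = "example.auth.ownedSession";
    private final Repository repository; // assumed to be injected (e.g. by OSGi DS)

    public SessionPassingAuthHandler(Repository repository) { this.repository = repository; }

    public AuthenticationInfo extractCredentials(HttpServletRequest req, HttpServletResponse res) {
        String token = req.getHeader("X-Example-Token"); // hypothetical credential source
        if (token == null) return null;                  // not ours, let other handlers try
        TokenCredentials creds = new TokenCredentials(token);
        try {
            Session session = repository.login(creds);
            // Token attributes are only available on the credentials after login.
            if (!req.getRemoteAddr().equals(creds.getAttribute("example.ip"))) {
                session.logout();                        // never leak the rejected session
                return AuthenticationInfo.FAIL_AUTH;
            }
            AuthenticationInfo info = new AuthenticationInfo("EXAMPLE", session.getUserID());
            info.put("user.jcr.session", session);       // Sling uses it but does not close it
            req.setAttribute(OWNED_SESSION, session);
            return info;
        } catch (RepositoryException e) {
            return AuthenticationInfo.FAIL_AUTH;
        }
    }

    public boolean requestCredentials(HttpServletRequest req, HttpServletResponse res) { return false; }
    public void dropCredentials(HttpServletRequest req, HttpServletResponse res) { }

    /** The extra filter: closes the handler-owned session once the request is done. */
    public static class CloseFilter implements Filter {
        public void init(FilterConfig cfg) { }
        public void destroy() { }
        public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
                throws IOException, ServletException {
            try {
                chain.doFilter(rq, rs);
            } finally {                                  // runs on errors as well
                Object s = rq.getAttribute(OWNED_SESSION);
                if (s instanceof Session && ((Session) s).isLive()) ((Session) s).logout();
            }
        }
    }
}
```

If the filter is missing or not registered around every request the handler serves, each authenticated request leaves one live repository session behind.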