[jira] [Commented] (SLING-9622) Avoid registration of auth requirements for aliases and vanity paths

Tue, 04 Aug 2020 05:09:06 -0700 


    [ 
https://issues.apache.org/jira/browse/SLING-9622?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17170761#comment-17170761
 ] 

Carsten Ziegeler commented on SLING-9622:
-----------------------------------------

A different approach would be to let the auth core bundle do the mapping which 
is currently required to be performed by the registrar: when a new auth 
requirement is registered, the auth core bundle will get all mappings for the 
registered path and internally register the auth requirement with all of them.
When the mapping changes, the auth core bundle needs to update the registration.
This would avoid the performance penality on every request, but comes with some 
processing overhead.

> Avoid registration of auth requirements for aliases and vanity paths
> --------------------------------------------------------------------
>
>                 Key: SLING-9622
>                 URL: https://issues.apache.org/jira/browse/SLING-9622
>             Project: Sling
>          Issue Type: Improvement
>          Components: Authentication
>            Reporter: Carsten Ziegeler
>            Assignee: Carsten Ziegeler
>            Priority: Major
>
> Right now when auth requirements are registered, they need to be registered 
> for the resource path, as well as all vanity paths and potentially all 
> combinations of aliases for that path. First of all, this creates potentially 
> a lot of auth requirements for a single path, but as well requires that the 
> registrar of the auth requirement to be aware of vanity paths and aliases and 
> do the right thing and update the auth requirements whenever there are 
> changes.
> We should avoid these additional registrations and processing.
> The SlingAuthenticator is currently checking the request path against the 
> auth requirements. We could change this with checking the resolved path. So 
> the authenticator could use a service user resolver and resolve the path and 
> then check the auth requirements.
> This avoids all the extra work for the registrar of the auth requirements, 
> but comes with the additional cost of a resolve call per request



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

Reply via email to