Hi,

We were using Slide 2.1 Beta 1 and were doing pretty well with ACL. Our design for custom authentication was like this:

1. Disable web-server authentication (remove the security-constraint elements in web.xml).
2. Enable Slide security (in slide.properties).
3. Write a filter for the WebDAV servlet. This filter captures every HTTP request and does custom authentication. After authentication, it sets a Principal object in the session based on the logged-in user (code for this is given below).

This worked pretty well for Slide 2.1 B1, except that the Slide trace messages spat out "unauthenticated" as the principal user. We were OK with that because the ACL worked on the logged-in user (the user set in the session as a Principal object).

When we upgraded to Slide 2.1 B2, the Slide server ACL was running on "unauthenticated" instead of the Principal user set in the session. Now, since the ACL thinks that the logged-in user is "unauthenticated", nothing works .... I do not understand what changed between B1 and B2. Is this a bug that was introduced, or am I supposed to do something extra for B2? Any help appreciated .....

Code for the servlet filter that does the custom authentication (the class wrapper, imports, init()/destroy(), the SlidePrincipal holder and authenticateRequest() were not in the original post and are filled in here in the shape the comments describe; the unlock key value is a placeholder):

    import java.io.IOException;
    import java.nio.charset.StandardCharsets;
    import java.security.MessageDigest;
    import java.security.Principal;
    import java.util.Base64;

    import javax.servlet.Filter;
    import javax.servlet.FilterChain;
    import javax.servlet.FilterConfig;
    import javax.servlet.ServletException;
    import javax.servlet.ServletRequest;
    import javax.servlet.ServletResponse;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    import javax.servlet.http.HttpSession;

    import org.apache.slide.webdav.WebdavStatus;

    public class SlideAuthenticationFilter implements Filter {

        // Session attribute under which the Principal is bound for Slide
        private static final String PRINCIPAL_ATTRIBUTE = "org.apache.slide.webdav.method.principal";

        // The Slide un-lock key is a constant defined in this class
        // (TODO save it in an external editable resource). Placeholder value here.
        private static final String SLIDE_UNLOCK_KEY = "CHANGE-ME";

        private FilterConfig fConfig;

        // SlidePrincipal is a simple implementation of the Principal interface
        public static class SlidePrincipal implements Principal {
            private String name;
            public SlidePrincipal(String name) { this.name = name; }
            public String getName() { return name; }
            public void setName(String name) { this.name = name; }
        }

        public void init(FilterConfig config) throws ServletException {
            this.fConfig = config;
        }

        public void destroy() {
            this.fConfig = null;
        }

        public void doFilter(ServletRequest req, ServletResponse res, FilterChain fChain)
                throws IOException, ServletException {
            // Cast to the Http specific classes for the request and the response
            HttpServletRequest httpReq = (HttpServletRequest) req;
            HttpServletResponse httpRes = (HttpServletResponse) res;

            // Return an error if the filter config object is null
            if (fConfig == null) {
                String sError = "SlideAuthenticationFilter.doFilter()::FilterConfig is null";
                httpRes.sendError(WebdavStatus.SC_INTERNAL_SERVER_ERROR, sError);
                return;
            }

            // Check for the Authorization header. It will be used to create the Principal
            // object for Slide authorizations. All WebDAV client calls from salespoint should
            // have the "Authorization" header in the format "BASIC username:slideunlockkey",
            // with the string "username:slideunlockkey" encoded in base64.
            // The authenticated user name is kept in a local variable rather than an instance
            // field: one Filter instance serves concurrent requests, so a shared field could
            // hand one request's user name to another.
            String sAuthorizationHeader = httpReq.getHeader("Authorization");
            String sLoggedUser = authenticateRequest(sAuthorizationHeader);
            if (sLoggedUser == null) {
                String sError = "SlideAuthenticationFilter.doFilter()::Authentication failed, invalid slide repository unlock key";
                httpRes.sendError(WebdavStatus.SC_FORBIDDEN, sError);
                return;
            }

            // User is authenticated, let him through Slide.
            // Fetch the http session object for this user, if none create one
            HttpSession httpSession = httpReq.getSession(true);

            // Look if there is a Principal object bound to the session for the logged-in user
            SlidePrincipal principal = (SlidePrincipal) httpSession.getAttribute(PRINCIPAL_ATTRIBUTE);
            if (principal != null && principal.getName().equals(sLoggedUser)) {
                // A valid Principal already exists in the session: nothing to do
            } else if (principal == null) {
                // No Principal bound to the session yet: create one and bind it
                principal = new SlidePrincipal(sLoggedUser);
                httpSession.setAttribute(PRINCIPAL_ATTRIBUTE, principal);
            } else {
                // One is found but the name does not match: update it with the right name
                principal.setName(sLoggedUser);
            }

            fChain.doFilter(req, res);
        }

        // Decodes "BASIC base64(username:slideunlockkey)" and checks the key.
        // Returns the user name on success, null on any failure.
        private String authenticateRequest(String sAuthorizationHeader) {
            if (sAuthorizationHeader == null
                    || !sAuthorizationHeader.regionMatches(true, 0, "Basic ", 0, 6)) {
                return null;
            }
            byte[] decoded;
            try {
                decoded = Base64.getDecoder().decode(sAuthorizationHeader.substring(6).trim());
            } catch (IllegalArgumentException e) {
                return null; // not valid base64
            }
            String credentials = new String(decoded, StandardCharsets.ISO_8859_1);
            int colon = credentials.indexOf(':');
            if (colon <= 0) {
                return null; // no separator, or empty user name
            }
            byte[] key = credentials.substring(colon + 1).getBytes(StandardCharsets.ISO_8859_1);
            // Constant-time comparison of the shared key
            if (!MessageDigest.isEqual(SLIDE_UNLOCK_KEY.getBytes(StandardCharsets.ISO_8859_1), key)) {
                return null;
            }
            return credentials.substring(0, colon);
        }
    }

thanks,
Krishna
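The header parsing that the post's filter relies on, worked through on its own with the rejection cases a WebDAV client can actually send. This is an added example, not code from the post or from the Slide project; the class name BasicUnlockKeyAuthenticator, the UnlockedUser principal and the sample key are made up for illustration, and it depends only on the JDK (java.util.Base64, Java 8 or later).

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.Base64;

// Checks an "Authorization: Basic base64(username:unlockkey)" header against a shared
// unlock key. Added example; the names here are illustrative, not Slide's.
public final class BasicUnlockKeyAuthenticator {

    // Immutable principal: a fresh instance per request, so nothing shared between
    // requests (a session attribute or a filter field) has to be mutated.
    public static final class UnlockedUser implements Principal {
        private final String name;
        public UnlockedUser(String name) { this.name = name; }
        public String getName() { return name; }
        public String toString() { return "UnlockedUser(" + name + ")"; }
    }

    private final byte[] expectedKey;

    public BasicUnlockKeyAuthenticator(String unlockKey) {
        this.expectedKey = unlockKey.getBytes(StandardCharsets.ISO_8859_1);
    }

    // Returns the authenticated principal, or null when the header is absent, uses a
    // scheme other than Basic, is not valid base64, has no "user:key" separator, has
    // an empty user name, or carries the wrong unlock key.
    public Principal authenticate(String authorizationHeader) {
        if (authorizationHeader == null) {
            return null;
        }
        String header = authorizationHeader.trim();
        // The scheme name is case-insensitive: "BASIC", "Basic" and "basic" are all fine.
        if (!header.regionMatches(true, 0, "Basic ", 0, 6)) {
            return null;
        }
        byte[] decoded;
        try {
            decoded = Base64.getDecoder().decode(header.substring(6).trim());
        } catch (IllegalArgumentException e) {
            // Reject bad base64 here; left uncaught it would surface as a 500 from the filter.
            return null;
        }
        // Only the first colon separates user from key, so a key containing ':' still works.
        String credentials = new String(decoded, StandardCharsets.ISO_8859_1);
        int colon = credentials.indexOf(':');
        if (colon <= 0) {
            return null;
        }
        String user = credentials.substring(0, colon);
        byte[] key = credentials.substring(colon + 1).getBytes(StandardCharsets.ISO_8859_1);
        // Constant-time comparison so the key cannot be recovered byte by byte from timing.
        if (!MessageDigest.isEqual(expectedKey, key)) {
            return null;
        }
        return new UnlockedUser(user);
    }

    private static String basic(String credentials) {
        return "Basic " + Base64.getEncoder()
                .encodeToString(credentials.getBytes(StandardCharsets.ISO_8859_1));
    }

    // Constructed sample headers covering the accept and reject paths.
    public static void main(String[] args) {
        BasicUnlockKeyAuthenticator auth = new BasicUnlockKeyAuthenticator("s3cret:key");
        String[] samples = {
            basic("krishna:s3cret:key"),                 // accepted as krishna
            basic("krishna:s3cret:key").toUpperCase(),   // "BASIC" scheme: base64 is case-sensitive, so this one is rejected
            "basic " + basic("krishna:s3cret:key").substring(6), // lower-case scheme, same token: accepted
            basic("krishna:wrong"),                      // wrong key
            basic(":s3cret:key"),                        // empty user name
            basic("nocolon"),                            // no separator
            "Bearer abc",                                // wrong scheme
            "Basic not*base64",                          // invalid base64
            null                                         // header absent
        };
        for (String sample : samples) {
            Principal p = auth.authenticate(sample);
            System.out.println((p == null ? "REJECT  " : "ACCEPT as " + p.getName() + "  ") + sample);
        }
    }
}
```

The filter's authenticateRequest() could delegate to authenticate() and, instead of binding a mutable SlidePrincipal to the session, carry the returned UnlockedUser for that request only; whether Slide's method layer picks a principal up from the session attribute or from the request is not something this example settles, it only isolates the header handling so that it can be tested outside the container.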