[jira] Commented: (SLING-608) Provide Authentication Control

[Felix Meschberger (JIRA)]

    [ 
https://issues.apache.org/jira/browse/SLING-608?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12622108#action_12622108
 ] 

Felix Meschberger commented on SLING-608:
-----------------------------------------

@Marvin:

You are right. We don't have much with respect to version support yet in our 
samples (and test cases). Michael's notes application is currently pending 
inclusing in Sling as a sample.

Regarding authentication: AFAIK Jackrabbit comes with no built-in user 
management out of the box (though there is an LDAP authentication handler and 
also support for JAAS IIRC). So we took the simple way in Sling to just include 
Jackrabbit out of the box with a default configuration. There should probably 
be better documenting on how to change this behaviour to use real user 
management.

Sling itself has an authentication strategy in that it has an authenticator 
which calls into AuthenticationHandlers to extract the user details from the 
request (support for HTTP BASIC authentication comes with Sling) and which then 
logs into the repository. All in all, the authentication strategy is to use the 
repository for authentication - provided the repository does something real 
here.

@Rory

Using the web server platform for user authentication would probably be the 
cause for a Sling AuthenticationHandler implementation. In this case the 
repository would have to be set up for JAAS authentication to be able to pick 
up the Credentials prepared by Sling's JAAS AuthenticationHandler.

> Provide Authentication Control
> ------------------------------
>
>                 Key: SLING-608
>                 URL: https://issues.apache.org/jira/browse/SLING-608
>             Project: Sling
>          Issue Type: Improvement
>          Components: Documentation, JCR, Launchpad
>    Affects Versions: Launchpad Webapp 3
>            Reporter: Marvin Phelps
>
> Sling sits atop a content repository - so there should be better examples of 
> how to post versions and list versions. (mix:versionable). I managed to find 
> out how to do this using the Day notes application. Secondly, it's now 
> apparent to me that the LaunchPad webapp is using Jackrabbit's 
> SimpleLoginModule and by default it allows access for every user: even 
> http://doodoo:[EMAIL PROTECTED]:8888/ Sling needs to have some authentication 
> strategy built-in. With this stuff provided in Launchpad, Sling would be more 
> usable out of the box.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.