Hi Juanjo, Juanjo Vázquez schrieb: > Hi Felix, > > On Fri, Nov 14, 2008 at 7:14 AM, Felix Meschberger <[EMAIL PROTECTED]>wrote: > >> Hi Juanjo, >> >> Juanjo Vázquez schrieb: >>>> The proposal also allows for much more >>>> flexibility in building the Resource tree made of ResourceProviders >>>> where each ResourceProvider itself may actually be provided by a >>>> ResourceProviderFactory. >>> >>> Felix, this implementation would allow to have an only one security >>> management for the whole virtual resources tree, really?. I understand >> this >>> is not possible until now. >> Ehrm, no, this is not intended. The goal is to allow ResourceProviders >> to protect their resources by authenticating the access. >> >> Today, we authenticate against a single JCR ResourceProvider while all >> other resource providers (servlets, bundles, filesystem) do not >> authenticate at all. >> >> With the new ResourceProviderFactory and ResourceResolverFactory, >> authenticating ResourceProviders may be implemented. >> >> Enforcement of access control will remain an implementation detail of >> the actual ResourceProvider. >> > > Ok, I see. Furthermore, IMHO an eventual single sign-on stuff should remain > out of the Sling scope. Anyway, +1 for your ResourceResolverFactory > proposal.
Yes, exactly. The thing is: The Authenticator using AuthenticationHandler services to extract the credentials from the request and uses these exact credentials to get the ResourceResolver from the ResourceResolverFactory. So the the single sign-on stuff will be outside of Sling itself encapsulated in (a) an AuthenticationHandler and (b) credential processing in the ResourceProviderFactory (e.g. a LoginModule for Jackrabbit). Regards Felix