Hi Douglas,

Douglas José wrote:
> Hello,
> 
> I would like to restrict the access to part of my Sling application. Using
> the example of a blogging application, I want the posts to be public, but
> the post creation page to be password protected.
> I read something about configuring the "access authentication" component,
> enabling/disabling the option "allow anonymous access", but it seems to me
> an all-or-nothing option. Is that correct?

Yes, the "Allow Anonymous Access" switch is an all-or-nothing switch
with respect to requesting authentication. If you switch this on, no
requests will require authentication by default. And now, it gets tricky
and interesting ;-)

Any non-authenticated request is handled in the background by an
anonymous JCR Session. If the session cannot access the requested
resource, it is not visible, hence the request will fail with a 404/NOT
FOUND.

Based on this background you may:

  * Protect the post creation page from being accessible by
     the anonymous user
  * Implement a 404 error handler, which will cause the user to
     provide credentials in case of anonymous requests

Alternatively you may implement the post creation script such that it
checks whether the request is actually authenticated or not and -- for
example -- redirect the request to a login page in case the request is
not authenticated.

Hope this helps.

Regards
Felix
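
The alternative described above (the post creation script checks for authentication itself), as a plain Java servlet. This is an added example, not code from this thread or from the Sling project. The login page path, the `resource` parameter name, and the rule that an anonymous request has no auth type or carries the user id "anonymous" are assumptions.

```java
import java.io.IOException;
import java.net.URLEncoder;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class PostCreationServlet extends HttpServlet {
    // Hypothetical login page; adjust to the application's real one.
    private static final String LOGIN_PAGE = "/login.html";

    // Assumption: anonymous requests have no auth type, or the user id "anonymous".
    static boolean isAuthenticated(HttpServletRequest req) {
        String user = req.getRemoteUser();
        return req.getAuthType() != null && user != null && !"anonymous".equals(user);
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse res)
            throws IOException {
        if (!isAuthenticated(req)) {
            // The return target is this servlet's own request URI, not a
            // client-supplied parameter, so it cannot point off-site.
            String back = URLEncoder.encode(req.getRequestURI(), "UTF-8");
            res.sendRedirect(req.getContextPath() + LOGIN_PAGE + "?resource=" + back);
            return;
        }
        res.setContentType("text/html;charset=UTF-8");
        res.getWriter().println("<form method=\"post\">"
                + "<input name=\"title\"><textarea name=\"body\"></textarea>"
                + "<input type=\"submit\"></form>");
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse res)
            throws IOException {
        // Check again on the write itself: guarding only the form page would
        // leave the POST reachable by anyone who sends it directly.
        if (!isAuthenticated(req)) {
            // No redirect here: a redirected POST would lose its body anyway.
            res.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        // Storing the post is outside this example; only the gate is shown.
        res.setStatus(HttpServletResponse.SC_CREATED);
    }
}
```

This check only controls what the script does; the repository content is still governed by what the anonymous session is allowed to read, as described in the first option.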
