Hi, On 02.06.2010 06:12, Jos Snellings wrote: > Dear, > > I am confronted with the following use cases: > 1. sling app needs to authenticate with a nearby (same server) webapp. > No anonymous access allowed. > => I created 'proxyauthenticator' for this: > * anonymous requests are forwarded to the trused webapps > login > * trusted webapp places short (30 sec) session entry in a > shared DB table upon > successful login > * trusted webapp causes authenticated web client to > request menu options from > sling app with this short session ID > * proxyauthenticator picks this ID up, authenticates the > user, and clears the entry from the table
Looks like you try to reinvent OpenID. How about implementing an OpenID provider on the "trusted webapp" server ? > > 2. sling app needs to authenticate with organisation's LDAP server > > I have following questions: > - for proxyAuthenticationHandler, is it alright if extractCredentials > calls requestCredentials directly if no > valid credentials exist in the session? Yes, in this case extractCredentials should return AuthenticationInfo.DOING_AUTH to indicate credentials have already been requested. Yet, I would probably not do so but rather have the SlingAuthenticator first try to find another authentication handler and only if none provide credentials have the SlingAuthenticator select an authentication handler and call its requestCredentials method. > - proxyauthenticator is being written as a proof of concept, is there > interest in adopting it in the sling trunk after peer review? If its just duplicating OpenID functionality, we would have to see. If it is a real LDAP-based authentication handler, most probably yes; but see below for more flesh to the LDAP-bone. > - these two 'trusted party' authentication mechanisms, are about the > mechanism only. SlingAuthenticator's > handleSecurity will inevitably try to get a JCR session for the > provided credentials... and this brings a complication: > the account must exist locally in the JCR repository. > Is there a way to obtain an even tighter integration? Would that imply > a sort of synchronisation between the accounts on > trusted app and sling app? Yes, definitely so and there are multiple options. One option (which we at Day chose for integration of LDAP servers with Day's CRX product) is to actually implement a Jackrabbit LoginModule which is able to synchronize the user base with the LDAP server on-demand. This LoginModule will (1) authenticate the Credentials with the LDAP server (generally doing an LDAP bind) and (2) will automatically create a local JCR Repository used based on data requested from the LDAP server. In fact, doing an LDAP LoginModule, would allow Sling to not require contacting the authenication server at all. Instead you could use the normal form based login handler which provides user name and password in the JCR Credentials to the repository where the repository will then use these credentials to check with the LDAP server. The other option would be to have the Sling authentication handler validate the credentials with the LDAP server (e.g. using LDAP bind) and use Jackrabbit user management functionality to create the users on demand if need be. This login handler would then have to use the "trusted credentials" mechanism also used by the OpenID login module to authenticate with the repository. For the LDAP case, I would actually prefer the first option of writing a LoginModule able to synchronize with the LDAP server on-demand. Hope this helps. Regards Felix
