Authentication
This section describes the framework provided by Sling to authenticate HTTP requests.
Let's look at generic request processing of Sling: Sling is linked into the outside world by registering the Sling Main Servlet – implemented by the SlingMainServlet
class in the Sling Engine bundle – with an OSGi HttpService
. This registration is accompanyied with an implementation instance of the OSGi HttpContext
interface, which defines a method to authenticate requests: handleSecurity
.
This method is called by the OSGi HTTP Service implementation after the servlet has been selected to handle the request but before actually calling the servlet's service
method.
- First the OSGi HTTP Service implementation is analyzing the request URL to find a match for a servlet or resource registered with the HTTP Service.
- Now the HTTP Service implementation has to call the
handleSecurity
method of theHttpContext
object with which the servlet or resource has been registered. This method returnstrue
if the request should be serviced. If this method returnsfalse
the HTTP Service implementation terminates the request sending back any response which has been prepared by thehandleSecurity
method. Note, that thehandleSecurity
method must prepare the failure response sent to the client, the HTTP Service adds nothing here. If thehandleSecurity
method is successful, it must add two (or three) request attributes described below. - When the
handleSecurity
method returnstrue
the HTTP Service either calls theServlet.service
method or sends back the requested resource depending on whether a servlet or a resource has been selected in the first step.
The important thing to note here is, that at the time the handleSecurity
method is called, the SlingMainServlet
is not yet in control of the request. So any functionality added by the SlingMainServlet
, notably the SlingHttpServletRequest
and SlingHttpServletResponse
objects are not available to the implementation of the handleSecurity
method.
The following pages describe the full details of request authentication in Sling in full detail:
- Tasks: Authentication of HTTP Requests is generally a two-step process: First the credentials must be extracted from the request and second the credentials must be validated. In the case of Sling this means acquiring a JCR Session.
- Actors: The authentication process involves a number of actors contributing to the concepts, the API and the particular implementations.
- Framework: The core piece of functionality with respect to authentication in Sling is contained in the Sling Auth Core bundle. This bundle provides the API for Sling and Sling applications to make use of authentication.
- AuthenticationHandler: The
AuthenticationHandler
interface defines the service API which may be implemented by authentication handlers registered as OSGi services.