Details
-
Improvement
-
Status: Closed
-
Major
-
Resolution: Fixed
-
webconsole-3.1.2
-
None
Description
Since Web Console 3.x authentication ot the web console can be externally supported with a WebConsoleSecurityProvider service.
This service provides an authenticate method taking a user name and password and returning any non-null object on success. The consequence of this simple interface is, that this only supports HTTP Basic authentication.
If one wants to support other credential transports, e.g. Sling's Form Based Authentication, this simple interface won't help.
I propose to created a new WebConsoleSecurityProvider2 interface extending WebConsoleSecurityProvider and defining a new method authenticate(HttpServletRequest, HttpServletResponse) returning a boolean indicating success or failure. This method will directly be called from the HttpContext.handledSecurity(HttpServletRequest, HttpServletResponse) method and has to take care to properly implement authentication including setting the request attributes required by the OSGi Http Service Spec.