This section describes the framework provided by Sling to authenticate HTTP requests.
Let's look at generic request processing of Sling: Sling is linked into the outside world by registering the Sling Main Servlet – implemented by the
SlingMainServlet class in the Sling Engine bundle – with an OSGi
HttpService. This registration is accompanied with an implementation instance of the OSGi
HttpContext interface, which defines a method to authenticate requests:
This method is called by the OSGi HTTP Service implementation after the servlet has been selected to handle the request but before actually calling the servlet's
- First the OSGi HTTP Service implementation is analyzing the request URL to find a match for a servlet or resource registered with the HTTP Service.
- Now the HTTP Service implementation has to call the
handleSecuritymethod of the
HttpContextobject with which the servlet or resource has been registered. This method returns
trueif the request should be serviced. If this method returns
falsethe HTTP Service implementation terminates the request sending back any response which has been prepared by the
handleSecuritymethod. Note, that the
handleSecuritymethod must prepare the failure response sent to the client, the HTTP Service adds nothing here. If the
handleSecuritymethod is successful, it must add two (or three) request attributes described below.
- When the
truethe HTTP Service either calls the
Servlet.servicemethod or sends back the requested resource depending on whether a servlet or a resource has been selected in the first step.
The important thing to note here is, that at the time the
handleSecurity method is called, the
SlingMainServlet is not yet in control of the request. So any functionality added by the
SlingMainServlet, notably the
SlingHttpServletResponse objects are not available to the implementation of the
The following pages describe the full details of request authentication in Sling in full detail: