Authenticating against multiple LDAP servers, depending on which path a user tries to access
I have a requirement to authenticate a user against different LDAP servers, depending on which path of the AEM site he is trying to access. For example:

/content/app/internal - Should be authenticated against Active Directory

/content/app/external - Should be authenticated against a separate Apache LDAP

Initially my solution was simply to create two configurations for login, each with its own SyncHandler, IDP and External Login module. Using JCR permissions, we make sure that users from the external LDAP don't have access to the internal pages (and vice-versa).

This works reasonably well, since AEM simply tries all the different configs until the user is successfully authenticated. Once authenticated, the user is then redirected onwards to where he was going.

The problem with such an implementation is that there are some edge-cases where the user sees unwanted error pages even though he thinks he is logged in.

So what I want to do is to limit which login module is used based on which path the user is trying to access. Based on these posts, it seems like I need to create a custom authentication handler:

However, I haven't yet been able to find clear guidance about how to go about doing that. At the moment I've resolved to hacking one together from what I can get from the Sling GitHub repo, but it's not working yet.

So I have two questions:

  • Is the custom AuthenticationHandler appropriate for my requirement?
  • (and if so) Is there any guidance about how to build one from scratch?

Hope someone can help.
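The following is an added example, not code from the poster or from Adobe, of the piece the question asks about: a Sling `AuthenticationHandler` that is scoped to one path. What is grounded in Sling is the `path` service property (`AuthenticationHandler.PATH_PROPERTY`), which makes the Sling authenticator consult a handler only for requests under that path, so one factory configuration per subtree gives one handler per directory. The package and class name, the `realm` configuration attribute and the `ldap.realm` attribute placed on the `AuthenticationInfo` are assumptions; a login module that reads that attribute to pick the right LDAP IDP is not part of this example, and JCR permissions remain the actual access control regardless of which directory authenticated the user.

```java
// Added example (not the poster's code): a path-scoped Sling AuthenticationHandler.
// Package, class name and the "ldap.realm" attribute are hypothetical.
package com.example.auth;

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.sling.auth.core.spi.AuthenticationHandler;
import org.apache.sling.auth.core.spi.AuthenticationInfo;
import org.osgi.service.component.annotations.Activate;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.ConfigurationPolicy;
import org.osgi.service.metatype.annotations.AttributeDefinition;
import org.osgi.service.metatype.annotations.Designate;
import org.osgi.service.metatype.annotations.ObjectClassDefinition;

/**
 * One factory configuration per protected subtree. The configuration's "path"
 * value is published as the handler's service property, so the Sling
 * authenticator only consults this instance for requests under that path.
 */
@Component(service = AuthenticationHandler.class,
           configurationPolicy = ConfigurationPolicy.REQUIRE)
@Designate(ocd = PathScopedLdapAuthHandler.Config.class, factory = true)
public class PathScopedLdapAuthHandler implements AuthenticationHandler {

    @ObjectClassDefinition(name = "Path-scoped LDAP authentication handler (example)")
    public @interface Config {
        @AttributeDefinition(name = "Path",
            description = "Request path prefix this handler is responsible for, e.g. /content/app/internal")
        String path(); // becomes the "path" service property Sling dispatches on

        @AttributeDefinition(name = "Realm",
            description = "Logical name of the directory that must authenticate users under this path")
        String realm();
    }

    /** Hypothetical attribute name a downstream login module could consult. */
    static final String REALM_ATTRIBUTE = "ldap.realm";
    private static final String BASIC_PREFIX = "Basic ";

    private String realm;

    @Activate
    protected void activate(Config config) {
        this.realm = config.realm();
    }

    @Override
    public AuthenticationInfo extractCredentials(HttpServletRequest request,
                                                 HttpServletResponse response) {
        String header = request.getHeader("Authorization");
        if (header == null || !header.startsWith(BASIC_PREFIX)) {
            return null; // nothing presented; Sling will call requestCredentials
        }
        byte[] decoded;
        try {
            decoded = Base64.getDecoder().decode(header.substring(BASIC_PREFIX.length()).trim());
        } catch (IllegalArgumentException malformed) {
            return AuthenticationInfo.FAIL_AUTH; // malformed header: reject, do not fall through
        }
        String pair = new String(decoded, StandardCharsets.UTF_8);
        int colon = pair.indexOf(':');
        if (colon <= 0) {
            return AuthenticationInfo.FAIL_AUTH; // empty user name or no separator
        }
        String user = pair.substring(0, colon);
        char[] password = pair.substring(colon + 1).toCharArray();

        AuthenticationInfo info = new AuthenticationInfo(HttpServletRequest.BASIC_AUTH, user, password);
        // Tag the attempt with the realm configured for this path; the login
        // module side that would honour this attribute is outside this example.
        info.put(REALM_ATTRIBUTE, realm);
        return info;
    }

    @Override
    public boolean requestCredentials(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        // Challenge with the realm name so the user sees which directory applies to this path.
        response.setHeader("WWW-Authenticate", "Basic realm=\"" + realm + "\"");
        response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
        return true;
    }

    @Override
    public void dropCredentials(HttpServletRequest request, HttpServletResponse response) {
        // HTTP Basic credentials are held by the client; nothing to clear server-side.
    }
}
```

Two configurations of this component, one with `path=/content/app/internal` and `realm=internal`, the other with `path=/content/app/external` and `realm=external`, give Sling one handler per subtree. Because the handler never sees requests outside its path, the edge cases where a user authenticated by the wrong directory reaches a page and only then hits a permission error are narrowed to the JCR permission check itself, which is the check that should stay in place either way.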