Your achievements

Level 1

0% to

Level 2

Tip /
Sign in

Sign in to Community

to gain points, level up, and earn exciting badges like the new
Bedrock Mission!

Learn more

View all

Sign in to view all badges

Authentication handler using remember me

dhawanmayur
Level 2
Level 2

Hi All,

My question is related to custom authentication handler . I want to test the code at https://github.com/davidjgonzalez/com.activecq.samples/blob/master/core/src/main/java/com/activecq/s... . However, I am unable to make the code call requestCredentials method. When the code would be able to call the requestCredentials method , it would be able to set the remember me routine in the request object. So, my questions are:

1. How to make Sling call the requestCredentials method

2. What configuration needs to be done at CQ level if its needed.

3. What is the significance of authType property in any authentication handler.

 

Thanks in advance.

dhawanmayur

0 Replies
davidjgonzalezz
Employee
Employee

Hi,

To test out the RememberMeAuthenticationHandler you need to run it in conjunction with the Sample "TokenSlingAuthenticationHandler" [1] (see lines 135-139)

The way it works is the "TokenSlingAuthenticationHandler (and all other registered auth handlers) will fail in their authentication of the "normal" provided credentials (form params, etc.). When an auth handler in the stacks returns a FAIL state, it kicks the request back out to the sling auth stack but this time down the request credentials chain. In this case, the the RememberMe auth handler sits on top of the stack, checks for the existence of a valid remember me token, and then "reboots" the auth process via the sling.forward (which will send it back through the extract credentials). All of this requires you to be able to issue and validate a Remember Me token (cookie) which the samples do not do.

@justin_at_adobe may have an alternative approach to this.

1. This is handled by Sling; when extract credentials fails auth or the full stack is exhausted (returning null) and the resource is protected.

2. The code is very broad strokes. You would need to build all your specifics on top of it. the key part is creating, securing and validating the remember token. You could look to a back-end system or HMACSHAing some time-based value into a cookie. Typically your security team will want to weigh in on this.

3. IIRC authType lets you target a specific Auth handler's requestCredentials from extractCredentials() or authFailed()/authSucceeded()

[1] https://github.com/davidjgonzalez/com.activecq.samples/blob/master/core/src/main/java/com/activecq/s...

dhawanmayur
Level 2
Level 2

Thanks David for the response.

I have few queries as:

This is handled by Sling; when extract credentials fails auth or the full stack is exhausted (returning null) and the resource is protected.

>> Can you elaborate what do we mean by resource is protected.

>> Can a single authhandler act like a normal auth handler and the remember me auth handler ?

>> What is IIRC authType and how can I target requestCredentials from extractCredentials ? Will you be able to share sample code ?

 

I am very new to adobe Cq , some of these questions may be very basic to you.

Thanks in advance