Authentication is not performed by a filter. Authentication is performed before filter processing.
As soon as the request arrives, the OSGi HttpService calls handleSecurity on the HttpContext associated with the servlet/resource. In the case of Sling, this calls SlingMainServlet.handleSecurity, which calls SlingAuthenticator.authentication.
SlingAuthenticator selects the authentication handler for the request and forwards the authentication call.
The authentication handler implements the extractCredentials method, which (based on the authentication scheme, such as authorization-based, session-based or cookie-based authentication) is responsible for reading the credentials from cookies (or a header or the session).
After successful authentication, it returns AuthenticationInfo. If authentication fails, either an anonymous session is obtained (if anonymous access is allowed by the configuration) or the requestCredentials method is called, which renders (or redirects to) the login form. After handleSecurity has executed, the HttpService either terminates the request (if handleSecurity returns false) or calls SlingMainServlet.service, which is the entry point for processing Sling requests.
After that, the request-level filters are processed. See https://sling.apache.org/documentation/the-sling-engine/filters.html
awd
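The handler contract described in the answer above, as an added example that is not part of the original answer or of Sling's own code: a minimal AuthenticationHandler showing what each return value of extractCredentials means for the rest of the flow. The class name, package, realm and the "ExampleBasic" auth type are hypothetical, and the javax.servlet API is assumed.

```java
package com.example.auth; // hypothetical package

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.sling.auth.core.spi.AuthenticationHandler;
import org.apache.sling.auth.core.spi.AuthenticationInfo;
import org.osgi.service.component.annotations.Component;

@Component(service = AuthenticationHandler.class, property = {
        AuthenticationHandler.PATH_PROPERTY + "=/",            // paths this handler covers
        AuthenticationHandler.TYPE_PROPERTY + "=ExampleBasic" })
public class ExampleBasicHandler implements AuthenticationHandler {
    private static final String AUTH_TYPE = "ExampleBasic";   // hypothetical scheme name

    @Override
    public AuthenticationInfo extractCredentials(HttpServletRequest req, HttpServletResponse resp) {
        String header = req.getHeader("Authorization");
        if (header == null || !header.startsWith("Basic ")) {
            return null; // nothing for this handler: anonymous session or requestCredentials follows
        }
        try {
            String decoded = new String(
                    Base64.getDecoder().decode(header.substring(6).trim()), StandardCharsets.UTF_8);
            int sep = decoded.indexOf(':');
            if (sep <= 0) {
                return AuthenticationInfo.FAIL_AUTH; // credentials present but unusable
            }
            // The handler only extracts; Sling verifies these when it logs in with them.
            return new AuthenticationInfo(AUTH_TYPE, decoded.substring(0, sep),
                    decoded.substring(sep + 1).toCharArray());
        } catch (IllegalArgumentException e) {
            return AuthenticationInfo.FAIL_AUTH; // malformed Base64
        }
    }

    @Override
    public boolean requestCredentials(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        resp.setHeader("WWW-Authenticate", "Basic realm=\"example\""); // hypothetical realm
        resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
        return true; // challenge sent, so handleSecurity returns false and the request ends
    }

    @Override
    public void dropCredentials(HttpServletRequest req, HttpServletResponse resp) {
        // Stateless scheme: no cookie or session entry to clear on logout.
    }
}
```

Because all of this runs inside handleSecurity, a request rejected here never reaches SlingMainServlet.service or any request-level filter.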