in src/main/java/org/apache/sling/auth/core/impl/SlingAuthenticator.java [504:548]
/**
 * Runs the authentication sequence for one request: publishes the configured
 * auth URI suffixes as a request attribute, extracts credentials, post-processes
 * them, and then dispatches on the extraction outcome.
 *
 * <p>Returns {@code false} when a handler is still authenticating, when the
 * presented credentials were rejected, or when post-processing throws a
 * {@link LoginException}. Otherwise the result of {@code getAnonymousResolver}
 * or {@code getResolver} is returned unchanged.
 *
 * @param request the incoming request; also receives the request attributes set here
 * @param response the response handed on to the handlers and the login/failure helpers
 * @return {@code false} in the cases listed above, else whatever the resolver helper returns
 */
private boolean doHandleSecurity(HttpServletRequest request, HttpServletResponse response) {
    // Step 0: publish the auth URI suffixes, but never overwrite a value that
    // something earlier in the request chain has already stored.
    final boolean suffixAlreadySet =
            request.getAttribute(AuthConstants.ATTR_REQUEST_AUTH_URI_SUFFIX) != null;
    if (!suffixAlreadySet && authUriSuffices != null) {
        request.setAttribute(AuthConstants.ATTR_REQUEST_AUTH_URI_SUFFIX, authUriSuffices);
    }

    // Step 1: let the authentication handlers extract credentials.
    // NOTE(review): the code below dereferences authInfo without a null check, so it
    // assumes getAuthenticationInfo never returns null - confirm.
    final AuthenticationInfo authInfo = getAuthenticationInfo(request, response);

    // Step 2: post-process the credentials. This runs before the sentinel checks in
    // step 3, so it is also invoked when authInfo is DOING_AUTH or FAIL_AUTH.
    try {
        postProcess(authInfo, request, response);
    } catch (LoginException loginFailure) {
        // A rejection here ends the request: report the failure, then let the
        // failure handling respond. The resolver is never requested.
        postLoginFailedEvent(request, authInfo, loginFailure);
        handleLoginFailure(request, response, authInfo, loginFailure);
        return false;
    }

    // Step 3: dispatch on the outcome. DOING_AUTH and FAIL_AUTH are compared by
    // identity, i.e. they are treated as shared sentinel instances.
    if (authInfo == AuthenticationInfo.DOING_AUTH) {
        log.debug("doHandleSecurity: ongoing authentication in the handler");
        return false;
    }

    if (authInfo == AuthenticationInfo.FAIL_AUTH) {
        log.debug("doHandleSecurity: Credentials present but not valid, request authentication again");
        // NOTE(review): the request URI comes from the client and is stored as the
        // login resource; presumably it is validated before being used as a
        // post-login target - confirm in AuthUtil / doLogin.
        AuthUtil.setLoginResourceAttribute(request, request.getRequestURI());
        doLogin(request, response);
        return false;
    }

    if (authInfo.getAuthType() == null) {
        // No auth type means no handler supplied credentials: anonymous path.
        log.debug("doHandleSecurity: No credentials in the request, anonymous");
        return getAnonymousResolver(request, response, authInfo);
    }

    // Credentials are present; the user id is written to the debug log here.
    log.debug("doHandleSecurity: Trying to get a session for {}", authInfo.getUser());
    return getResolver(request, response, authInfo);
}