[Authentication] option to close session passed as "user.jcr.session"
One of the options in a Sling Authentication handler is to create the session itself and pass it via "user.jcr.session" in the AuthenticationInfo. But this session is never closed automatically by Sling, forcing you to also write yet-another ServletFilter that closes the session at the end of the request, which is ugly.
So I am proposing a new option "user.jcr.session.close" that one can set which would close the session. The change would be simple: in  set logoutSession = true if this flag is present. IMO closing by default would make more sense, not sure if we can do that...
Passing an existing session is the most generic way to login for an auth handler, but due to the non-auto-closing, it's impractical.
Also, this is my current requirement, you can use Jackrabbit's TokenCredentials and verify attributes - these are added back to the credentials objects _after_ the login, which happens _after_ the authentication handler and all authentication post processors, so no chance for me to do some validation on them inside the auth handler. Unless I want to create an extra throw-away session just for the check - which is a waste to do for every single request.
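The filter workaround described in the post above, written out as an added example (not code from the thread or from Sling). The request attribute name and the `handOver` helper are hypothetical; the helper takes the handler's AuthenticationInfo as a plain `Map`, which it is.

```java
import java.io.IOException;
import java.util.Map;
import javax.jcr.Session;
import javax.servlet.*;

/** Logs out a JCR session that an authentication handler created itself. */
public class HandlerSessionCleanupFilter implements Filter {

    // Key named in the thread under which Sling accepts a ready-made session.
    static final String INFO_SESSION = "user.jcr.session";

    // Hypothetical request attribute, used only by this example.
    static final String OWNED_SESSION_ATTR = "example.auth.ownedJcrSession";

    // Called from the handler's extractCredentials(): passes the session to
    // Sling and records that this code, not Sling, has to close it.
    public static void handOver(ServletRequest request,
            Map<String, Object> authInfo, Session session) {
        authInfo.put(INFO_SESSION, session);
        request.setAttribute(OWNED_SESSION_ATTR, session);
    }

    public void init(FilterConfig config) { }

    public void destroy() { }

    public void doFilter(ServletRequest request, ServletResponse response,
            FilterChain chain) throws IOException, ServletException {
        try {
            chain.doFilter(request, response);
        } finally {
            // Runs on normal completion and on exceptions, so a failing
            // request cannot leave the session open.
            Object owned = request.getAttribute(OWNED_SESSION_ATTR);
            request.removeAttribute(OWNED_SESSION_ATTR);
            if (owned instanceof Session && ((Session) owned).isLive()) {
                ((Session) owned).logout();
            }
        }
    }
}
```

The filter only covers requests that reach the filter chain; if the request is rejected after `handOver` but before the chain runs, the handler has to log the session out on that path itself.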
> IIRC we have been discussing that before … Not sure what the resolution was and I actually was under the impression we agreed to do it. Maybe it just fell off the trenches.
> Yes, I think a new constant
>> JcrResourceConstants.AUTHENTICATION_INFO_SESSION_LOGOUT = "user.jcr.session.logout";
> Sounds reasonable. Type would be boolean (using PropertiesUtil.toBoolean) with a default value of false:
>> logoutSession = PropertiesUtil.toBoolean(
> WDYT?
We currently have to use HttpServlets directly registered with the OSGi HttpService (since we need to handle wildcard paths), i.e. not Sling servlets, but we reuse the Sling authenticator in handleSecurity.
This works fine with other, normal ways of logging in to the JCR using e.g. Jackrabbit tokens, this problem only comes up with the user.jcr.session + logout approach.
The SlingAuthenticator.requestDestroyed method is called *after* the service method has been called and completed. I cannot reproduce your problem. Would you be able to provide some sample code which exhibits this issue? Thanks.