[ https://issues.apache.org/jira/browse/SLING-2084?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Antonio Sanso resolved SLING-2084.
----------------------------------

    Resolution: Invalid

Close as invalid. Problem is client related as

curl -u admin:admin http://localhost:4602/content/a.xml

gives back

<html>This page moved to <a href=" /content/a.xml/">here</a></html>

and

curl -IL -u admin:admin http://localhost:4602/content/a.xml

HTTP/1.1 302 Moved Temporarily
Connection: Keep-Alive
Server: Day-Servlet-Engine/4.1.12
Content-Type: text/html
Date: Wed, 27 Jul 2011 07:38:22 GMT
Transfer-Encoding: chunked
Location: /content/a.xml/

HTTP/1.1 200 OK
Connection: Keep-Alive
Server: Day-Servlet-Engine/4.1.12
Content-Type: text/html;charset=utf-8
Date: Wed, 27 Jul 2011 07:38:22 GMT
Transfer-Encoding: chunked

The common http client seems to invalidate the authentication right before the authentication

> StreamRendererServlet ignores authentication on redirect
> --------------------------------------------------------
>
>                 Key: SLING-2084
>                 URL: https://issues.apache.org/jira/browse/SLING-2084
>             Project: Sling
>          Issue Type: Bug
>          Components: Authentication, Servlets
>    Affects Versions: Servlets Get 2.1.2
>            Reporter: Antonio Sanso
>            Priority: Minor
>         Attachments: TestUnstructuredNode.java
>
>
> Use case:
> - create a nt:unstructured node e.g. /content/a.xml
> - execute the java class in attachment (TestUnstructuredNode.java). Output from the class ==> status 404
> log excerpt
> 17.05.2011 14:06:42.391 *DEBUG* [127.0.0.1 [1305634002391] GET /content/a.xml HTTP/1.1] org.apache.sling.auth.core.impl.SlingAuthenticator handleSecurity: Trying to get a session for admin
> 17.05.2011 14:06:42.393 *DEBUG* [127.0.0.1 [1305634002391] GET /content/a.xml HTTP/1.1] org.apache.sling.auth.core.impl.SlingAuthenticator setAttributes: ResourceResolver stored as request attribute: user=admin
> 17.05.2011 14:06:42.404 *DEBUG* [127.0.0.1 [1305634002404] GET /content/a.xml/ HTTP/1.1] org.apache.sling.auth.core.impl.HttpBasicAuthenticationHandler forceAuthentication: Not forcing authentication because request parameter sling:authRequestLogin is not set
> 17.05.2011 14:06:42.404 *DEBUG* [127.0.0.1 [1305634002404] GET /content/a.xml/ HTTP/1.1] org.apache.sling.auth.core.impl.SlingAuthenticator getAuthenticationInfo: no handler could extract credentials
> 17.05.2011 14:06:42.404 *DEBUG* [127.0.0.1 [1305634002404] GET /content/a.xml/ HTTP/1.1] org.apache.sling.auth.core.impl.SlingAuthenticator handleSecurity: No credentials in the request, anonymous
> 17.05.2011 14:06:42.406 *DEBUG* [127.0.0.1 [1305634002404] GET /content/a.xml/ HTTP/1.1] org.apache.sling.auth.core.impl.SlingAuthenticator setAttributes: ResourceResolver stored as request attribute: user=anonymous
> - Disable/Uncheck "Allow Anonymous Access" in the org.apache.sling.engine.impl.auth.SlingAuthenticator configuration
> - execute the java class in attachment. Output from the class ==> May 17, 2011 2:09:30 PM org.apache.commons.httpclient.auth.AuthChallengeProcessor selectAuthScheme
> INFO: basic authentication scheme selected
> Status 200
> log excerpt
> 17.05.2011 14:09:30.570 *DEBUG* [127.0.0.1 [1305634170570] GET /content/a.xml HTTP/1.1] org.apache.sling.auth.core.impl.SlingAuthenticator handleSecurity: Trying to get a session for admin
> 17.05.2011 14:09:30.572 *DEBUG* [127.0.0.1 [1305634170570] GET /content/a.xml HTTP/1.1] org.apache.sling.auth.core.impl.SlingAuthenticator setAttributes: ResourceResolver stored as request attribute: user=admin
> 17.05.2011 14:09:30.583 *DEBUG* [127.0.0.1 [1305634170582] GET /content/a.xml/ HTTP/1.1] org.apache.sling.auth.core.impl.HttpBasicAuthenticationHandler forceAuthentication: Not forcing authentication because request parameter sling:authRequestLogin is not set
> 17.05.2011 14:09:30.583 *DEBUG* [127.0.0.1 [1305634170582] GET /content/a.xml/ HTTP/1.1] org.apache.sling.auth.core.impl.SlingAuthenticator getAuthenticationInfo: no handler could extract credentials
> 17.05.2011 14:09:30.583 *DEBUG* [127.0.0.1 [1305634170582] GET /content/a.xml/ HTTP/1.1] org.apache.sling.auth.core.impl.SlingAuthenticator handleSecurity: No credentials in the request, anonymous
> 17.05.2011 14:09:30.583 *INFO* [127.0.0.1 [1305634170582] GET /content/a.xml/ HTTP/1.1] org.apache.sling.auth.core.impl.SlingAuthenticator getAnonymousSession: Anonymous access not allowed by configuration - requesting credentials
> 17.05.2011 14:09:30.678 *DEBUG* [127.0.0.1 [1305634170677] GET /content/a.xml/ HTTP/1.1] org.apache.sling.auth.core.impl.SlingAuthenticator handleSecurity: Trying to get a session for admin
> 17.05.2011 14:09:30.680 *DEBUG* [127.0.0.1 [1305634170677] GET /content/a.xml/ HTTP/1.1] org.apache.sling.auth.core.impl.SlingAuthenticator setAttributes: ResourceResolver stored as request attribute: user=admin
> The behavior is clearly inconsistent. The nt:unstructured node is rendered from the StreamRendererServlet class that does a redirect (not forcing authentication) and inducing the second request to use the anonymous user.
> Adding ?sling:authRequestLogin=1 parameter to the StreamRendererServlet redirect would solve the issue but it is not a clean solution (I am looking for a better one and I might attach a patch file).

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
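
Added example (not part of the JIRA message or of the Sling code base): a log check that flags the pattern shown in the first excerpt, where a request resolved as a named user is followed by a request for the same path plus a trailing slash that resolved as anonymous. The function names and the one-second window are assumptions made for this sketch, and it treats the bracketed number in each record as the request start time in milliseconds, which matches the timestamps in the excerpts.

```python
import re

# Sling auth log record: "<date> <time> *LEVEL* [<client> [<start-ms>] <METHOD> <path> HTTP/x] <logger> <message>"
RECORD = re.compile(
    r"\S+ \S+ \*\w+\* \[(?P<client>\S+) \[(?P<start>\d+)\] \w+ (?P<path>\S+) HTTP/[\d.]+\] "
    r"\S+ (?P<msg>.*)")
USER = re.compile(r"ResourceResolver stored as request attribute: user=(\S+)")

# Lines copied from the issue's two log excerpts, with the mail wrapping undone.
ANON_ALLOWED = """\
17.05.2011 14:06:42.393 *DEBUG* [127.0.0.1 [1305634002391] GET /content/a.xml HTTP/1.1] org.apache.sling.auth.core.impl.SlingAuthenticator setAttributes: ResourceResolver stored as request attribute: user=admin
17.05.2011 14:06:42.404 *DEBUG* [127.0.0.1 [1305634002404] GET /content/a.xml/ HTTP/1.1] org.apache.sling.auth.core.impl.SlingAuthenticator handleSecurity: No credentials in the request, anonymous
17.05.2011 14:06:42.406 *DEBUG* [127.0.0.1 [1305634002404] GET /content/a.xml/ HTTP/1.1] org.apache.sling.auth.core.impl.SlingAuthenticator setAttributes: ResourceResolver stored as request attribute: user=anonymous
"""
ANON_DISABLED = """\
17.05.2011 14:09:30.572 *DEBUG* [127.0.0.1 [1305634170570] GET /content/a.xml HTTP/1.1] org.apache.sling.auth.core.impl.SlingAuthenticator setAttributes: ResourceResolver stored as request attribute: user=admin
17.05.2011 14:09:30.583 *INFO* [127.0.0.1 [1305634170582] GET /content/a.xml/ HTTP/1.1] org.apache.sling.auth.core.impl.SlingAuthenticator getAnonymousSession: Anonymous access not allowed by configuration - requesting credentials
17.05.2011 14:09:30.680 *DEBUG* [127.0.0.1 [1305634170677] GET /content/a.xml/ HTTP/1.1] org.apache.sling.auth.core.impl.SlingAuthenticator setAttributes: ResourceResolver stored as request attribute: user=admin
"""

def resolved_users(log_text):
    """Return (client, start_ms, path, user) for every request the authenticator resolved."""
    out = []
    for line in log_text.splitlines():
        rec = RECORD.match(line)
        user = USER.search(rec["msg"]) if rec else None
        if user:
            out.append((rec["client"], int(rec["start"]), rec["path"], user.group(1)))
    return out

def find_auth_downgrades(log_text, window_ms=1000):
    """Named-user request for P, then an anonymous request for P + '/' from the same client."""
    reqs = resolved_users(log_text)
    return [
        {"client": c, "path": p, "user": u, "gap_ms": s2 - s}
        for c, s, p, u in reqs if u != "anonymous"
        for c2, s2, p2, u2 in reqs
        if c2 == c and p2 == p + "/" and u2 == "anonymous" and 0 <= s2 - s <= window_ms
    ]

if __name__ == "__main__":
    for name, text in (("anonymous allowed", ANON_ALLOWED), ("anonymous disabled", ANON_DISABLED)):
        print(name, find_auth_downgrades(text))
```

With anonymous access disabled the redirected request is challenged and retried as admin, so the second excerpt produces no finding.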