On Tuesday, February 28, 2017 11:50 AM, John Logan <john.lo...@texture.com> wrote:

> On Tuesday, February 28, 2017 6:33 AM, Bertrand Delacretaz
> <bdelacre...@apache.org> wrote:
> [snip]
> > AFAIK it's the AuthUtil.isBrowserRequest method [1] that makes this
> > decision.
> [snip]
>
> I suppose that a minimally invasive approach would be to modify the
> isBrowserRequest() method to detect a custom header that has priority
> over the user agent test. Adding a header to an AJAX request would be
> much cleaner than modifying the User-Agent header in the browser
> navigator object. Is that something that would be best discussed in
> a JIRA request rather than here?
I looked at the SlingAuthenticator class, which is what invokes isBrowserRequest(), and found my answer. The SlingAuthenticator.doLogin() method first calls AuthUtil.isBrowserRequest(), and if the return value is true, then calls AuthUtil.isAjaxRequest(). This method returns true if the following header is present:

    X-Requested-With: XMLHttpRequest

When I perform a curl with a stale cookie and the above header, I get a 403 FORBIDDEN instead of a redirect. This gets me what I need.

One finer point is that I would have expected a 401 UNAUTHORIZED in this case (which is what the form-based authenticator gives with j_validate=true).

Thanks again for your help!

John
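The doLogin() decision John describes, as an added model to exercise offline (illustration only, not Sling's code): the user-agent sniff, the placeholder login path and the "everything else gets 403" simplification are assumptions of this model, not behaviour taken from the thread.

```python
# Added illustration (not SlingAuthenticator's code): a minimal model of the
# doLogin() flow described above, so the effect of X-Requested-With on a
# request with a stale session can be checked without a running Sling.
from dataclasses import dataclass
from typing import Dict, Optional

LOGIN_PAGE = "/system/sling/login"  # ASSUMED placeholder for the login form URL


def _lower_keys(headers: Dict[str, str]) -> Dict[str, str]:
    """HTTP header names are case-insensitive; normalise before lookup."""
    return {k.lower(): v for k, v in headers.items()}


def is_browser_request(headers: Dict[str, str]) -> bool:
    """ASSUMED stand-in for AuthUtil.isBrowserRequest(): a User-Agent sniff."""
    return _lower_keys(headers).get("user-agent", "").startswith("Mozilla/")


def is_ajax_request(headers: Dict[str, str]) -> bool:
    """Mirrors the check John found: X-Requested-With must be XMLHttpRequest."""
    return _lower_keys(headers).get("x-requested-with", "") == "XMLHttpRequest"


@dataclass
class Response:
    status: int
    location: Optional[str] = None


def do_login(headers: Dict[str, str], session_valid: bool) -> Response:
    """Model of doLogin(): a browser that is NOT an AJAX caller is redirected
    to the login page; an AJAX caller with a stale session gets 403 instead.
    Non-browser clients are simplified to 403 here (ASSUMPTION)."""
    if session_valid:
        return Response(200)
    if is_browser_request(headers) and not is_ajax_request(headers):
        return Response(302, LOGIN_PAGE)
    return Response(403)


if __name__ == "__main__":
    # Constructed sample requests, all with a stale (invalid) session.
    browser = {"User-Agent": "Mozilla/5.0", "Cookie": "sling.session=stale"}
    ajax = dict(browser, **{"X-Requested-With": "XMLHttpRequest"})
    print("plain browser:", do_login(browser, False))  # 302 -> login page
    print("AJAX browser :", do_login(ajax, False))     # 403, no redirect
```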