[https://issues.apache.org/jira/browse/SLING-1400?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12914628#action_12914628]
Felix Meschberger commented on SLING-1400:
------------------------------------------
Implemented an alternate solution derived from
http://codereview.appspot.com/2252043 in Rev. 1001056.

The new method isBrowserRequest called from doLogin checks for the presence of
the Accept header. If the header is present, a browser request is assumed. The
reason for only checking for the presence of the header is that some AJAX
requests in fact just send */* for the value of the header, which of course
would fail a check for text/html.

If the request is assumed not to be a browser request and the HTTP
AuthenticationHandler is enabled at least for preemptive operation (or fully
enabled), a 401/UNAUTHORIZED status is returned. If the HTTP Authentication
Handler is disabled, a 403/FORBIDDEN response is returned, assuming simple
authentication is not possible for this non-browser client.
> OPTIONS request on / returns login form if "Allow Anonymous Access" set to
> false
> --------------------------------------------------------------------------------
>
> Key: SLING-1400
> URL: https://issues.apache.org/jira/browse/SLING-1400
> Project: Sling
> Issue Type: Bug
> Components: Authentication
> Reporter: Bertrand Delacretaz
> Priority: Minor
>
> If "Allow Anonymous Access" is true (that's the default default) in
> the org.apache.sling.engine.impl.auth.SlingAuthenticator config, curl -X
> OPTIONS http://localhost:8888/ correctly returns a 401 status.
> If the setting is false, the same request returns 200 and the login form.
> Not sure if that's really a problem, but I thought I'd report it as it caused
> the WebDAV mount on / to become unusable with samples that recommend setting
> that parameter to false. I'll change the samples to use
> sling:authRequestLogin=true instead.
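The decision rule from Felix's comment above (Accept header present means browser, otherwise 401 when the HTTP AuthenticationHandler is enabled or preemptive, 403 when it is disabled), written out as an added illustration; this is not the Sling code from Rev. 1001056. The request is modelled as a plain header map and the handler state as two boolean flags, both assumptions made for the example.

```java
import java.util.Map;
import java.util.TreeMap;

// Added illustration of the isBrowserRequest/doLogin decision; not Sling's own code.
public class LoginDecision {

    // Outcome of doLogin for a request that carried no valid credentials.
    public enum Outcome { LOGIN_FORM, UNAUTHORIZED_401, FORBIDDEN_403 }

    // The comment's rule: any Accept header at all counts as a browser, so AJAX
    // clients that send "Accept: */*" (rather than text/html) still get the form.
    static boolean isBrowserRequest(Map<String, String> headers) {
        return headers.containsKey("Accept");
    }

    // httpAuthEnabled / httpAuthPreemptive model the HTTP AuthenticationHandler being
    // fully enabled or enabled only for preemptive operation (assumed names, not Sling's).
    static Outcome doLogin(Map<String, String> headers,
                           boolean httpAuthEnabled, boolean httpAuthPreemptive) {
        if (isBrowserRequest(headers)) {
            return Outcome.LOGIN_FORM;        // 200 + HTML login form
        }
        if (httpAuthEnabled || httpAuthPreemptive) {
            return Outcome.UNAUTHORIZED_401;  // client can retry with credentials
        }
        return Outcome.FORBIDDEN_403;         // no authentication possible for this client
    }

    // Header names are case-insensitive in HTTP, so use a case-insensitive map.
    static Map<String, String> headers(String... kv) {
        Map<String, String> m = new TreeMap<>(String.CASE_INSENSITIVE_ORDER);
        for (int i = 0; i < kv.length; i += 2) m.put(kv[i], kv[i + 1]);
        return m;
    }

    public static void main(String[] args) {
        // Constructed sample requests (not captured traffic).
        Map<String, String> curlOptions = headers("User-Agent", "curl/7.21.0");  // no Accept header
        Map<String, String> ajax = headers("Accept", "*/*", "X-Requested-With", "XMLHttpRequest");
        Map<String, String> browser = headers("Accept", "text/html,application/xhtml+xml");

        System.out.println("curl, HTTP auth enabled:  " + doLogin(curlOptions, true, false));
        System.out.println("curl, HTTP auth disabled: " + doLogin(curlOptions, false, false));
        System.out.println("ajax with Accept */*:     " + doLogin(ajax, false, false));
        System.out.println("browser with text/html:   " + doLogin(browser, false, false));
    }
}
```

The curl OPTIONS request from the original report is the first case: with no Accept header it no longer receives the login form, but a 401 or 403 depending on the handler configuration.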