Hi Mike,

Thanks for starting the discussion (and please revert the SLING-1817 changes for now as they break our integration tests).

On Tue, Oct 5, 2010 at 10:44 AM, Mike Müller <[email protected]> wrote:
> ...As of the discussion in [1] I like to start a new discussion
> about whether to disable or enable Basic Auth per default.
> The initial reason to disable it was the problems that appeared
> in the Sling Explorer after logging in under /system/console
> with Basic Auth (SLING-1765 [2])...

So my understanding is that's a Sling Explorer problem, what prevents it from being fixed there?

>
> With Basic Auth on we've got several issues in the browsers:
> - Some browsers pass credentials even on parent paths
> where credentials should not be sent....

IIUC forcing login to happen on / would fix that, or not?

> ...With other clients than browsers these issues don't exist....

But disabling basic auth will cause those clients (curl, our integration tests, our docs and examples, Sakai's extensive suite of tests) to fail, so I don't think that's an option.

-Bertrand
