Prevent Login Request loop
--------------------------
Key: SLING-1831
URL: https://issues.apache.org/jira/browse/SLING-1831
Project: Sling
Issue Type: Improvement
Components: Authentication
Affects Versions: Auth Core 1.0.2
Reporter: Felix Meschberger
Assignee: Felix Meschberger
Fix For: Auth Core 1.0.4

Depending on AuthenticationHandler specifics it is conceivable that the Sling
Authenticator support may enter an endless redirect loop with the client.

Consider this:

#1 client provides wrong credentials (e.g. cookie, HTTP Basic authentication header)
#2 authenticator decides to call AuthenticationHandler.requestCredentials
#3 authentication handler sends a redirect to the client
#4 client requests redirect target again providing wrong credentials
#5 authenticator decides to call AuthenticationHandler.requestCredentials
#6 continue with step #3

This loop should be broken in the authenticator: As soon as the authenticator
recognizes a (potential) redirect loop, the authentication handler should not
be called again but instead an immediate error response should be sent back.
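
One way an authenticator could recognize and break the loop in steps #1 to #6, as an added example that is not Sling Auth Core code and not the fix applied for this issue. The marker cookie name, the map-based request/response model, the simplified `Handler` interface and the 403 status are all assumptions made for illustration.

```java
import java.util.HashMap;
import java.util.Map;

/** Added illustration; hypothetical model, not Sling Auth Core code. */
public class LoginLoopGuard {
    // Hypothetical marker cookie the authenticator sets before delegating.
    static final String MARKER = "login-requested";

    /** Minimal stand-in for a handler that always answers with a redirect (step #3). */
    interface Handler { void requestCredentials(Map<String, String> responseCookies); }

    /** Returns the HTTP status sent for a request whose credentials failed validation. */
    static int onFailedCredentials(Map<String, String> requestCookies,
                                   Map<String, String> responseCookies, Handler handler) {
        if (requestCookies.containsKey(MARKER)) {
            // The previous response already asked for credentials and the client
            // came back with bad ones again: break the loop, do not call the handler.
            responseCookies.put(MARKER, null); // null models "expire the cookie"
            return 403; // assumed status for the "immediate error response"
        }
        responseCookies.put(MARKER, "1");
        handler.requestCredentials(responseCookies);
        return 302;
    }

    /** Simulates a client that follows redirects and resends the same wrong credentials. */
    static int requestsUntilError(int maxRequests) {
        Map<String, String> jar = new HashMap<>();
        Handler redirecting = cookies -> { /* would send Location: /login */ };
        for (int n = 1; n <= maxRequests; n++) {
            Map<String, String> response = new HashMap<>();
            int status = onFailedCredentials(jar, response, redirecting);
            // Apply Set-Cookie semantics to the client's cookie jar.
            response.forEach((k, v) -> { if (v == null) jar.remove(k); else jar.put(k, v); });
            if (status != 302) return n;
        }
        return -1; // still looping after maxRequests
    }

    public static void main(String[] args) {
        System.out.println("error response on request #" + requestsUntilError(10));
    }
}
```

The marker is client-held state, so a client that discards cookies is not stopped by it; a real implementation would also need to clear the marker once authentication succeeds.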