StreamRendererServlet ignores authentication on redirect
--------------------------------------------------------

                 Key: SLING-2084
                 URL: https://issues.apache.org/jira/browse/SLING-2084
             Project: Sling
          Issue Type: Bug
          Components: Authentication, Servlets
    Affects Versions: Servlets Get 2.1.2
            Reporter: Antonio Sanso
            Priority: Minor


Use case:

- create an nt:unstructured node, e.g. /content/a.xml
- execute the Java class in the attachment (TestUnstructuredNode.java). Output
from the class ==> status 404

log excerpt 

17.05.2011 14:06:42.391 *DEBUG* [127.0.0.1 [1305634002391] GET /content/a.xml 
HTTP/1.1] org.apache.sling.auth.core.impl.SlingAuthenticator handleSecurity: 
Trying to get a session for admin
17.05.2011 14:06:42.393 *DEBUG* [127.0.0.1 [1305634002391] GET /content/a.xml 
HTTP/1.1] org.apache.sling.auth.core.impl.SlingAuthenticator setAttributes: 
ResourceResolver stored as request attribute: user=admin
17.05.2011 14:06:42.404 *DEBUG* [127.0.0.1 [1305634002404] GET /content/a.xml/ 
HTTP/1.1] org.apache.sling.auth.core.impl.HttpBasicAuthenticationHandler 
forceAuthentication: Not forcing authentication because request parameter 
sling:authRequestLogin is not set
17.05.2011 14:06:42.404 *DEBUG* [127.0.0.1 [1305634002404] GET /content/a.xml/ 
HTTP/1.1] org.apache.sling.auth.core.impl.SlingAuthenticator 
getAuthenticationInfo: no handler could extract credentials
17.05.2011 14:06:42.404 *DEBUG* [127.0.0.1 [1305634002404] GET /content/a.xml/ 
HTTP/1.1] org.apache.sling.auth.core.impl.SlingAuthenticator handleSecurity: No 
credentials in the request, anonymous
17.05.2011 14:06:42.406 *DEBUG* [127.0.0.1 [1305634002404] GET /content/a.xml/ 
HTTP/1.1] org.apache.sling.auth.core.impl.SlingAuthenticator setAttributes: 
ResourceResolver stored as request attribute: user=anonymous

- Disable/Uncheck "Allow Anonymous Access" in the 
org.apache.sling.engine.impl.auth.SlingAuthenticator configuration
- execute the Java class in the attachment. Output from the class ==>

May 17, 2011 2:09:30 PM org.apache.commons.httpclient.auth.AuthChallengeProcessor selectAuthScheme
INFO: basic authentication scheme selected
Status 200

log excerpt 

17.05.2011 14:09:30.570 *DEBUG* [127.0.0.1 [1305634170570] GET /content/a.xml 
HTTP/1.1] org.apache.sling.auth.core.impl.SlingAuthenticator handleSecurity: 
Trying to get a session for admin
17.05.2011 14:09:30.572 *DEBUG* [127.0.0.1 [1305634170570] GET /content/a.xml 
HTTP/1.1] org.apache.sling.auth.core.impl.SlingAuthenticator setAttributes: 
ResourceResolver stored as request attribute: user=admin
17.05.2011 14:09:30.583 *DEBUG* [127.0.0.1 [1305634170582] GET /content/a.xml/ 
HTTP/1.1] org.apache.sling.auth.core.impl.HttpBasicAuthenticationHandler 
forceAuthentication: Not forcing authentication because request parameter 
sling:authRequestLogin is not set
17.05.2011 14:09:30.583 *DEBUG* [127.0.0.1 [1305634170582] GET /content/a.xml/ 
HTTP/1.1] org.apache.sling.auth.core.impl.SlingAuthenticator 
getAuthenticationInfo: no handler could extract credentials
17.05.2011 14:09:30.583 *DEBUG* [127.0.0.1 [1305634170582] GET /content/a.xml/ 
HTTP/1.1] org.apache.sling.auth.core.impl.SlingAuthenticator handleSecurity: No 
credentials in the request, anonymous
17.05.2011 14:09:30.583 *INFO* [127.0.0.1 [1305634170582] GET /content/a.xml/ 
HTTP/1.1] org.apache.sling.auth.core.impl.SlingAuthenticator 
getAnonymousSession: Anonymous access not allowed by configuration - requesting 
credentials
17.05.2011 14:09:30.678 *DEBUG* [127.0.0.1 [1305634170677] GET /content/a.xml/ 
HTTP/1.1] org.apache.sling.auth.core.impl.SlingAuthenticator handleSecurity: 
Trying to get a session for admin
17.05.2011 14:09:30.680 *DEBUG* [127.0.0.1 [1305634170677] GET /content/a.xml/ 
HTTP/1.1] org.apache.sling.auth.core.impl.SlingAuthenticator setAttributes: 
ResourceResolver stored as request attribute: user=admin

The behavior is clearly inconsistent. The nt:unstructured node is rendered by 
the StreamRendererServlet class, which does a redirect (not forcing 
authentication), inducing the second request to use the anonymous user.
Adding the ?sling:authRequestLogin=1 parameter to the StreamRendererServlet 
redirect would solve the issue, but it is not a clean solution (I am looking for 
a better one and I might attach a patch file).



--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
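
A log check for the pattern the two excerpts show, added here as an example (not part of the original report or of Sling): it pairs a request resolved for a named user with its trailing-slash follow-up from the same client and flags the pair when the follow-up resolved as anonymous. The function names and the two-second window are assumptions; the sample lines are taken from the excerpts above, rejoined after e-mail wrapping.

```python
import re
from datetime import datetime, timedelta

# One SlingAuthenticator debug line, after undoing the e-mail line wrapping.
LINE = re.compile(
    r"^(?P<ts>\S+ \S+) \*\w+\* \[(?P<ip>\S+) \[(?P<rid>\d+)\] \w+ (?P<path>\S+) "
    r"HTTP/[\d.]+\] \S+ \w+: (?P<msg>.*)$")
USER = re.compile(r"ResourceResolver stored as request attribute: user=(\S+)")

def resolved_users(log_text):
    """Return [(time, client_ip, path, user)] for each request that got a resolver."""
    out = []
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        u = m and USER.search(m["msg"])
        if u:
            ts = datetime.strptime(m["ts"], "%d.%m.%Y %H:%M:%S.%f")
            out.append((ts, m["ip"], m["path"], u.group(1)))
    return out

def find_downgrades(log_text, window=timedelta(seconds=2)):
    """Flag path -> path + '/' follow-ups that lost the authenticated user.

    window is an assumed upper bound on the time between a request and the
    client's follow-up to the redirect target."""
    reqs = resolved_users(log_text)
    findings = []
    for t1, ip1, path1, user1 in reqs:
        if user1 == "anonymous":
            continue
        for t2, ip2, path2, user2 in reqs:
            if (ip2 == ip1 and path2 == path1 + "/" and user2 == "anonymous"
                    and timedelta(0) <= t2 - t1 <= window):
                findings.append((path1, user1, path2, user2))
    return findings

# Sample input: lines from the first excerpt (anonymous access allowed).
ANON_ALLOWED = """\
17.05.2011 14:06:42.393 *DEBUG* [127.0.0.1 [1305634002391] GET /content/a.xml HTTP/1.1] org.apache.sling.auth.core.impl.SlingAuthenticator setAttributes: ResourceResolver stored as request attribute: user=admin
17.05.2011 14:06:42.404 *DEBUG* [127.0.0.1 [1305634002404] GET /content/a.xml/ HTTP/1.1] org.apache.sling.auth.core.impl.SlingAuthenticator handleSecurity: No credentials in the request, anonymous
17.05.2011 14:06:42.406 *DEBUG* [127.0.0.1 [1305634002404] GET /content/a.xml/ HTTP/1.1] org.apache.sling.auth.core.impl.SlingAuthenticator setAttributes: ResourceResolver stored as request attribute: user=anonymous
"""
# Sample input: lines from the second excerpt (anonymous access disabled).
ANON_DENIED = """\
17.05.2011 14:09:30.572 *DEBUG* [127.0.0.1 [1305634170570] GET /content/a.xml HTTP/1.1] org.apache.sling.auth.core.impl.SlingAuthenticator setAttributes: ResourceResolver stored as request attribute: user=admin
17.05.2011 14:09:30.583 *INFO* [127.0.0.1 [1305634170582] GET /content/a.xml/ HTTP/1.1] org.apache.sling.auth.core.impl.SlingAuthenticator getAnonymousSession: Anonymous access not allowed by configuration - requesting credentials
17.05.2011 14:09:30.680 *DEBUG* [127.0.0.1 [1305634170677] GET /content/a.xml/ HTTP/1.1] org.apache.sling.auth.core.impl.SlingAuthenticator setAttributes: ResourceResolver stored as request attribute: user=admin
"""
```

With anonymous access allowed, the follow-up request is flagged as an admin-to-anonymous downgrade; with it disabled, the challenge and retry leave nothing to flag.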
