[
https://issues.apache.org/jira/browse/SLING-2084?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13071584#comment-13071584
]
Antonio Sanso edited comment on SLING-2084 at 7/27/11 7:43 AM:
---------------------------------------------------------------
Close as invalid. Problem is client related as

curl -u admin:admin http://localhost:4602/content/a.xml

gives back

<html>This page moved to <a href="
/content/a.xml/">here</a></html>

and curl -IL -u admin:admin http://localhost:4602/content/a.xml

HTTP/1.1 302 Moved Temporarily
Connection: Keep-Alive
Server: Day-Servlet-Engine/4.1.12
Content-Type: text/html
Date: Wed, 27 Jul 2011 07:38:22 GMT
Transfer-Encoding: chunked
Location: /content/a.xml/

HTTP/1.1 200 OK
Connection: Keep-Alive
Server: Day-Servlet-Engine/4.1.12
Content-Type: text/html;charset=utf-8
Date: Wed, 27 Jul 2011 07:38:22 GMT
Transfer-Encoding: chunked

The common http client seems to invalidate the authentication right before the redirect

was (Author: asanso):
Close as invalid. Problem is client related as

curl -u admin:admin http://localhost:4602/content/a.xml

gives back

<html>This page moved to <a href="
/content/a.xml/">here</a></html>

and curl -IL -u admin:admin http://localhost:4602/content/a.xml

HTTP/1.1 302 Moved Temporarily
Connection: Keep-Alive
Server: Day-Servlet-Engine/4.1.12
Content-Type: text/html
Date: Wed, 27 Jul 2011 07:38:22 GMT
Transfer-Encoding: chunked
Location: /content/a.xml/

HTTP/1.1 200 OK
Connection: Keep-Alive
Server: Day-Servlet-Engine/4.1.12
Content-Type: text/html;charset=utf-8
Date: Wed, 27 Jul 2011 07:38:22 GMT
Transfer-Encoding: chunked

The common http client seems to invalidate the authentication right before the authentication

> StreamRendererServlet ignores authentication on redirect
> --------------------------------------------------------
>
> Key: SLING-2084
> URL: https://issues.apache.org/jira/browse/SLING-2084
> Project: Sling
> Issue Type: Bug
> Components: Authentication, Servlets
> Affects Versions: Servlets Get 2.1.2
> Reporter: Antonio Sanso
> Priority: Minor
> Attachments: TestUnstructuredNode.java
>
>
> Use case:
> - create a nt:unstructured node e.g. /content/a.xml
> - execute the java class in attachment (TestUnstructuredNode.java). Output
> from the class ==> status 404
> log excerpt
> 17.05.2011 14:06:42.391 *DEBUG* [127.0.0.1 [1305634002391] GET /content/a.xml
> HTTP/1.1] org.apache.sling.auth.core.impl.SlingAuthenticator handleSecurity:
> Trying to get a session for admin
> 17.05.2011 14:06:42.393 *DEBUG* [127.0.0.1 [1305634002391] GET /content/a.xml
> HTTP/1.1] org.apache.sling.auth.core.impl.SlingAuthenticator setAttributes:
> ResourceResolver stored as request attribute: user=admin
> 17.05.2011 14:06:42.404 *DEBUG* [127.0.0.1 [1305634002404] GET
> /content/a.xml/ HTTP/1.1]
> org.apache.sling.auth.core.impl.HttpBasicAuthenticationHandler
> forceAuthentication: Not forcing authentication because request parameter
> sling:authRequestLogin is not set
> 17.05.2011 14:06:42.404 *DEBUG* [127.0.0.1 [1305634002404] GET
> /content/a.xml/ HTTP/1.1] org.apache.sling.auth.core.impl.SlingAuthenticator
> getAuthenticationInfo: no handler could extract credentials
> 17.05.2011 14:06:42.404 *DEBUG* [127.0.0.1 [1305634002404] GET
> /content/a.xml/ HTTP/1.1] org.apache.sling.auth.core.impl.SlingAuthenticator
> handleSecurity: No credentials in the request, anonymous
> 17.05.2011 14:06:42.406 *DEBUG* [127.0.0.1 [1305634002404] GET
> /content/a.xml/ HTTP/1.1] org.apache.sling.auth.core.impl.SlingAuthenticator
> setAttributes: ResourceResolver stored as request attribute: user=anonymous
> - Disable/Uncheck "Allow Anonymous Access" in the
> org.apache.sling.engine.impl.auth.SlingAuthenticator configuration
> - execute the java class in attachment. Output from the class ==> May 17,
> 2011 2:09:30 PM org.apache.commons.httpclient.auth.AuthChallengeProcessor
> selectAuthScheme
> INFO: basic authentication scheme selected
> Status 200
> log excerpt
> 17.05.2011 14:09:30.570 *DEBUG* [127.0.0.1 [1305634170570] GET /content/a.xml
> HTTP/1.1] org.apache.sling.auth.core.impl.SlingAuthenticator handleSecurity:
> Trying to get a session for admin
> 17.05.2011 14:09:30.572 *DEBUG* [127.0.0.1 [1305634170570] GET /content/a.xml
> HTTP/1.1] org.apache.sling.auth.core.impl.SlingAuthenticator setAttributes:
> ResourceResolver stored as request attribute: user=admin
> 17.05.2011 14:09:30.583 *DEBUG* [127.0.0.1 [1305634170582] GET
> /content/a.xml/ HTTP/1.1]
> org.apache.sling.auth.core.impl.HttpBasicAuthenticationHandler
> forceAuthentication: Not forcing authentication because request parameter
> sling:authRequestLogin is not set
> 17.05.2011 14:09:30.583 *DEBUG* [127.0.0.1 [1305634170582] GET
> /content/a.xml/ HTTP/1.1] org.apache.sling.auth.core.impl.SlingAuthenticator
> getAuthenticationInfo: no handler could extract credentials
> 17.05.2011 14:09:30.583 *DEBUG* [127.0.0.1 [1305634170582] GET
> /content/a.xml/ HTTP/1.1] org.apache.sling.auth.core.impl.SlingAuthenticator
> handleSecurity: No credentials in the request, anonymous
> 17.05.2011 14:09:30.583 *INFO* [127.0.0.1 [1305634170582] GET /content/a.xml/
> HTTP/1.1] org.apache.sling.auth.core.impl.SlingAuthenticator
> getAnonymousSession: Anonymous access not allowed by configuration -
> requesting credentials
> 17.05.2011 14:09:30.678 *DEBUG* [127.0.0.1 [1305634170677] GET
> /content/a.xml/ HTTP/1.1] org.apache.sling.auth.core.impl.SlingAuthenticator
> handleSecurity: Trying to get a session for admin
> 17.05.2011 14:09:30.680 *DEBUG* [127.0.0.1 [1305634170677] GET
> /content/a.xml/ HTTP/1.1] org.apache.sling.auth.core.impl.SlingAuthenticator
> setAttributes: ResourceResolver stored as request attribute: user=admin
> The behavior is clearly inconsistent. The nt:unstructured node is rendered
> from the StreamRendererServlet class that does a redirect (not forcing
> authentication) and inducing the second request to use the anonymous user.
> Adding ?sling:authRequestLogin=1 parameter to the StreamRendererServlet
> redirect would solve the issue but it is not a clean solution (I am looking
> for a better one and I might attach a patch file).
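
The identity change across the redirect that the log excerpts above show can be found mechanically in a Sling log. The following is an added example, not code from the issue or from the Sling project: it flags a request that ran as a named user when the follow-up request to the same path plus "/" from the same client ran as anonymous. It assumes log lines have been unwrapped to one per line and that the bracketed request id is a millisecond timestamp; the function names and `window_ms` are hypothetical.

```python
import re

# Unwrapped Sling log line: date time *LEVEL* [client [request-id] METHOD path HTTP/x] logger message
LINE = re.compile(r"^\S+ \S+ \*\w+\* \[(?P<ip>\S+) \[(?P<rid>\d+)\] \S+ (?P<path>\S+) "
                  r"HTTP/[\d.]+\] \S+ (?P<msg>.*)$")
USER = re.compile(r"ResourceResolver stored as request attribute: user=(\S+)")

def resolved_users(lines):
    """Return (request_id, client_ip, path, user) for every request that got a resolver."""
    events = []
    for line in lines:
        m = LINE.match(line.strip())
        u = USER.search(m["msg"]) if m else None
        if u:
            events.append((int(m["rid"]), m["ip"], m["path"], u.group(1)))
    return events

def auth_downgrades(lines, window_ms=1000):
    """Flag /x served as a named user, then the redirect target /x/ served as anonymous."""
    events = resolved_users(lines)
    findings = []
    for i, (rid, ip, path, user) in enumerate(events):
        if user == "anonymous" or path.endswith("/"):
            continue
        for rid2, ip2, path2, user2 in events[i + 1:]:
            if rid2 - rid > window_ms:  # assumption: request id is a millisecond timestamp
                break
            if (ip2, path2, user2) == (ip, path + "/", "anonymous"):
                findings.append({"client": ip, "path": path, "user": user,
                                 "redirect_target": path2, "gap_ms": rid2 - rid})
                break
    return findings

PFX = "org.apache.sling.auth.core.impl.SlingAuthenticator"
ATTR = "setAttributes: ResourceResolver stored as request attribute: user="
# Constructed sample: the issue's two log excerpts, unwrapped and reduced to the relevant lines.
SAMPLE = [
    f"17.05.2011 14:06:42.393 *DEBUG* [127.0.0.1 [1305634002391] GET /content/a.xml HTTP/1.1] {PFX} {ATTR}admin",
    f"17.05.2011 14:06:42.406 *DEBUG* [127.0.0.1 [1305634002404] GET /content/a.xml/ HTTP/1.1] {PFX} {ATTR}anonymous",
    f"17.05.2011 14:09:30.572 *DEBUG* [127.0.0.1 [1305634170570] GET /content/a.xml HTTP/1.1] {PFX} {ATTR}admin",
    f"17.05.2011 14:09:30.583 *INFO* [127.0.0.1 [1305634170582] GET /content/a.xml/ HTTP/1.1] {PFX} "
    "getAnonymousSession: Anonymous access not allowed by configuration - requesting credentials",
    f"17.05.2011 14:09:30.680 *DEBUG* [127.0.0.1 [1305634170677] GET /content/a.xml/ HTTP/1.1] {PFX} {ATTR}admin",
]

if __name__ == "__main__":
    for finding in auth_downgrades(SAMPLE):
        print(finding)
```

Only the first excerpt (anonymous access allowed) produces a finding; with anonymous access disabled the redirected request is challenged and ends up as admin again.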