Hi all,

As stipulated by the Servlet API specification, which says that FORM based authentication should use request URLs ending with /j_security_check with request parameters j_username and j_password, most of the Sling Authentication Handlers involving some form of FORM based authentication (for example the Form Based Authentication Handler or the OpenID Authentication Handler) actually use this form of request URLs.

Likewise, these authentication handlers also generally require the POST request method to be used. Sometimes, though, an Authentication Handler might be misbehaving, or by some other fact of dynamic life a .../j_security_check POST request might not be handled by the authentication system and fall through to some POST servlet, e.g. the Sling POST Servlet. To prevent storing login data in the repository, I implemented a workaround as of SLING-2120 [1]. Yet, it still is a workaround.

So I am contemplating the following change to the SlingAuthenticator.handleSecurity method: If the method would return with true (indicating regular request processing) but the request is a POST to .../j_security_check, then the request should actually fail with a 403.

Advantage: No inadvertent handling of this request in the Sling processing pipeline

Disadvantage: No POST request to any .../j_security_check URL will ever pass through Sling's Authentication mechanism

WDYT?

Regards
Felix

[1] https://issues.apache.org/jira/browse/SLING-2120
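The guard proposed in the message above, written out as an added illustration. This is not Sling's code and not the SLING-2120 workaround; the class and method names (JSecurityCheckGuard, isLoginPost, the handleSecurity wrapper and its handlersSaidContinue parameter) are hypothetical, and the only things taken from the original are the /j_security_check suffix, the POST method, the 403 outcome and the "true means continue regular processing" contract of handleSecurity.

```java
import java.io.IOException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical guard (example code, not part of Apache Sling) showing the
 * proposed behaviour: a POST to a URL ending in /j_security_check that no
 * authentication handler consumed must not reach the regular processing
 * pipeline (e.g. the Sling POST Servlet), because the j_username and
 * j_password parameters would otherwise be treated as ordinary form data
 * and could end up persisted in the repository.
 */
public final class JSecurityCheckGuard {

    /** Suffix mandated by the Servlet API specification for FORM based login requests. */
    static final String LOGIN_SUFFIX = "/j_security_check";

    private JSecurityCheckGuard() {
    }

    /**
     * Pure decision helper: true when the method is POST and the path (without
     * query string) ends in /j_security_check. A trailing slash or any other
     * suffix after j_security_check does not match, mirroring "URLs ending
     * with /j_security_check" in the message.
     */
    static boolean isLoginPost(String method, String path) {
        return "POST".equalsIgnoreCase(method)
                && path != null
                && path.endsWith(LOGIN_SUFFIX);
    }

    /** Same check on a live request; getRequestURI() carries no query string. */
    static boolean isLoginPost(HttpServletRequest request) {
        return isLoginPost(request.getMethod(), request.getRequestURI());
    }

    /**
     * Wraps the result the authentication handlers produced. The parameter
     * handlersSaidContinue is an assumption standing in for the value
     * SlingAuthenticator.handleSecurity would otherwise return: true means
     * "continue regular request processing". When that is the case but the
     * request is an unconsumed login POST, answer 403 and report false so the
     * caller stops processing instead of forwarding the request to a servlet.
     */
    static boolean handleSecurity(boolean handlersSaidContinue,
                                  HttpServletRequest request,
                                  HttpServletResponse response) throws IOException {
        if (handlersSaidContinue && isLoginPost(request)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN,
                    "POST to " + LOGIN_SUFFIX + " was not handled by any authentication handler");
            return false;
        }
        return handlersSaidContinue;
    }

    /** Small self-check of the path/method decision, runnable without a container. */
    public static void main(String[] args) {
        boolean ok = isLoginPost("POST", "/content/site/j_security_check")
                && isLoginPost("post", "/j_security_check")
                && !isLoginPost("GET", "/content/site/j_security_check")
                && !isLoginPost("POST", "/content/site/j_security_check/")
                && !isLoginPost("POST", "/content/site/j_security_checks")
                && !isLoginPost("POST", null);
        System.out.println(ok ? "guard decisions as expected" : "guard decisions WRONG");
    }
}
```

The check is deliberately on the path only: a handler that wants to accept login POSTs still sees the request first, and the guard only bites when every handler declined it, which is exactly the situation in which the Sling POST Servlet would otherwise receive j_username and j_password as content.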
