[ 
https://issues.apache.org/jira/browse/SLING-2266?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Felix Meschberger resolved SLING-2266.
--------------------------------------

    Resolution: Fixed

Implemented in Rev. 1198738

By default requests whose request URI ends with "/j_security_check" are never 
passed through by the SlingAuthenticator.

Authentication handlers are intended to handle such requests either by 
redirecting the client or by failing the request and returning false such that 
the handleSecurity method also returns false.

In case of a missing authentication handler or a misbehaving authentication 
handler such requests may pass through (e.g. by assuming an anonymous request) 
and cause irritations. Here the new functionality will catch such 
false-positives and terminate the request with a 403/FORBIDDEN status.
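A small model of the fail-closed rule described in the comment above, added here as an illustration and not taken from Sling's code: the handler loop, the outcome values and the `Response` type are assumed, simplified stand-ins for the real `AuthenticationHandler`/`handleSecurity` contract.

```python
"""Model of the SLING-2266 rule: a j_security_check request that no handler
terminated must never pass through to the resource (assumed API, not Sling's)."""
from dataclasses import dataclass
from typing import Callable, List, Optional, Union

J_SECURITY_CHECK = "/j_security_check"
TERMINATED = object()  # sentinel: handler redirected or failed the request itself

@dataclass
class Response:
    status: int = 200
    location: Optional[str] = None  # set when a handler redirects the client

# Handler outcome (hypothetical model): TERMINATED, a user name the handler
# extracted or assumed, or None when the handler is not responsible.
Handler = Callable[[str, Response], Union[object, str, None]]

def handle_security(request_uri: str, handlers: List[Handler], response: Response) -> bool:
    """Return True if the request may proceed, False if it was terminated.

    request_uri is the servlet request URI (path only, no query string).
    """
    user = None
    for handler in handlers:
        outcome = handler(request_uri, response)
        if outcome is TERMINATED:
            return False  # handler already redirected or failed the request
        if outcome is not None:
            user = outcome
            break
    if user is None:
        user = "anonymous"  # no handler felt responsible
    # Fail closed: a missing or lenient handler must not let a
    # j_security_check request through as a normal (e.g. anonymous) request.
    if request_uri.endswith(J_SECURITY_CHECK):
        response.status = 403
        return False
    response.status = 200
    return True

def form_login_handler(request_uri: str, response: Response):
    """Well-behaved handler: terminates j_security_check with a redirect."""
    if request_uri.endswith(J_SECURITY_CHECK):
        response.status, response.location = 302, "/"
        return TERMINATED
    return None

def lenient_handler(request_uri: str, response: Response):
    """Misbehaving handler: treats every request as anonymous."""
    return "anonymous"
```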
                
> Don't pass requests intended to be handled and terminated by Authentication 
> Handlers
> ------------------------------------------------------------------------------------
>
>                 Key: SLING-2266
>                 URL: https://issues.apache.org/jira/browse/SLING-2266
>             Project: Sling
>          Issue Type: Improvement
>          Components: Authentication
>    Affects Versions: Auth Core 1.0.6
>            Reporter: Felix Meschberger
>            Assignee: Felix Meschberger
>             Fix For: Auth Core 1.0.8
>
>
> As discussed on the mailing list [1] the Sling Authenticator should not pass 
> requests which are intended to be handled by Authentication Handlers and then 
> terminated (either by an error or by redirecting the client).
> [1] http://markmail.org/message/ggsxgaigluwktjyv

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: 
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira