It seems pretty clear that we need to allow anonymous access to the DavEx servlet even if anonymous access is prohibited in the Authenticator configuration. Created https://issues.apache.org/jira/browse/SLING-2274 for that.

Justin

On Tue, Nov 8, 2011 at 1:51 PM, Tobias Bocanegra <[email protected]> wrote:
> hi,
> it actually depends on the missing-auth-mapping, in the jackrabbit web app it
> worked like this:
>
> missing-auth-mapping = "" [which is different from param missing]
>
> 1) user with full read access
> ------------------------------------------------------------------------
>
> GET http://localhost:8080/crx/server
>
> -> 200 : list of child resources (workspace resources)
>
> GET http://localhost:8080/crx/server/crx.default
>
> -> 200 : list of child resources (root node)
>
> GET http://localhost:8080/crx/server/crx.default/jcr:root
>
> -> 200 : serialization of root node
>
>
> 2) unauthenticated (where everyone has no read permission on /)
> ------------------------------------------------------------------------
>
> GET http://localhost:8080/crx/server
>
> -> 200 : list of child resources (workspace resources)
>
> GET http://localhost:8080/crx/server/crx.default
>
> -> 200 : list of child resources (empty in this case)
>
> GET http://localhost:8080/crx/server/crx.default/jcr:root
>
> -> 404 : due to the fact that anonymous/unauthenticated user
>          has no read permission and with the missing-auth-config
>          specified above preemptive auth is expected.
>
> regards, toby
>
> On Nov 8, 2011, at 22:30 , Felix Meschberger wrote:
>
>> Hi,
>>
>> If I read the code correctly, it looks like out of the box the
>> JackrabbitWebdavServerServlet does HTTP Basic authentication provided the
>> client provides it but a 401/UNAUTHORIZED response is never sent. Thus
>> authentication seems to be assumed "preemptive".
>>
>> I think this case rolling back the SLING-2167 changes and thus not using the
>> Sling authenticator might be an ok solution.
>>
>> WDYT ?
>>
>> Regards
>> Felix
>>
>> On 08.11.2011 at 20:39, Carsten Ziegeler (Reopened) (JIRA) wrote:
>>
>>> [ https://issues.apache.org/jira/browse/SLING-2167?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
>>>
>>> Carsten Ziegeler reopened SLING-2167:
>>> -------------------------------------
>>>
>>> No I don't agree - davex might be used by applications running in the
>>> browser.
>>> In these cases the auth must be shared between the application which is
>>> provided by html and davex
>>>
>>>> Use Sling Authenticator
>>>> -----------------------
>>>>
>>>> Key: SLING-2167
>>>> URL: https://issues.apache.org/jira/browse/SLING-2167
>>>> Project: Sling
>>>> Issue Type: Improvement
>>>> Components: JCR
>>>> Affects Versions: JCR DavEx 1.0.0
>>>> Reporter: Carsten Ziegeler
>>>> Assignee: Carsten Ziegeler
>>>> Fix For: JCR DavEx 1.1.0
>>>>
>>>>
>>>> The davex support should use the SlingAuthenticator for better integration
>>>> into the Sling authentication
