On Nov 9, 2011, at 00:59 , Justin Edelson wrote:
> It seems pretty clear that we need to allow anonymous access to the
> DavEx servlet even if anonymous access is prohibited in the
> Authenticator configuration. Created
> https://issues.apache.org/jira/browse/SLING-2274 for that.

thanks.
i would even go so far and not use the sling authenticator at all, and just use the webdav servlet as is.

regards, toby

>
> Justin
>
> On Tue, Nov 8, 2011 at 1:51 PM, Tobias Bocanegra <[email protected]> wrote:
>> hi,
>> it actually depends on the missing-auth-mapping, in the jackrabbit web app
>> it worked like this:
>>
>> missing-auth-mapping = "" [which is different from param missing]
>>
>> 1) user with full read access
>> ------------------------------------------------------------------------
>>
>> GET
>> http://localhost:8080/crx/server
>>
>> -> 200 : list of child resources (workspace resources)
>>
>> GET
>> http://localhost:8080/crx/server/crx.default
>>
>> -> 200 : list of child resources (root node)
>>
>> GET
>> http://localhost:8080/crx/server/crx.default/jcr:root
>>
>> -> 200 : serialization of root node
>>
>>
>> 2) unauthenticated (where everyone has no read permission on /)
>> ------------------------------------------------------------------------
>>
>> GET
>> http://localhost:8080/crx/server
>>
>> -> 200 : list of child resources (workspace resources)
>>
>> GET
>> http://localhost:8080/crx/server/crx.default
>>
>> -> 200 : list of child resources (empty in this case)
>>
>> GET
>> http://localhost:8080/crx/server/crx.default/jcr:root
>>
>> -> 404 : due to the fact that anonymous/unauthenticated user
>> has no read permission and with the missing-auth-config
>> specified above preemptive auth is expected.
>>
>> regards, toby
>>
>> On Nov 8, 2011, at 22:30 , Felix Meschberger wrote:
>>
>>> Hi,
>>>
>>> If I read the code correctly, it looks like out of the box the
>>> JackrabbitWebdavServerServlet does HTTP Basic authentication provided the
>>> client provides it but a 401/UNAUTHORIZED response is never sent. Thus
>>> authentication seems to be assumed "preemptive".
>>>
>>> I think this case rolling back the SLING-2167 changes and thus not using
>>> the Sling authenticator might be an ok solution.
>>>
>>> WDYT ?
>>>
>>> Regards
>>> Felix
>>>
>>> On 08.11.2011 at 20:39, Carsten Ziegeler (Reopened) (JIRA) wrote:
>>>
>>>>
>>>> [
>>>> https://issues.apache.org/jira/browse/SLING-2167?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
>>>> ]
>>>>
>>>> Carsten Ziegeler reopened SLING-2167:
>>>> -------------------------------------
>>>>
>>>>
>>>> No I don't agree - davex might be used by applications running in the
>>>> browser.
>>>> In these cases the auth must be shared between the application which is
>>>> provided by html and davex
>>>>
>>>>> Use Sling Authenticator
>>>>> -----------------------
>>>>>
>>>>> Key: SLING-2167
>>>>> URL: https://issues.apache.org/jira/browse/SLING-2167
>>>>> Project: Sling
>>>>> Issue Type: Improvement
>>>>> Components: JCR
>>>>> Affects Versions: JCR DavEx 1.0.0
>>>>> Reporter: Carsten Ziegeler
>>>>> Assignee: Carsten Ziegeler
>>>>> Fix For: JCR DavEx 1.1.0
>>>>>
>>>>>
>>>>> The davex support should use the SlingAuthenticator for better
>>>>> integration into the Sling authentication
>>>>
>>>> --
>>>> This message is automatically generated by JIRA.
>>>> If you think it was sent incorrectly, please contact your JIRA
>>>> administrators:
>>>> https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
>>>> For more information on JIRA, see: http://www.atlassian.com/software/jira
