[ 
https://issues.apache.org/jira/browse/SLING-2074?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13580408#comment-13580408
 ] 

Ian Boston commented on SLING-2074:
-----------------------------------

curl commands to reproduce
curl -Fjcr:mixinTypes=sling:VanityPath -Fsling:vanityPath=/mypathA -Fsling:vanityPath=/mypathB -Fsling:redirect=true http://admin:admin@localhost:8080/secret/test

Test both anon and admin on both paths is ok
curl -v http://admin:admin@localhost:8080/mypathA
curl -v http://admin:admin@localhost:8080/mypathB
curl -v http://localhost:8080/mypathA
curl -v http://localhost:8080/mypathA

All result in a 302 redirect

Make /secret/test private to admin
curl -FprincipalId=anonymous -Fprivilege@jcr:read=denied http://admin:admin@localhost:8080/secret/test.modifyAce.html
curl -FprincipalId=everyone -Fprivilege@jcr:read=denied http://admin:admin@localhost:8080/secret/test.modifyAce.html

verify
curl -v http://localhost:8080/secret/test
gives a 404


Redirects to http://localhost:8080/secret/test.html

curl -v http://localhost:8080/mypathA
curl -v http://localhost:8080/mypathA
Redirects to http://localhost:8080/secret/test.html

Change to internal redirect
curl -Fsling:redirect=false http://admin:admin@localhost:8080/secret/test

test
Test both anon and admin on both paths is ok
curl -v http://admin:admin@localhost:8080/mypathA
curl -v http://admin:admin@localhost:8080/mypathB
Content returned


curl -v http://localhost:8080/mypathA
curl -v http://localhost:8080/mypathA
404 returned


AFAICT this is all working as expected at r1446551

The redirect loop you are seeing might have been caused by something cached in 
the browser since Sling doesn't return a redirect on /secret/test or a redirect 
on /test to /test.html infinitely.

                
> Defining vanity path to target where user has no read permissions leads to 
> redirect-loop
> ----------------------------------------------------------------------------------------
>
>                 Key: SLING-2074
>                 URL: https://issues.apache.org/jira/browse/SLING-2074
>             Project: Sling
>          Issue Type: Bug
>            Reporter: Tobias Bocanegra
>
> 1. create a resource the anonymous user has no read access. e.g. /secrect/test
> 2. define a vanity url: path="/test" redirect="true"
> 3. request "/test" as admin -> redirect works
> 4. request "/test" as anonymous -> redirects to /test.html -> redirects to 
> /test.html
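
An added example, not part of the comment above or of Sling itself: a small Python check that walks the redirect chain for a vanity path without following redirects automatically and reports a loop like the one in the issue description. The REPORTED and OBSERVED tables are constructed sample responses for an anonymous client, and the 404 for /secret/test.html is an assumption based on the 404 shown for /secret/test.

```python
import http.client
from urllib.parse import urlsplit

REDIRECTS = {301, 302, 303, 307, 308}

def http_fetch(base):
    """Return fetch(path) -> (status, Location) for a live instance; redirects are not followed."""
    host = urlsplit(base)
    def fetch(path):
        conn = http.client.HTTPConnection(host.hostname, host.port or 80, timeout=5)
        try:
            conn.request("GET", path)
            resp = conn.getresponse()
            resp.read()
            return resp.status, resp.getheader("Location")
        finally:
            conn.close()
    return fetch

def follow(fetch, path, limit=10):
    """Walk the redirect chain from path; return (chain, verdict).

    verdict is "loop" if a Location points back at a path already requested,
    "too-long" once `limit` requests were made, otherwise the final status code."""
    chain, seen = [], set()
    while len(chain) < limit:
        status, location = fetch(path)
        chain.append((path, status))
        seen.add(path)
        if status not in REDIRECTS or not location:
            return chain, status
        path = urlsplit(location).path
        if path in seen:
            return chain, "loop"
    return chain, "too-long"

# Constructed responses for an anonymous client (sample data, not captured traffic).
REPORTED = {"/test": (302, "/test.html"), "/test.html": (302, "/test.html")}
OBSERVED = {"/mypathA": (302, "http://localhost:8080/secret/test.html"),
            "/secret/test.html": (404, None)}  # assumed: 404, like /secret/test

def table_fetch(table):
    """Serve canned (status, Location) pairs; unknown paths answer 404."""
    return lambda path: table.get(path, (404, None))

if __name__ == "__main__":
    print(follow(table_fetch(REPORTED), "/test"))
    print(follow(table_fetch(OBSERVED), "/mypathA"))
    # Against a live instance: follow(http_fetch("http://localhost:8080"), "/mypathA")
```

Using http_fetch instead of a browser takes any cached redirect out of the picture when checking for the loop.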
