Lars Krapf created SLING-4701:
---------------------------------
Summary: SlingAuthenticator.isAnonAllowed matches for all paths starting with the same characters
Key: SLING-4701
URL: https://issues.apache.org/jira/browse/SLING-4701
Project: Sling
Issue Type: Bug
Components: Authentication
Affects Versions: Auth Core 1.3.6
Reporter: Lars Krapf
The SlingAuthenticator check for whether anonymous access is allowed compares paths with
String.startsWith. If the holder.path does not end with a '/', it will
erroneously match a different path that starts with the same characters, even
if it is not a descendant of the first path.
Example:
- Allow anonymous access on '/'
- Deny anonymous access on a path '/blubb'
-> Authentication is enforced on a request to '/blubb-blah' - which is wrong.
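To make the defect concrete, here is an added example (written for this issue, not Sling's own SlingAuthenticator code) that puts the plain String.startsWith comparison beside a descendant check that respects the '/' boundary; the rule set, the method names isDescendantNaive, isDescendant and anonAllowed, and the request paths are constructed for illustration:

```java
import java.util.LinkedHashMap;
import java.util.Map;

/** Example for SLING-4701 (not Sling's code): prefix test versus a real path check. */
public class AnonPathMatch {

    // Buggy variant from the report: "/blubb-blah".startsWith("/blubb") is true.
    static boolean isDescendantNaive(String requestPath, String holderPath) {
        return requestPath.startsWith(holderPath);
    }

    // Corrected variant: the same path, or a child reached through a '/' boundary.
    static boolean isDescendant(String requestPath, String holderPath) {
        if (requestPath.equals(holderPath)) {
            return true;
        }
        // Normalise so "/" and "/blubb" both end with exactly one '/' before comparing.
        String prefix = holderPath.endsWith("/") ? holderPath : holderPath + "/";
        return requestPath.startsWith(prefix);
    }

    // Constructed rule set mirroring the report: allow on "/", deny on "/blubb".
    // The most specific (longest) matching holder path decides the outcome.
    static boolean anonAllowed(String requestPath, Map<String, Boolean> rules, boolean naive) {
        String best = null;
        boolean allowed = false;
        for (Map.Entry<String, Boolean> rule : rules.entrySet()) {
            String holderPath = rule.getKey();
            boolean matches = naive ? isDescendantNaive(requestPath, holderPath)
                                    : isDescendant(requestPath, holderPath);
            if (matches && (best == null || holderPath.length() > best.length())) {
                best = holderPath;
                allowed = rule.getValue();
            }
        }
        return allowed;
    }

    public static void main(String[] args) {
        Map<String, Boolean> rules = new LinkedHashMap<>();
        rules.put("/", Boolean.TRUE);
        rules.put("/blubb", Boolean.FALSE);
        String[] paths = {"/blubb", "/blubb/child", "/blubb-blah"};
        for (String p : paths) {
            System.out.printf("%-14s naive=%-5b fixed=%b%n", p,
                    anonAllowed(p, rules, true), anonAllowed(p, rules, false));
        }
    }
}
```

With the naive check, '/blubb-blah' is treated as a child of '/blubb' and anonymous access is denied; with the boundary-aware check only '/blubb' and '/blubb/child' fall under the deny rule.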