[ 
https://issues.apache.org/jira/browse/SLING-4785?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14577058#comment-14577058
 ] 

Antonio Sanso commented on SLING-4785:
--------------------------------------

proposed patch

{code}
Index: src/main/java/org/apache/sling/auth/core/impl/SlingAuthenticator.java
===================================================================
--- src/main/java/org/apache/sling/auth/core/impl/SlingAuthenticator.java       
(revision 1658921)
+++ src/main/java/org/apache/sling/auth/core/impl/SlingAuthenticator.java       
(working copy)
@@ -817,8 +817,13 @@
 
             // now find a way to get credentials unless the feedback handler
             // has committed a response to the client already
-            if (!response.isCommitted()) {
-                handleLoginFailure(request, response, authInfo.getUser(), re);
+            if (!response.isCommitted()) {       
+                if (!getAnonymousResolver(request, response, new 
AuthenticationInfo(null))) {
+                    authInfo.setAuthType(null);
+                    handleLoginFailure(request, response, authInfo.getUser(), 
re);
+                } else {
+                    return true;
+                }
             }
 
         }
{code}
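Review bot: The new else branch at `return true;` reports success for a request whose credentials have just failed, and it skips handleLoginFailure entirely, so nothing visible in this hunk signals that the expired token should be dropped. Please confirm that the stale cookie is cleared somewhere on this path; if it is not, later requests will presumably carry it again and go through the same failed login before falling back to anonymous. Two smaller points: `authInfo.setAuthType(null);` needs a comment explaining why the auth type is reset before handleLoginFailure is called, and the re-added `if (!response.isCommitted()) {` line differs from the removed one only by trailing whitespace, which should be dropped so the diff shows only the real change. The existing comment above the block ("now find a way to get credentials") no longer describes the anonymous fallback and should be updated with it.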

> sling.auth.requirements is ignored on expired credentials
> ---------------------------------------------------------
>
>                 Key: SLING-4785
>                 URL: https://issues.apache.org/jira/browse/SLING-4785
>             Project: Sling
>          Issue Type: Bug
>          Components: Authentication
>            Reporter: Antonio Sanso
>            Assignee: Antonio Sanso
>
> Let's assume the following scenario:
> A Sling application has a sling.auth.requirements that contains 
> {{-/content/noauthenticationrequired.html}}
> A user obtained valid Sling credentials that last 1 hour. The credentials 
> are e.g. a token stored in the cookie.
> If the user tries to hit 
> {{localhost:8080/content/noauthenticationrequired.html}} with the expired 
> credentials (e.g. 2 hours after the authentication) the login page is shown.
> Expected behavior is instead that the resource 
> {{/content/noauthenticationrequired.html}} should be displayed.
> Patch to follow


