Konrad Windszus created SLING-5016:
--------------------------------------

             Summary: SlingWebConsoleSecurityProvider2 does not work if ResourceResolver cannot be adapted to Session
                 Key: SLING-5016
                 URL: https://issues.apache.org/jira/browse/SLING-5016
             Project: Sling
          Issue Type: Bug
          Components: Extensions
    Affects Versions: Web Console Security Provider 1.1.6
            Reporter: Konrad Windszus


After the deployment of several configurations (affecting for example the JCR 
Resource Resolver Factory) we ran into the issue that the 
{{SlingWebConsoleSecurityProvider2}} is active but it always returned a 401. 
The corresponding log from the {{SlingAuthenticator}} for this failed 
authentication to the web console looks like this:
{code}
11.09.2015 09:52:14.371 *DEBUG* [qtp851550369-82] org.apache.sling.auth.core.impl.SlingAuthenticator doHandleSecurity: Trying to get a session for admin
11.09.2015 09:52:14.372 *DEBUG* [qtp851550369-82] org.apache.sling.auth.core.impl.SlingAuthenticator setAttributes: ResourceResolver stored as request attribute: user=admin
11.09.2015 09:52:14.372 *DEBUG* [qtp851550369-82] org.apache.sling.auth.core.impl.SlingAuthenticator login: requesting authentication using handler: com.adobe.cq.creativecloud.cloudims.impl.auth.CloudIMSAuthenticationHandler@47a78ad3
11.09.2015 09:52:14.372 *DEBUG* [qtp851550369-82] org.apache.sling.auth.core.impl.SlingAuthenticator login: requesting authentication using handler: com.day.cq.auth.impl.LoginSelectorHandler@76a68a34
11.09.2015 09:52:14.372 *DEBUG* [qtp851550369-82] org.apache.sling.auth.core.impl.SlingAuthenticator login: requesting authentication using handler: com.adobe.granite.auth.cert.impl.ClientCertAuthHandler@7fad0b6d
11.09.2015 09:52:14.372 *DEBUG* [qtp851550369-82] org.apache.sling.auth.core.impl.SlingAuthenticator login: requesting authentication using handler: Token Authentication Handler
11.09.2015 09:52:14.372 *DEBUG* [qtp851550369-82] org.apache.sling.auth.core.impl.SlingAuthenticator login: requesting authentication using handler: com.adobe.cq.dam.s7imaging.impl.auth.MemoryTokenAuthHandler@4bdc6939
11.09.2015 09:52:14.878 *DEBUG* [qtp851550369-81] org.apache.sling.auth.core.impl.SlingAuthenticator doHandleSecurity: Trying to get a session for admin
{code}

From these logs and from looking at the sources I assume the following happens 
here:

# {{SlingWebConsoleSecurityProvider2.authenticate}} calls {{Authenticator.handleSecurity}} (which returns true)
# {{SlingWebConsoleSecurityProvider2.authenticate}} tries to adapt resource resolver to session -> this fails and therefore {{Authenticator.login}} is called

IMHO the SlingWebConsoleSecurityProvider2 should only be registered if the 
adaptation from resource resolver to session works. I am not sure under which 
circumstances this may fail, but if this fails the whole security provider 
should be inactive!



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
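
Added example, not part of the original report and not Sling's own code: a Python sketch that scans a SlingAuthenticator DEBUG log for the sequence described above, where a request thread stores a ResourceResolver for a user and still falls through to `login`. The function names and the second sample user are constructed for illustration; the log format is the one quoted in the report, and mail-wrapped entries are rejoined before parsing.

```python
import re

# Constructed sample in the format of the log quoted in the report.
SAMPLE_LOG = """\
11.09.2015 09:52:14.371 *DEBUG* [qtp851550369-82] org.apache.sling.auth.core.impl.SlingAuthenticator doHandleSecurity: Trying to get a session for admin
11.09.2015 09:52:14.372 *DEBUG* [qtp851550369-82] org.apache.sling.auth.core.impl.SlingAuthenticator setAttributes: ResourceResolver stored as request attribute: user=admin
11.09.2015 09:52:14.372 *DEBUG* [qtp851550369-82] org.apache.sling.auth.core.impl.SlingAuthenticator login: requesting authentication using handler: Token Authentication Handler
11.09.2015 09:52:15.100 *DEBUG* [qtp851550369-90] org.apache.sling.auth.core.impl.SlingAuthenticator doHandleSecurity: Trying to get a session for author
11.09.2015 09:52:15.101 *DEBUG* [qtp851550369-90] org.apache.sling.auth.core.impl.SlingAuthenticator setAttributes: ResourceResolver stored as request attribute: user=author
"""

ENTRY = re.compile(
    r"^(?P<ts>\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) \*(?P<level>\w+)\* "
    r"\[(?P<thread>[^\]]+)\]\s+(?P<logger>\S+)\s+(?P<method>\w+): (?P<msg>.*)$")

def unwrap(text):
    """Rejoin entries wrapped by a mail client; a new entry starts with a timestamp."""
    entries = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if re.match(r"\d{2}\.\d{2}\.\d{4} ", line) or not entries:
            entries.append(line)
        else:
            entries[-1] += " " + line
    return entries

def find_forced_logins(text):
    """One finding per request where login() follows a stored ResourceResolver."""
    current = {}   # thread -> finding for the request currently on that thread
    findings = []
    for entry in unwrap(text):
        m = ENTRY.match(entry)
        if not m or not m["logger"].endswith("SlingAuthenticator"):
            continue
        thread, method, msg = m["thread"], m["method"], m["msg"]
        if method == "doHandleSecurity":
            current.pop(thread, None)          # a new request starts on this thread
        elif method == "setAttributes" and "user=" in msg:
            current[thread] = {"thread": thread, "since": m["ts"], "handlers": [],
                               "user": msg.rsplit("user=", 1)[1]}
        elif method == "login" and thread in current:
            finding = current[thread]
            if not finding["handlers"]:        # report each request once
                findings.append(finding)
            finding["handlers"].append(msg.split("handler: ", 1)[-1])
    return findings

if __name__ == "__main__":
    print(find_forced_logins(SAMPLE_LOG))
```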
