[
https://issues.apache.org/jira/browse/SLING-6053?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15490193#comment-15490193
]
Konrad Windszus commented on SLING-6053:
----------------------------------------
I am not sure this is the correct patch. You also have to take into account
selectors and extensions. As I have said in
https://issues.apache.org/jira/browse/SLING-4701?focusedCommentId=14987147&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-14987147
any changes here would be backwards incompatible. Please check the
documentation in
https://sling.apache.org/documentation/the-sling-engine/authentication/authentication-framework.html#anonymous-login
about the format. It now explicitly says:
bq. The requests path (HttpServletRequest.getServletPath() +
HttpServletRequest.getPathInfo()) is afterwards matched against the given
paths. It matches if it starts with one of the given paths.
Your patch would modify that logic. I am not 100% sure the old way really is
the best approach, or which cases are more common. But in fact we only compare
against request paths, and startsWith matching makes sense if you want to
consider all the different selectors. If we apply your patch, the
documentation will for sure need to be updated as well, because it will no
longer have {{startsWith}} semantics.
> SlingAuthenticator identifies wrong sibling node with AuthenticationInfo
> ------------------------------------------------------------------------
>
> Key: SLING-6053
> URL: https://issues.apache.org/jira/browse/SLING-6053
> Project: Sling
> Issue Type: Bug
> Components: Authentication
> Affects Versions: Auth Core 1.3.18
> Reporter: Miklos Csere
>
> Issue can be reproduced with the following steps:
> Create node "/page"
> Create sibling node "/page1"
> Define a protection handler for node: "/page"
> Expected:
> "/page" has AuthenticationInfo
> "/page1" does not have AuthenticationInfo (has anonymous)
>
> Actual: "/page" & "/page1" both have AuthenticationInfo
>
> Reason: SlingAuthenticator.java line 726: if (path.startsWith(holder.path))
> Warning: The same check is used in 4 more places in code with similar
> behaviour.
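The trade-off discussed in this message, shown as an added example (not Sling's code and not the patch under review): plain startsWith matching next to a hypothetical boundary-aware comparison that still accepts children, selectors and extensions of the configured path. The class and method names and the request paths are constructed for illustration; only "/page" and "/page1" come from the issue description.

```java
public class PathPrefixMatchDemo {

    // Plain prefix semantics, as in the check quoted in the issue description.
    static boolean startsWithMatch(String requestPath, String configuredPath) {
        return requestPath.startsWith(configuredPath);
    }

    // Hypothetical alternative (an assumption, not the submitted patch): the
    // configured path must end at a path boundary in the request path, so that
    // children ('/') and selectors/extensions ('.') match but siblings do not.
    static boolean boundaryMatch(String requestPath, String configuredPath) {
        if (!requestPath.startsWith(configuredPath)) {
            return false;
        }
        if (requestPath.length() == configuredPath.length()
                || configuredPath.endsWith("/")) {
            return true; // exact match, or the configured path already ends at a boundary
        }
        char next = requestPath.charAt(configuredPath.length());
        return next == '/' || next == '.';
    }

    public static void main(String[] args) {
        String configured = "/page"; // protected path from the issue description
        // Constructed request paths (servlet path + path info).
        String[] requests = {
            "/page", "/page.html", "/page.print.html",
            "/page/child", "/page1", "/page1.html"
        };
        System.out.printf("%-18s %-12s %s%n", "request path", "startsWith", "boundary");
        for (String p : requests) {
            System.out.printf("%-18s %-12b %b%n",
                    p, startsWithMatch(p, configured), boundaryMatch(p, configured));
        }
    }
}
```

A configuration that relied on partial-segment prefixes (a constructed case: "/pag" meant to cover "/page") stops matching under the boundary-aware form, which is the backwards-compatibility concern raised in the comment.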