Hi, For the SLING-5135 I had to remove the code marked with "THIS IS NOW REMOVED" below, in CommonResourceResolverFactoryImpl, is that ok with whoever wrote that code (Carsten as per the history)?
if ( passedAuthenticationInfo != null ) { authenticationInfo.putAll(passedAuthenticationInfo); // make sure there is no leaking of service bundle and info props authenticationInfo.remove(ResourceProvider.AUTH_SERVICE_BUNDLE); // THIS IS NOW REMOVED authenticationInfo.remove(SUBSERVICE); } It's needed to pass the calling bundle down to JcrProviderStateFactory which calls loginAdministrative and needs to check the whitelisting of that bundle first. Details at https://github.com/bdelacretaz/sling/commit/fe8f9559bda6ba5a05c01bba6a85e640fb8ac143 - that's not committed yet, just in my private branch so far. -Bertrand