hi Lars, thanks a lot for your mail.
FWIW this was already discussed in https://issues.apache.org/jira/browse/SLING-6394

regards
antonio

On Sep 21, 2017, at 10:39 AM, Lars Krapf <[email protected]> wrote:

> Hello list
>
> IIUC the Sling Authenticator chooses an authentication handler based on
> the request path, and *not* on the mapped path.
>
> So (please correct me if I'm wrong), it seems not possible to have two
> different internalRedirects from domain-names to sub-paths, which are
> covered by two different authentication handlers.
>
> E.g.
>
> + /etc/map/http/bla.4502
>   - sling:internalRedirect = /content/bla
> + /etc/map/http/fasel.4502
>   - sling:internalRedirect = /content/fasel
>
> with two different authentication handlers, one registered for
> /content/bla and one for /content/fasel is *not* possible, correct?
>
> Now, two questions
>
> a) what is the reasoning behind having the authenticator select handlers
> *before* the mapping
> b) is it possible to make this work somehow?
>
> Also, to me, this slightly smells of a privilege escalation.
> Say I have write access to /etc/map, I will be able to change
> authentication handlers for an arbitrary sub-path, potentially disabling
> authentication altogether (by mapping a path without authentication
> requirements to the target path). Of course, in most cases this will not
> achieve anything, because you still won't have access to the resources,
> but it does seem a little "shady" at least. No?
>
>
> Thanks for your thoughts
> Lars
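The following is an added toy model of the behaviour Lars describes, not Sling code and not part of the thread: it reconstructs longest-prefix handler selection and host-based internalRedirect mapping as plain dictionaries so the two orderings from question (a) can be compared side by side. The host names and target paths are the ones from the mail; the handler names, the default "/" handler and the extra "open.4502" mapping (which models the "map a path without authentication requirements to the target path" scenario) are constructed for the example.

```python
"""Toy model of path-based authentication-handler selection.

This is an illustration written for the thread above, NOT Apache Sling's
implementation. It assumes two simplified rules that the mail describes:
  * the handler whose registered path is the longest prefix of the
    consulted path wins;
  * the "current" behaviour consults the raw request path, whereas the
    alternative from question (b) would consult the mapped path.
"""

# Constructed sample data: host-based mappings like the /etc/map entries in
# the mail (bla.4502 and fasel.4502), plus a constructed "open.4502" entry
# that points a host with no dedicated handler at the /content/bla tree.
INTERNAL_REDIRECTS = {
    "bla.4502": "/content/bla",
    "fasel.4502": "/content/fasel",
    "open.4502": "/content/bla",  # constructed: models the concern in the mail
}

# Registered handlers, path prefix -> handler name (names are invented).
HANDLERS = {
    "/": "default-handler",
    "/content/bla": "bla-handler",
    "/content/fasel": "fasel-handler",
}


def map_path(host: str, request_path: str) -> str:
    """Apply the sling:internalRedirect registered for `host`, if any.

    "/" on a mapped host resolves to the target itself; any other request
    path is appended below the target.
    """
    target = INTERNAL_REDIRECTS.get(host)
    if target is None:
        return request_path
    if request_path == "/":
        return target
    return target.rstrip("/") + request_path


def select_handler(path: str) -> str:
    """Longest-prefix match of `path` against the registered handler paths."""
    best_prefix, best_name = None, None
    for prefix, name in HANDLERS.items():
        is_match = path == prefix or path.startswith(prefix.rstrip("/") + "/")
        if is_match and (best_prefix is None or len(prefix) > len(best_prefix)):
            best_prefix, best_name = prefix, name
    return best_name


def handler_before_mapping(host: str, request_path: str) -> str:
    """Current behaviour per the mail: select on the raw request path."""
    return select_handler(request_path)


def handler_after_mapping(host: str, request_path: str) -> str:
    """Alternative from question (b): select on the mapped (resolved) path."""
    return select_handler(map_path(host, request_path))


def compare(host: str, request_path: str) -> dict:
    """Return both choices plus the resolved path, for side-by-side reading."""
    return {
        "resolved": map_path(host, request_path),
        "before_mapping": handler_before_mapping(host, request_path),
        "after_mapping": handler_after_mapping(host, request_path),
    }


if __name__ == "__main__":
    for host in ("bla.4502", "fasel.4502", "open.4502"):
        print(host, compare(host, "/"))
```

For `bla.4502` the raw request path is `/`, so selection before mapping lands on the default handler even though the resource resolves to `/content/bla`; selection after mapping picks `bla-handler`, which is the behaviour the two-handler setup in the mail would need. The constructed `open.4502` entry shows the other side of the same property: with selection on the raw path, a mapping entry decides which handler is consulted for a request that resolves into a tree another handler was registered for, which is the part Lars calls "shady" (and, as he also notes, the mapping by itself grants no access to the resolved resource).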
