[ https://issues.apache.org/jira/browse/SLING-5483?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Carsten Ziegeler resolved SLING-5483.
-------------------------------------
    Resolution: Fixed

Fixed in
https://github.com/apache/sling-org-apache-sling-auth-core/commit/c4f4deffe0590646562d47a7c52b4490859a74ed

> Unauthenticated request: getUserPrincipal() doesn't return null for 
> auth.annonymous=true
> ----------------------------------------------------------------------------------------
>
>                 Key: SLING-5483
>                 URL: https://issues.apache.org/jira/browse/SLING-5483
>             Project: Sling
>          Issue Type: Bug
>          Components: Authentication, Engine
>            Reporter: Angela Schreiber
>            Assignee: Carsten Ziegeler
>            Priority: Major
>             Fix For: Auth Core 1.5.0
>
>
> The javadoc for {{HttpServletRequest.getUserPrincipal()}} states the 
> following for an unauthenticated request:
> {quote}
> If the user has not been authenticated, the method returns <code>null</code>.
> {quote}
> With the request implementation present with Sling this is {{true}} as long 
> as the property {{auth.annonymous}} is disabled in the {{Authenticator}}. 
> Allowing for anonymous access by default in the Sling {{Authenticator}} 
> however will change the behavior of this method to return a non-null 
> principal (by default: 'anonymous').
> Surprisingly, {{HttpServletRequest.getAuthType()}} behaves as documented in 
> the Javadoc (basically stating the same) irrespective of the 
> {{auth.annonymous}} flag (i.e. always returning {{null}} for un-authenticated 
> access).
> Without being too familiar with the internals of the {{HttpServletRequest}} 
> implementation in Sling I got the impression that the reason for this issue 
> is due to the behavior in the {{Authenticator}} and how the corresponding 
> properties (i.e. userprincipal and authtype) are passed to the request -> 
> setting components accordingly. Please adjust if needed.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
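
An added example, not part of the original message and not Sling code: it shows how an application-level check that relies only on `getUserPrincipal() != null` treats the request states described in the report, next to a check that also requires a non-null `getAuthType()`. `RequestView`, the helper names and the sample values are assumptions made for illustration; the principal name 'anonymous' is the default named in the report.

```java
import java.security.Principal;

public class AnonymousPrincipalCheck {

    /** Hypothetical stand-in for the two HttpServletRequest methods the report compares. */
    interface RequestView {
        Principal getUserPrincipal();
        String getAuthType();
    }

    /** Builds a constructed sample request; a null name means no principal at all. */
    static RequestView request(String principalName, String authType) {
        Principal p = principalName == null ? null : () -> principalName;
        return new RequestView() {
            public Principal getUserPrincipal() { return p; }
            public String getAuthType() { return authType; }
        };
    }

    /** Naive check: accepts any non-null principal, including the anonymous one. */
    static boolean naiveIsAuthenticated(RequestView r) {
        return r.getUserPrincipal() != null;
    }

    /** Defensive check: also needs an auth type and rejects the configured anonymous name. */
    static boolean isAuthenticated(RequestView r, String anonymousName) {
        Principal p = r.getUserPrincipal();
        return p != null
                && r.getAuthType() != null
                && !anonymousName.equals(p.getName());
    }

    public static void main(String[] args) {
        String[] labels = {
            "unauthenticated, anonymous disabled",
            "unauthenticated, anonymous enabled",
            "authenticated user (constructed)"
        };
        RequestView[] samples = {
            request(null, null),         // principal and auth type both null
            request("anonymous", null),  // the state reported in SLING-5483
            request("alice", "FORM")     // constructed user name and auth type
        };
        for (int i = 0; i < samples.length; i++) {
            System.out.printf("%-38s naive=%b defensive=%b%n", labels[i],
                    naiveIsAuthenticated(samples[i]), isAuthenticated(samples[i], "anonymous"));
        }
    }
}
```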
