[ 
https://issues.apache.org/jira/browse/SLING-9622?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17181857#comment-17181857
 ] 

Angela Schreiber commented on SLING-9622:
-----------------------------------------

[~rombert], from my distant POV, I start to get the impression that we keep
working around a pretty fundamental issue within the resource resolution, namely
{{ResourceResolver.resolve}} being (potentially) expensive because of a variety
of mapping features (alias, vanity-path and the etc-mapping entries). As far as
I understand so far, these mapping features seem to overlap in their
functionality.
As a first workaround, we started registering alias-paths and vanity-paths as
authentication requirements and realized that this doesn't work for nested
vanity paths. For those nested vanity-paths we considered adding a
vanity-path-resolve short-cut and found out that this might not be sufficient
because of the etc-mapping entries. So, another workaround might be needed...
and all the workarounds could be avoided if resource-resolution weren't a
performance concern. I do understand and share the concerns because of the
impact and risk associated, but it might be worth keeping in mind before we
start writing a lot of code that further increases complexity and, due to the
'inconsistency' (some mapped paths are registered as auth-req but others are
not), might be prone to subtle bugs impacting authentication in Sling.



> Avoid registration of auth requirements for aliases and vanity paths
> --------------------------------------------------------------------
>
>                 Key: SLING-9622
>                 URL: https://issues.apache.org/jira/browse/SLING-9622
>             Project: Sling
>          Issue Type: Improvement
>          Components: Authentication
>            Reporter: Carsten Ziegeler
>            Assignee: Carsten Ziegeler
>            Priority: Major
>             Fix For: Auth Core 1.5.0
>
>          Time Spent: 1.5h
>  Remaining Estimate: 0h
>
> Right now when auth requirements are registered, they need to be registered
> for the resource path, as well as all vanity paths and potentially all
> combinations of aliases for that path. First of all, this creates potentially
> a lot of auth requirements for a single path, but as well requires the
> registrar of the auth requirement to be aware of vanity paths and aliases and
> do the right thing and update the auth requirements whenever there are
> changes.
> We should avoid these additional registrations and processing.
> The SlingAuthenticator is currently checking the request path against the
> auth requirements. We could change this to checking the resolved path. So
> the authenticator could use a service user resolver and resolve the path and
> then check the auth requirements.
> This avoids all the extra work for the registrar of the auth requirements,
> but comes with the additional cost of a resolve call per request.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
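
An added illustration, not part of the original message and not Sling's own code, of why matching the request path only covers the mapped paths someone remembered to register, while matching the resolved path covers them all. The resolve() function, the mapping tables and every path below are constructed stand-ins; real Sling mappings are richer than these prefix rewrites.

```java
import java.util.List;
import java.util.Map;

/** Simplified model of the two checks discussed in SLING-9622 (hypothetical, not Sling code). */
public class AuthRequirementCheck {

    // Constructed sample data: one protected resource, reachable under three paths.
    static final List<String> AUTH_REQUIRED = List.of("/content/secure");
    static final Map<String, String> VANITY = Map.of("/members", "/content/secure");
    static final Map<String, String> ETC_MAP = Map.of("/m", "/members");

    /** Hypothetical stand-in for ResourceResolver.resolve: apply mappings until nothing changes. */
    static String resolve(String path) {
        for (int hops = 0; hops < 10; hops++) {   // bound guards against mapping loops
            String next = rewrite(rewrite(path, ETC_MAP), VANITY);
            if (next.equals(path)) {
                return path;
            }
            path = next;
        }
        throw new IllegalStateException("mapping loop at " + path);
    }

    /** Rewrites the first mapping whose source equals the path or is a parent of it. */
    static String rewrite(String path, Map<String, String> mappings) {
        for (Map.Entry<String, String> e : mappings.entrySet()) {
            String from = e.getKey();
            if (path.equals(from) || path.startsWith(from + "/")) {
                return e.getValue() + path.substring(from.length());
            }
        }
        return path;
    }

    /** True when the path is a registered auth requirement or lies below one. */
    static boolean requiresAuth(String path) {
        for (String prefix : AUTH_REQUIRED) {
            if (path.equals(prefix) || path.startsWith(prefix + "/")) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Compare both strategies for the direct, vanity, etc-mapped and unrelated path.
        for (String request : List.of("/content/secure/page", "/members/page", "/m/page", "/public")) {
            System.out.printf("%-22s byRequestPath=%-5b byResolvedPath=%-5b%n",
                    request, requiresAuth(request), requiresAuth(resolve(request)));
        }
    }
}
```

Only the resource path is registered here, so the request-path check misses the vanity and etc-mapped variants unless each is registered separately; the resolved-path check treats all three alike at the cost of one resolve() per request.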
