[ https://issues.apache.org/jira/browse/SLING-9622?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17181857#comment-17181857 ]
Angela Schreiber commented on SLING-9622: ----------------------------------------- [~rombert], from my distant pov, i start to get the impression that we keep working around a pretty fundamental issue within the resource resolution namely {{ResourceResolver.resolve}} being (potentially) expensive because of a variety of mapping features (alias, vanity-path and the etc-mapping entries). as far as i understand so far these mapping features seem to overlap in their functionality. as a first workaround, we started registering alias-paths and vanity-paths as authentication requirements and realized that this doesn't work for nested vanity paths. for those nested vanity-paths we considered adding a vanity-path-resolve short-cut and found out that this might not be sufficient because of the etc-mapping entries. so, another workaround might be needed.... and all the workarounds could be avoided if resource-resolution wouldn't be a performance concern. i do understand and share the concerns because of the impact and risk associated, but it might be worth keeping in mind before we start writing a lot of code that further increases complexity and due to the 'inconsistency' (some mapped paths are registered as auth-req but others are not) might be prone to subtle bugs impacting authentication in sling. > Avoid registration of auth requirements for aliases and vanity paths > -------------------------------------------------------------------- > > Key: SLING-9622 > URL: https://issues.apache.org/jira/browse/SLING-9622 > Project: Sling > Issue Type: Improvement > Components: Authentication > Reporter: Carsten Ziegeler > Assignee: Carsten Ziegeler > Priority: Major > Fix For: Auth Core 1.5.0 > > Time Spent: 1.5h > Remaining Estimate: 0h > > Right now when auth requirements are registered, they need to be registered > for the resource path, as well as all vanity paths and potentially all > combinations of aliases for that path. First of all, this creates potentially > a lot of auth requirements for a single path, but as well requires that the > registrar of the auth requirement to be aware of vanity paths and aliases and > do the right thing and update the auth requirements whenever there are > changes. > We should avoid these additional registrations and processing. > The SlingAuthenticator is currently checking the request path against the > auth requirements. We could change this with checking the resolved path. So > the authenticator could use a service user resolver and resolve the path and > then check the auth requirements. > This avoids all the extra work for the registrar of the auth requirements, > but comes with the additional cost of a resolve call per request -- This message was sent by Atlassian Jira (v8.3.4#803005)