[ https://issues.apache.org/jira/browse/SLING-1400?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12914628#action_12914628 ]
Felix Meschberger edited comment on SLING-1400 at 9/24/10 4:10 PM:
-------------------------------------------------------------------

Implemented an alternate solution derived from http://codereview.appspot.com/2252043 in Rev. 1001056

The new method isBrowserRequest called from doLogin checks for the presence of the Accept header. If the header is present, a browser request is assumed. The reason for only checking for the header's presence is that some AJAX requests in fact just send */* for the value of the header, which of course would fail the check for text/html.

If the request is assumed not to be a browser request and the HTTP AuthenticationHandler is enabled at least for preemptive operation (or fully enabled), a 401/UNAUTHORIZED status is returned. If the HTTP Authentication Handler is disabled, a 403/FORBIDDEN response is returned, assuming simple authentication is not possible for this non-browser client.

If 403 is returned, the X-Reason header is set to a reason for returning 403 instead of 401.
> OPTIONS request on / returns login form if "Allow Anonymous Access" set to false
> --------------------------------------------------------------------------------
>
>                 Key: SLING-1400
>                 URL: https://issues.apache.org/jira/browse/SLING-1400
>             Project: Sling
>          Issue Type: Bug
>          Components: Authentication
>            Reporter: Bertrand Delacretaz
>            Priority: Minor
>
> If "Allow Anonymous Access" is true (that's the default default) in the
> org.apache.sling.engine.impl.auth.SlingAuthenticator config, curl -X OPTIONS http://localhost:8888/
> correctly returns a 401 status.
>
> If the setting is false, the same request returns 200 and the login form.
>
> Not sure if that's really a problem, but I thought I'd report it as it caused the WebDAV mount on /
> to become unusable with samples that recommend setting that parameter to false. I'll change the
> samples to use sling:authRequestLogin=true instead.
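The doLogin decision described in Felix's comment, written out as an added example. This is not Sling's code: the HTTP Authentication Handler's state is reduced to a single boolean (enabled, whether fully or only for preemptive operation, versus disabled), requests are plain header maps, the sample requests are constructed, and the X-Reason wording and the realm string are placeholders the comment does not specify.

```java
import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Added illustration of the browser/non-browser decision in doLogin as
 * described in SLING-1400. Not Sling's code; see the assumptions above.
 */
public class LoginDecision {

    /** What the authenticator does with a request that still has to log in. */
    enum Outcome { LOGIN_FORM, UNAUTHORIZED, FORBIDDEN }

    /** Minimal response model: the outcome plus the headers set on it. */
    static final class Response {
        final Outcome outcome;
        final Map<String, String> headers = new LinkedHashMap<>();
        Response(Outcome outcome) { this.outcome = outcome; }
        @Override public String toString() { return outcome + " " + headers; }
    }

    /** HTTP header names are case-insensitive (RFC 7230), so match accordingly. */
    static String header(Map<String, String> request, String name) {
        for (Map.Entry<String, String> e : request.entrySet()) {
            if (e.getKey().equalsIgnoreCase(name)) {
                return e.getValue();
            }
        }
        return null;
    }

    /**
     * Presence-only check from the comment: any Accept header marks the client
     * as a browser. The value is deliberately not tested for text/html because
     * some AJAX clients send only "*\/*" and would otherwise be misclassified.
     */
    static boolean isBrowserRequest(Map<String, String> request) {
        return header(request, "Accept") != null;
    }

    static Response doLogin(Map<String, String> request, boolean httpAuthHandlerEnabled) {
        if (isBrowserRequest(request)) {
            // Browser: render the HTML login form with a 200 status (the symptom in the issue).
            return new Response(Outcome.LOGIN_FORM);
        }
        if (httpAuthHandlerEnabled) {
            // Non-browser and the handler is enabled (fully or preemptive-only): challenge.
            Response r = new Response(Outcome.UNAUTHORIZED);
            // RFC 7235 requires a WWW-Authenticate challenge with a 401; the realm is a placeholder.
            r.headers.put("WWW-Authenticate", "Basic realm=\"example\"");
            return r;
        }
        // Non-browser and the handler is disabled: no scheme to offer, so 403 with a reason.
        Response r = new Response(Outcome.FORBIDDEN);
        r.headers.put("X-Reason", "HTTP authentication handler is disabled"); // placeholder wording
        return r;
    }

    /** Builds a constructed request from name/value pairs. */
    static Map<String, String> request(String... headerPairs) {
        Map<String, String> m = new LinkedHashMap<>();
        for (int i = 0; i + 1 < headerPairs.length; i += 2) {
            m.put(headerPairs[i], headerPairs[i + 1]);
        }
        return m;
    }

    public static void main(String[] args) {
        // Constructed sample requests (header values are illustrative).
        Map<String, String> firefox = request(
            "Accept", "text/html,application/xhtml+xml,*/*;q=0.8", "User-Agent", "Mozilla/5.0");
        Map<String, String> ajax = request(
            "Accept", "*/*", "X-Requested-With", "XMLHttpRequest");
        // curl adds "Accept: */*" on its own unless the header is suppressed with -H 'Accept:'.
        Map<String, String> curlDefault = request("Accept", "*/*", "User-Agent", "curl/7.68.0");
        Map<String, String> curlNoAccept = request("User-Agent", "curl/7.68.0");

        System.out.println("browser, handler enabled      : " + doLogin(firefox, true));
        System.out.println("ajax */*, handler enabled     : " + doLogin(ajax, true));
        System.out.println("curl default, handler enabled : " + doLogin(curlDefault, true));
        System.out.println("curl -H Accept:, enabled      : " + doLogin(curlNoAccept, true));
        System.out.println("curl -H Accept:, disabled     : " + doLogin(curlNoAccept, false));
    }
}
```

Two things the run makes visible that the comment leaves implicit. First, the presence-only check keeps an XMLHttpRequest that sends only */* on the login-form path together with the browser it runs in, which is the stated motivation for not requiring text/html. Second, curl sends Accept: */* by default, so a plain `curl -X OPTIONS` is classified as a browser by this heuristic; to exercise the 401 and 403 branches from the command line the header has to be removed with `-H 'Accept:'`, and a WebDAV client's behaviour depends on whether it sends an Accept header at all.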