Hi,

On Thursday, 28.02.2008, at 14:52 +0100, Lars Trieloff wrote:
> If all you send is a 403, the user has no means of logging in.
> Browsers only display the login box if a 401 response has been received.
>
> If a user is properly logged in and his privileges do not allow to
> access a portion of content, 403 is the right response. But in the case
> of the anonymous user that has been logged in by default without ever
> giving the user the possibility to log-on, 401 would be the correct
> response.

Sounds good. But this should be done by the authentication handler of sling, which is called in case an AccessControlException is thrown.

>
> regards,
>
> Lars
>
> P.S. is there a way to override the automatic login of anonymous per
> configuration?

Yes, go to the Sling Console Configuration Page and select "Authentication Filter" (yes, this is currently inappropriately named) configuration and check the box (if not already checked).

Regards
Felix

>
> On 28.02.2008, at 14:44, David Nuescheler wrote:
>
> > hi all,
> >
> > here my +1 for anonymous access by default.
> >
> > also prompting the user with a 401 for something that he does not
> > have read access for is not an option, since in jcr if you are able
> > to read content there is no way to tell that something exists.
> >
> >>> But still, the desired behavior is to ask the user for
> >>> authentication if he is not authenticated and write permission
> >>> is denied.
> >> Your problem has nothing to do with the fact that we allow anonymous
> >> access per default now.
> >> Before that you could login as anonymous and would face the same
> >> problems.
> >> This is rather a problem of the post servlet and the permission
> >> checking there. Could you please open an issue?
> >
> > i agree with carsten's assessment.
> >
> > i don't think though that the desired response code for a
> > permission denied on the repository level is a 401 even for
> > "anonymous", but i think it should be a 403 error code instead.
> > thoughts?
> >
> > regards,
> > david
>
> --
> Lars Trieloff
> [EMAIL PROTECTED]
> http://weblogs.goshaky.com/weblogs/lars
>
