sling-dev mailing list archives

From "Konrad Windszus (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (SLING-6053) SlingAuthenticator identifies wrong sibling node with AuthenticationInfo
Date Mon, 27 Feb 2017 11:06:45 GMT

    [ https://issues.apache.org/jira/browse/SLING-6053?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15885587#comment-15885587 ]

Konrad Windszus commented on SLING-6053:
----------------------------------------

[~asanso] The patch is only a heuristic and does not work for all cases. Just imagine the
following use case:
- {{resource1}} requires authentication
- {{resource1.test2}} does not require authentication
In that case the latter would also be covered by your logic in {{isNodeRequiresAuthHandler}},
but in fact it should not.
I am not sure whether that behavior is better or worse than before. (Better because it will
work as expected in most cases; worse because it is even harder to document the behaviour
for resource names containing "." itself.)

The problem is that with just having the request URL String you cannot tell what is a selector
and what belongs to the resource's name.

> SlingAuthenticator identifies wrong sibling node with AuthenticationInfo
> ------------------------------------------------------------------------
>
>                 Key: SLING-6053
>                 URL: https://issues.apache.org/jira/browse/SLING-6053
>             Project: Sling
>          Issue Type: Bug
>          Components: Authentication
>    Affects Versions: Auth Core 1.3.18
>            Reporter: Miklos Csere
>            Assignee: Antonio Sanso
>            Priority: Blocker
>         Attachments: SLING-6053-patch.txt
>
>
> Issue can be reproduced with the following steps:
>     Create node "/page" 
>     Create sibling node "/page1"
>     Define a protection handler for node: "/page"
> Expected: 
>             "/page" has AuthenticationInfo
>              "/page1" does not have AuthenticationInfo (has anonymous)
>   
> Actual:  "/page" & "/page1" both have AuthenticationInfo
>      
> Reason: SlingAuthenticator.java line 726:  if (path.startsWith(holder.path))
> Warning: The same check is used in 4 more places in code with similar behaviour.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
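
The matching problem discussed in this message, as an added example that is not code from Sling or from the attached SLING-6053 patch. The class and method names are hypothetical, the paths are constructed, and `dotHeuristic` is an assumed shape for a "."-aware check, used only to show the ambiguity described in the comment.

```java
import java.util.List;

public class PathPrefixMatch {

    // The check quoted in the issue: plain string prefix comparison.
    static boolean naive(String path, String holderPath) {
        return path.startsWith(holderPath);
    }

    // Match only the configured path itself or a descendant ("/" boundary).
    static boolean segmentAware(String path, String holderPath) {
        if (!path.startsWith(holderPath)) {
            return false;
        }
        return path.length() == holderPath.length()
                || holderPath.endsWith("/")
                || path.charAt(holderPath.length()) == '/';
    }

    // Assumed heuristic: also treat "." as a boundary so that selectors and
    // extensions (/page.html) stay covered. From the URL string alone it cannot
    // tell a selector from a resource whose own name contains ".".
    static boolean dotHeuristic(String path, String holderPath) {
        return segmentAware(path, holderPath)
                || (path.startsWith(holderPath)
                    && path.length() > holderPath.length()
                    && path.charAt(holderPath.length()) == '.');
    }

    public static void main(String[] args) {
        // Constructed sample: {request path, configured protected path}.
        List<String[]> cases = List.of(
                new String[] {"/page", "/page"},
                new String[] {"/page1", "/page"},
                new String[] {"/page/child", "/page"},
                new String[] {"/page.html", "/page"},
                new String[] {"/resource1.test2", "/resource1"});
        System.out.printf("%-18s %-11s %-6s %-8s %s%n",
                "request", "configured", "naive", "segment", "dot");
        for (String[] c : cases) {
            System.out.printf("%-18s %-11s %-6b %-8b %b%n", c[0], c[1],
                    naive(c[0], c[1]), segmentAware(c[0], c[1]), dotHeuristic(c[0], c[1]));
        }
    }
}
```

The `/page1` row shows the sibling over-match from the issue description, and the `/resource1.test2` row shows the case raised in the comment, where a "." boundary still matches a separately named resource.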
