You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@sling.apache.org by "Carsten Ziegeler (Jira)" <ji...@apache.org> on 2020/08/05 14:13:00 UTC

[jira] [Resolved] (SLING-5483) Unauthenticated request: getUserPrincipal() doesn't return null for auth.annonymous=true

     [ https://issues.apache.org/jira/browse/SLING-5483?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Carsten Ziegeler resolved SLING-5483.
-------------------------------------
    Resolution: Fixed

Fixed in
https://github.com/apache/sling-org-apache-sling-auth-core/commit/c4f4deffe0590646562d47a7c52b4490859a74ed

> Unauthenticated request: getUserPrincipal() doesn't return null for auth.annonymous=true
> ----------------------------------------------------------------------------------------
>
>                 Key: SLING-5483
>                 URL: https://issues.apache.org/jira/browse/SLING-5483
>             Project: Sling
>          Issue Type: Bug
>          Components: Authentication, Engine
>            Reporter: Angela Schreiber
>            Assignee: Carsten Ziegeler
>            Priority: Major
>             Fix For: Auth Core 1.5.0
>
>
> The javadoc for {{HttpServletRequest.getUserPrincipal()}} states the following for an unauthenticated request:
> {quote}
> If the user has not been authenticated, the method returns <code>null</code>.
> {quote}
> With the request implementation present with Sling this is {{true}} as long as the property {{auth.annonymous}} is disabled in the {{Authenticator}}. Allowing for anonymous access by default in the Sling {{Authenticator}} however will change the behavior of this method to return a non-null principal (by default: 'anonymous')
> Surprisingly, {{HttpServletRequest.getAuthType()}} behaves as documented in the Javadoc (basically stating the same) irrespective of the {{auth.annonymous}} flag (i.e. always returning {{null}} for un-authenticated access).
> Without being too familiar with the internals of the {{HttpServletRequest}} implementation in Sling I got the impression that the reason for this issue is due to the behavior in the {{Authenticator}} and how the corresponding properties (i.e. userprincipal and authtype) are passed to the request -> setting components accordingly. Please adjust if needed.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)