Posted to dev@sling.apache.org by "angela (JIRA)" <ji...@apache.org> on 2016/02/04 10:23:39 UTC

[jira] [Created] (SLING-5483) Unauthenticated request: getUserPrincipal() doesn't return null for auth.annonymous=true

angela created SLING-5483:
-----------------------------

             Summary: Unauthenticated request: getUserPrincipal() doesn't return null for auth.annonymous=true
                 Key: SLING-5483
                 URL: https://issues.apache.org/jira/browse/SLING-5483
             Project: Sling
          Issue Type: Bug
          Components: Authentication, Engine
            Reporter: angela


The javadoc for {{HttpServletRequest.getUserPrincipal()}} states the following for an unauthenticated request:

{quote}
If the user has not been authenticated, the method returns <code>null</code>.
{quote}

With the request implementation present with Sling this is {{true}} as long as the property {{auth.annonymous}} is disabled in the {{Authenticator}}. Allowing for anonymous access by default in the Sling {{Authenticator}} however will change the behavior of this method to return a non-null principal (by default: 'anonymous').

Surprisingly, {{HttpServletRequest.getAuthType()}} behaves as documented in the Javadoc (basically stating the same) irrespective of the {{auth.annonymous}} flag (i.e. always returning {{null}} for un-authenticated access).

Without being too familiar with the internals of the {{HttpServletRequest}} implementation in Sling I got the impression that the reason for this issue is due to the behavior in the {{Authenticator}} and how the corresponding properties (i.e. userprincipal and authtype) are passed to the request -> setting components accordingly. Please adjust if needed.
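The report boils down to one invariant that application code commonly relies on: `getUserPrincipal() != null` means "authenticated". Below is an added example (not code from the report or from the Sling project) showing how a servlet or filter can decide authentication state without that assumption, using `getAuthType()` as the primary signal, which the report says stays `null` for unauthenticated access regardless of the `auth.annonymous` flag, and flagging the principal/auth-type mismatch so it is visible in logs. The class name, the `State` enum and the `fakeRequest` proxy are assumptions made for the demo; only `javax.servlet.http.HttpServletRequest` from the Servlet API is real.

```java
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Proxy;
import java.security.Principal;
import javax.servlet.http.HttpServletRequest;

/**
 * Illustrative helper (not Sling project code): decides whether a request
 * was really authenticated without relying on getUserPrincipal() alone,
 * because with auth.annonymous=true Sling hands out a non-null 'anonymous'
 * principal while getAuthType() remains null.
 */
public final class AuthStateCheck {

    /** Outcome of the check (names are this example's own). */
    public enum State { AUTHENTICATED, ANONYMOUS, INCONSISTENT }

    /**
     * getAuthType() is null for unauthenticated access per the servlet
     * javadoc and, per the report, also in Sling irrespective of the flag,
     * so it is treated as the primary signal. A non-null principal together
     * with a null auth type is exactly the pattern the report describes.
     */
    public static State classify(HttpServletRequest req) {
        String authType = req.getAuthType();
        Principal principal = req.getUserPrincipal();
        if (authType != null && principal != null) {
            return State.AUTHENTICATED;
        }
        if (authType == null && principal == null) {
            return State.ANONYMOUS;
        }
        // The two signals contradict each other: authorization code should
        // treat this as anonymous, and the deviation is worth logging.
        return State.INCONSISTENT;
    }

    /** Authorization decisions should use this, never principal != null alone. */
    public static boolean isAuthenticated(HttpServletRequest req) {
        return classify(req) == State.AUTHENTICATED;
    }

    // --- constructed fake requests so the demo runs without a container ---

    /** Minimal HttpServletRequest proxy answering only the two methods used above. */
    static HttpServletRequest fakeRequest(final String authType, final String principalName) {
        InvocationHandler h = (proxy, method, args) -> {
            switch (method.getName()) {
                case "getAuthType":
                    return authType;
                case "getUserPrincipal":
                    return principalName == null ? null : (Principal) () -> principalName;
                case "toString":
                    return "fake(" + authType + "," + principalName + ")";
                default:
                    throw new UnsupportedOperationException(method.getName());
            }
        };
        return (HttpServletRequest) Proxy.newProxyInstance(
                HttpServletRequest.class.getClassLoader(),
                new Class<?>[] { HttpServletRequest.class }, h);
    }

    public static void main(String[] args) {
        // Properly authenticated request (e.g. BASIC auth resolved to a user).
        System.out.println(classify(fakeRequest("BASIC", "admin")));
        // auth.annonymous disabled: both values null, as the javadoc describes.
        System.out.println(classify(fakeRequest(null, null)));
        // auth.annonymous enabled: the behaviour described in this report.
        System.out.println(classify(fakeRequest(null, "anonymous")));
    }
}
```

Compile with the Servlet API on the classpath (for example `javac -cp servlet-api.jar AuthStateCheck.java`); the three calls in `main` print `AUTHENTICATED`, `ANONYMOUS` and `INCONSISTENT` in that order. The point of the `INCONSISTENT` branch is defensive: until the request implementation is aligned with the javadoc, code that gates access on the principal alone would silently treat every anonymous visitor as a logged-in user.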



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)