You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@sling.apache.org by "angela (JIRA)" <ji...@apache.org> on 2016/02/04 10:23:39 UTC
[jira] [Created] (SLING-5483) Unauthenticated request:
getUserPrincipal() doesn't return null for auth.annonymous=true
angela created SLING-5483:
-----------------------------
Summary: Unauthenticated request: getUserPrincipal() doesn't return null for auth.annonymous=true
Key: SLING-5483
URL: https://issues.apache.org/jira/browse/SLING-5483
Project: Sling
Issue Type: Bug
Components: Authentication, Engine
Reporter: angela
The javadoc for {{HttpServletRequest.getUserPrincipal()}} states the following for an unauthenticated request:
{quote}
If the user has not been authenticated, the method returns <code>null</code>.
{quote}
With the request implementation present with Sling this is {{true}} as long as the property {{auth.annonymous}} is disabled in the {{Authenticator}}. Allowing for anonymous access by default in the Sling {{Authenticator}} however will change the behavior of this method to return a non-null principal (by default: 'anonymous')
Surprisingly, {{HttpServletRequest.getAuthType()}} behaves as documented in the Javadoc (basically stating the same) irrespective of the {{auth.annonymous}} flag (i.e. always returning {{null}} for un-authenticated access).
Without being too familiar with the internals of the {{HttpServletRequest}} implementation in Sling I got the impression that the reason for this issue is due to the behavior in the {{Authenticator}} and how the corresponding properties (i.e. userprincipal and authtype) are passed to the request -> setting components accordingly. Please adjust if needed.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)