Posted to commits@sling.apache.org by fm...@apache.org on 2010/10/12 09:09:16 UTC

svn commit: r1021641 - in /sling/trunk: bundles/auth/core/src/main/java/org/apache/sling/auth/core/impl/ launchpad/integration-tests/src/main/java/org/apache/sling/launchpad/webapp/integrationtest/auth/

Author: fmeschbe
Date: Tue Oct 12 07:09:15 2010
New Revision: 1021641

URL: http://svn.apache.org/viewvc?rev=1021641&view=rev
Log:
SLING-1831 Try to send 401/UNAUTHORIZED instead of 403/FORBIDDEN if a loop is detected

Modified:
    sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/impl/SlingAuthenticator.java
    sling/trunk/launchpad/integration-tests/src/main/java/org/apache/sling/launchpad/webapp/integrationtest/auth/AuthenticationResponseCodeTest.java

Modified: sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/impl/SlingAuthenticator.java
URL: http://svn.apache.org/viewvc/sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/impl/SlingAuthenticator.java?rev=1021641&r1=1021640&r2=1021641&view=diff
==============================================================================
--- sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/impl/SlingAuthenticator.java (original)
+++ sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/impl/SlingAuthenticator.java Tue Oct 12 07:09:15 2010
@@ -940,9 +940,10 @@ public class SlingAuthenticator implemen
             HttpServletResponse response) {
 
         if (!AbstractAuthenticationHandler.isValidateRequest(request)) {
-            if (isBrowserRequest(request)) {
 
-                if (!isAjaxRequest(request) && !isLoginLoop(request)) {
+            if (isBrowserRequest(request) && !isLoginLoop(request)) {
+
+                if (!isAjaxRequest(request)) {
                     try {
 
                         login(request, response);
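Review bot: Moving `!isLoginLoop(request)` into the outer condition also changes what an Ajax request gets when the loop check fires: it no longer enters the browser branch, so it presumably falls through to the `httpBasicHandler.sendUnauthorized(response)` path shown in the next hunk rather than the response the Ajax case produced before. A Basic challenge on an XHR usually makes the browser raise its native credential dialog, which a form-login deployment may not want. If Ajax callers should keep their earlier handling, the outer test could read `if (isBrowserRequest(request) && (isAjaxRequest(request) || !isLoginLoop(request))) {`. The test in this commit triggers the loop case by setting `Referer`, so the signal appears to be client-supplied, and a comment here should say that any client can select the 401 path. The method begins and ends outside the hunk, so the fall-through target is inferred from the second hunk.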
@@ -972,6 +973,8 @@ public class SlingAuthenticator implemen
                 // enabled for preemptive credential support, we just request
                 // HTTP Basic credentials. Otherwise (HTTP Basic is fully
                 // switched off, 403 is sent back)
+                // we also do this in case of a redirect loop upon login
+                // (see SLING-1831 for details)
                 if (httpBasicHandler != null) {
                     httpBasicHandler.sendUnauthorized(response);
                     return;

Modified: sling/trunk/launchpad/integration-tests/src/main/java/org/apache/sling/launchpad/webapp/integrationtest/auth/AuthenticationResponseCodeTest.java
URL: http://svn.apache.org/viewvc/sling/trunk/launchpad/integration-tests/src/main/java/org/apache/sling/launchpad/webapp/integrationtest/auth/AuthenticationResponseCodeTest.java?rev=1021641&r1=1021640&r2=1021641&view=diff
==============================================================================
--- sling/trunk/launchpad/integration-tests/src/main/java/org/apache/sling/launchpad/webapp/integrationtest/auth/AuthenticationResponseCodeTest.java (original)
+++ sling/trunk/launchpad/integration-tests/src/main/java/org/apache/sling/launchpad/webapp/integrationtest/auth/AuthenticationResponseCodeTest.java Tue Oct 12 07:09:15 2010
@@ -112,8 +112,7 @@ public class AuthenticationResponseCodeT
         get.setRequestHeader("Referer", requestUrl);
         get.setRequestHeader("Accept", "text/*"); // simulate a browser request
         int status = httpClient.executeMethod(get);
-        assertEquals(HttpServletResponse.SC_FORBIDDEN, status);
-        assertXReason(get);
+        assertEquals(HttpServletResponse.SC_UNAUTHORIZED, status);
     }
 
     public void testXRequestedWithIncorrectCredentials() throws Exception {
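Review bot: The loop test now pins only the status code, so it no longer checks anything about how the 401 is formed; with `assertXReason(get)` dropped, nothing verifies that a challenge header accompanies the response. Adding `assertNotNull(get.getResponseHeader("WWW-Authenticate"));` after the status assertion would cover that. The SlingAuthenticator comment in this commit says 403 is still sent when HTTP Basic is fully switched off, so the expected 401 depends on the test instance's configuration; a comment such as `// expects the HTTP Basic handler to be available; 403 is returned otherwise` would make that dependency visible. The test method starts outside the hunk.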