Posted to dev@jackrabbit.apache.org by Angela Schreiber <an...@adobe.com> on 2011/11/10 09:03:37 UTC

Re: Anonymous user

hi markus  (and including jackrabbit-dev as this doesn't really belong 
to the sling list)

>>> I just try to connect with the standard command line utility via davex
>>> to the repository.
>>>
>>> java -jar jackrabbit-standalone-2.3.1-SNAPSHOT.jar --cli
>>> http://localhost:8080/server
>>>
>>> With the enabled anonymous user everything is fine and I can
>>> logout/login with admin.
>>> With the anonymous user disabled I still can login but I can not do
>>> any writes as the davex layer couldn't properly detect the
>>> capabilities of the repository.
>>
>> IIUC this is because although there was a change in Jackrabbit
>> (https://issues.apache.org/jira/browse/JCR-3076) to handle the case
>> when the repository descriptors weren't available, it handles only 401
>> or 407 error codes. I haven't checked Felix's most recent changes, but
>> last I checked, it resulted in a 403 error code.
>
> Prior to JCR-3076 it was not even possible to connect to a repository
> if it was protected by the sling authenticator (e.g. by a custom login
> page).
> The patch solves the "detection" of the repository.
>
> The problem with the descriptors is mentioned by Jukka:
> "A more complete fix would also modify the webdav server to always
> allow repository descriptor report requests without authentication,
> but that would require non-trivial changes to the way requests are
> currently being processed in the webdav server. Doing that would allow
> clients to access repository descriptors even if repository access
> otherwise is blocked only to authenticated clients. Let's handle that
> as a possible followup issue."

if i am not mistaken we could fix that rather easily on the
client (jcr2spi) side. currently SessionImpl#isSupportedOption
assumes that the descriptors have been successfully loaded.

i would suggest that we change that code such that it only evaluates
the descriptor if it is present and otherwise returns true.
in the latter case the fact that a given SPI implementation does not
support a given feature will only be detected upon passing the
call for processing to the SPI. this is pretty straight forward for
all the workspace operations and maybe a bit inconvenient for 
Session#save. but most probably that would solve your problem.

what do you think?
angela


>
>>
>>>
>>>>>
>>>>> However I have a customer requirement that is: Nobody should be able
>>>>> to login in the web UI with anonymous/anonymous.
>>>>
>>>> Agreed.
>>>>
>>>>> And AFAIK that can only be achieved by disabling the anonymous user.
>>>>> Or am I wrong? Is there another way to forbid login of the anonymous
>>>>> user.
>>>>
>>>> Well, with this setting we can prevent requests without credentials to pass by the Sling Authenticator. But we cannot prevent someone coming with the anonymous credentials from logging in. This has to be configured in the repository IIUIC.
>>>
>>> Oh sorry. With "disabling the anonymous user" I do not mean the flag
>>> on the authentication service but using the usermanager to disable the
>>> user in the repository. That is what I do and what prevents the davex
>>> servlet from working properly.
>>>
>>> That's because the request for the repository descriptors has no
>>> credentials included. So the anonymous user is used to fetch the
>>> descriptors. If this user is disabled,
>>> it is no longer possible to return a meaningful result. However having
>>> the anonymous user enabled also allows everybody to login as
>>> anonymous/anonymous.
>>>
>>> The original jackrabbit davex servlet has the
>>> init.missing-auth-mapping parameter to specify another user that can
>>> be used in case no credentials are provided. However that does not
>>> work with the sling authentication in place
>>> (https://issues.apache.org/jira/browse/SLING-2256)
>>>
>>> Regards,
>>>   Markus
>>>
>>>
>>>
>>>
>>>>
>>>> Regards
>>>> Felix
>>>>
>>>>>
>>>>> Thanks,
>>>>> Markus
>>>>
>>>>
>>>
>>
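The client-side change Angela proposes above, shown as an added illustration. This is not jcr2spi's SessionImpl or any other Jackrabbit code: the class, the method names, the simulated SPI call in checkout() and the descriptor values are all invented for the example; only the javax.jcr types and the two Repository.OPTION_* constants are real. It contrasts the strict check (a descriptor the client never received counts as "unsupported") with the lenient one (evaluate the descriptor only if it is present, otherwise defer to the SPI), using the case from the thread where the unauthenticated descriptor request was rejected and the map came back empty.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;

import javax.jcr.Repository;
import javax.jcr.RepositoryException;
import javax.jcr.UnsupportedRepositoryOperationException;

/**
 * Simplified model of the capability check discussed in the thread.
 * Not jcr2spi's SessionImpl: class and method names are invented for
 * this illustration; only the javax.jcr constants are real.
 */
public class DescriptorCheckExample {

    /** Descriptors as the client received them; empty when the unauthenticated
     *  descriptor request was rejected (the 403 case from the thread). */
    private final Map<String, String> descriptors;

    DescriptorCheckExample(Map<String, String> descriptors) {
        this.descriptors = descriptors == null
                ? Collections.<String, String>emptyMap() : descriptors;
    }

    /** Old behaviour: a missing descriptor counts as "not supported", so an
     *  empty map makes every optional feature look unsupported and writes
     *  fail on the client before the server is ever asked. */
    boolean isSupportedOptionStrict(String option) {
        return Boolean.parseBoolean(descriptors.get(option));
    }

    /** Proposed behaviour: evaluate the descriptor only if it is present,
     *  otherwise assume support and let the SPI refuse the call if needed. */
    boolean isSupportedOptionLenient(String option) {
        String value = descriptors.get(option);
        return value == null || Boolean.parseBoolean(value);
    }

    /** Stand-in for a workspace operation handed on to the SPI. The server
     *  side stays authoritative; the client-side check is only an early exit. */
    void checkout(boolean serverSupportsVersioning) throws RepositoryException {
        if (!isSupportedOptionLenient(Repository.OPTION_VERSIONING_SUPPORTED)) {
            throw new UnsupportedRepositoryOperationException(
                    "refused by the client-side descriptor check");
        }
        if (!serverSupportsVersioning) {
            // what the real SPI/server answer would turn into
            throw new UnsupportedRepositoryOperationException("refused by the SPI");
        }
    }

    public static void main(String[] args) {
        String v = Repository.OPTION_VERSIONING_SUPPORTED;
        String l = Repository.OPTION_LOCKING_SUPPORTED;

        // Case 1: descriptor request succeeded (anonymous user enabled).
        // Both checks agree, because every descriptor they look at is present.
        Map<String, String> loaded = new HashMap<String, String>();
        loaded.put(v, "true");
        loaded.put(l, "false");
        DescriptorCheckExample withDescriptors = new DescriptorCheckExample(loaded);
        System.out.println("descriptors loaded: versioning strict="
                + withDescriptors.isSupportedOptionStrict(v) + " lenient="
                + withDescriptors.isSupportedOptionLenient(v) + "; locking strict="
                + withDescriptors.isSupportedOptionStrict(l) + " lenient="
                + withDescriptors.isSupportedOptionLenient(l));

        // Case 2: descriptor request rejected (anonymous user disabled).
        // Strict treats the absent descriptor as "unsupported"; lenient defers to the SPI.
        DescriptorCheckExample noDescriptors =
                new DescriptorCheckExample(Collections.<String, String>emptyMap());
        System.out.println("descriptors missing: versioning strict="
                + noDescriptors.isSupportedOptionStrict(v) + " lenient="
                + noDescriptors.isSupportedOptionLenient(v));

        try {
            noDescriptors.checkout(true);   // passes: the server supports it
            noDescriptors.checkout(false);  // the SPI, not the descriptor, says no
        } catch (RepositoryException e) {
            System.out.println("SPI decided: " + e.getMessage());
        }
    }
}
```

The security-relevant trade-off is the one Jukka's quoted comment spells out: the lenient client check avoids having to serve descriptor reports without authentication, so a repository that only admits authenticated clients stays closed to unauthenticated probing, at the cost of an unsupported operation being detected one round trip later, when the SPI rejects it.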

Re: Anonymous user

Posted by Markus Joschko <ma...@gmail.com>.
Hi all,
just as a follow-up on this issue: With the updated descriptor
evaluation (JCR-3143) I have no issues any longer with the davex
servlet and the sling authentication.

Thanks for following up on this one.

Regards,
 Markus



Re: Anonymous user

Posted by Angela Schreiber <an...@adobe.com>.
hi markus

> seems fine to me.

ok... i will commit it right away.

> All my headaches are caused by requests from the
> client where I cannot pass credentials.

yes... the problem is that Repository#getDescriptors (etc...) simply
doesn't have the sessionInfo at hand and that the server side
mandates a repo-login for resources.

> If this is skipped, I am fine.

the request is not skipped, but the extra assertion for the
various operations is.

in other words: if you disable the anonymous user, 
Repository.getDescriptors() and the related variants will
return an empty map/null and so forth. the descriptors are
just not populated (see also the fix by jukka in JCR-3076).
but the other operations should no longer fail just because the
descriptors are missing.

angela



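Markus's requirement (nobody may log in with anonymous/anonymous) enforced the way he describes, by disabling the user through the repository's UserManager rather than through the Sling authenticator flag, followed by the login check a reviewer would run afterwards. This is an added example, not code from the thread or from the Jackrabbit or Sling code base. It assumes an embedded jackrabbit-core TransientRepository with its stock admin/admin account in place of the Sling-hosted repository in the thread, and the org.apache.jackrabbit.api user-management interfaces on the classpath.

```java
import javax.jcr.LoginException;
import javax.jcr.Repository;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.SimpleCredentials;

import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.api.security.user.User;
import org.apache.jackrabbit.api.security.user.UserManager;
import org.apache.jackrabbit.core.TransientRepository;

/**
 * Disable the repository's anonymous user and verify that the well-known
 * anonymous/anonymous credentials no longer open a session. Added example;
 * assumes an embedded jackrabbit-core repository with its stock accounts.
 */
public class DisableAnonymousExample {

    static final String ANONYMOUS_ID = "anonymous";

    /** Marks the user as disabled through the UserManager API (the mechanism
     *  Markus refers to) and returns the user's state afterwards. */
    static boolean disableUser(Session adminSession, String userId, String reason)
            throws RepositoryException {
        if (!(adminSession instanceof JackrabbitSession)) {
            throw new RepositoryException(
                    "user management is only available on a JackrabbitSession");
        }
        UserManager um = ((JackrabbitSession) adminSession).getUserManager();
        Authorizable authorizable = um.getAuthorizable(userId);
        if (authorizable == null || authorizable.isGroup()) {
            throw new RepositoryException("no such user: " + userId);
        }
        User user = (User) authorizable;
        user.disable(reason);                    // a null reason re-enables the user
        if (adminSession.hasPendingChanges()) {  // only needed if the UserManager does not autosave
            adminSession.save();
        }
        return user.isDisabled();
    }

    /** True if the repository refuses a login with these credentials. */
    static boolean loginRefused(Repository repository, String userId, String password)
            throws RepositoryException {
        Session session;
        try {
            session = repository.login(new SimpleCredentials(userId, password.toCharArray()));
        } catch (LoginException expected) {
            return true;
        }
        session.logout();
        return false;
    }

    public static void main(String[] args) throws Exception {
        // Embedded repository in ./jackrabbit (created on first start);
        // admin/admin is the default core account, an assumption of this example.
        Repository repository = new TransientRepository();

        Session admin = repository.login(new SimpleCredentials("admin", "admin".toCharArray()));
        try {
            System.out.println("anonymous/anonymous refused before: "
                    + loginRefused(repository, ANONYMOUS_ID, "anonymous"));
            boolean disabled = disableUser(admin, ANONYMOUS_ID,
                    "hardening: no login with the default anonymous credentials");
            System.out.println("anonymous disabled: " + disabled);
            System.out.println("anonymous/anonymous refused after: "
                    + loginRefused(repository, ANONYMOUS_ID, "anonymous"));
        } finally {
            admin.logout();   // the last logout shuts the TransientRepository down
        }
    }
}
```

Two caveats from the thread apply once this is in place. First, as Felix notes, the Sling authenticator's own flag only stops requests that carry no credentials; it is the repository-level disable above that stops someone presenting anonymous/anonymous. Second, as Angela describes, a davex client's descriptor request is sent without credentials and therefore hits the disabled user, so Repository.getDescriptors() on the client comes back empty and the client must tolerate that (the JCR-3143 behaviour) instead of reading the gap as "unsupported".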

Re: Anonymous user

Posted by Markus Joschko <ma...@gmail.com>.
Hi Angela,
seems fine to me. All my headaches are caused by requests from the
client where I cannot pass credentials.
If this is skipped, I am fine.

Regards,
 Markus

