Posted to commits@sling.apache.org by fm...@apache.org on 2011/12/15 15:46:28 UTC

svn commit: r1214791 - /sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/impl/HttpBasicAuthenticationHandler.java

Author: fmeschbe
Date: Thu Dec 15 14:46:27 2011
New Revision: 1214791

URL: http://svn.apache.org/viewvc?rev=1214791&view=rev
Log:
SLING-2329 Fix loop prevention
  - credential validations must not be replied to with a 401 (403 is expected here)

Modified:
    sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/impl/HttpBasicAuthenticationHandler.java

Modified: sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/impl/HttpBasicAuthenticationHandler.java
URL: http://svn.apache.org/viewvc/sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/impl/HttpBasicAuthenticationHandler.java?rev=1214791&r1=1214790&r2=1214791&view=diff
==============================================================================
--- sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/impl/HttpBasicAuthenticationHandler.java (original)
+++ sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/impl/HttpBasicAuthenticationHandler.java Thu Dec 15 14:46:27 2011
@@ -169,11 +169,18 @@ class HttpBasicAuthenticationHandler ext
      * The assumption of this method unconditionally sending back the
      * 401/UNAUTHORIZED response is that this method here is only called if the
      * request actually provided invalid HTTP Basic credentials.
+     * <p>
+     * If the request is a
+     * {@link AuthUtil#isValidateRequest(HttpServletRequest) validation request}
+     * this method actually does nothing to allow for the expected 403/FORBIDDEN
+     * response to be sent.
      */
     @Override
     public void authenticationFailed(HttpServletRequest request, HttpServletResponse response,
             AuthenticationInfo authInfo) {
-        sendUnauthorized(response);
+        if (!AuthUtil.isValidateRequest(request)) {
+            sendUnauthorized(response);
+        }
     }
 
     /**
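Review bot: The first javadoc paragraph (context lines at the top of the hunk) still describes this method as "unconditionally sending back the 401/UNAUTHORIZED response", which the added paragraph and the new guard now contradict; it should read `The assumption of this method sending back the 401/UNAUTHORIZED response is that this method here is only called if the` so the two paragraphs agree. In the validation branch the method returns without writing anything to the response, and nothing in this hunk shows who then produces the 403 that the javadoc and the log message expect; a comment on the guard such as `// validation requests are denied with 403 by the caller; do not send a 401 challenge here` would pin that contract down for the next maintainer. Because `AuthUtil.isValidateRequest(request)` is evaluated on the incoming request, any client can opt out of the 401 challenge; that is only a downgrade to 403 provided the calling code really does deny the request in that case, which is worth confirming against the authenticator since it is not visible here.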