Posted to dev@sling.apache.org by "Antonio Sanso (JIRA)" <ji...@apache.org> on 2011/07/27 09:46:09 UTC

[jira] [Closed] (SLING-2084) StreamRendererServlet ignores authentication on redirect

     [ https://issues.apache.org/jira/browse/SLING-2084?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Antonio Sanso closed SLING-2084.
--------------------------------


Closing issue as per comment above.

> StreamRendererServlet ignores authentication on redirect
> --------------------------------------------------------
>
>                 Key: SLING-2084
>                 URL: https://issues.apache.org/jira/browse/SLING-2084
>             Project: Sling
>          Issue Type: Bug
>          Components: Authentication, Servlets
>    Affects Versions: Servlets Get 2.1.2
>            Reporter: Antonio Sanso
>            Priority: Minor
>         Attachments: TestUnstructuredNode.java
>
>
> Use case:
> - create a nt:unstructured node e.g. /content/a.xml 
> - execute the java class in attachment (TestUnstructuredNode.java). Output from the class  ==> status 404
> log excerpt 
> 17.05.2011 14:06:42.391 *DEBUG* [127.0.0.1 [1305634002391] GET /content/a.xml HTTP/1.1] org.apache.sling.auth.core.impl.SlingAuthenticator handleSecurity: Trying to get a session for admin
> 17.05.2011 14:06:42.393 *DEBUG* [127.0.0.1 [1305634002391] GET /content/a.xml HTTP/1.1] org.apache.sling.auth.core.impl.SlingAuthenticator setAttributes: ResourceResolver stored as request attribute: user=admin
> 17.05.2011 14:06:42.404 *DEBUG* [127.0.0.1 [1305634002404] GET /content/a.xml/ HTTP/1.1] org.apache.sling.auth.core.impl.HttpBasicAuthenticationHandler forceAuthentication: Not forcing authentication because request parameter sling:authRequestLogin is not set
> 17.05.2011 14:06:42.404 *DEBUG* [127.0.0.1 [1305634002404] GET /content/a.xml/ HTTP/1.1] org.apache.sling.auth.core.impl.SlingAuthenticator getAuthenticationInfo: no handler could extract credentials
> 17.05.2011 14:06:42.404 *DEBUG* [127.0.0.1 [1305634002404] GET /content/a.xml/ HTTP/1.1] org.apache.sling.auth.core.impl.SlingAuthenticator handleSecurity: No credentials in the request, anonymous
> 17.05.2011 14:06:42.406 *DEBUG* [127.0.0.1 [1305634002404] GET /content/a.xml/ HTTP/1.1] org.apache.sling.auth.core.impl.SlingAuthenticator setAttributes: ResourceResolver stored as request attribute: user=anonymous
> - Disable/Uncheck "Allow Anonymous Access" in the org.apache.sling.engine.impl.auth.SlingAuthenticator configuration
> - execute the java class in attachment. Output from the class  ==> May 17, 2011 2:09:30 PM org.apache.commons.httpclient.auth.AuthChallengeProcessor selectAuthScheme
> INFO: basic authentication scheme selected
> Status 200
> log excerpt 
> 17.05.2011 14:09:30.570 *DEBUG* [127.0.0.1 [1305634170570] GET /content/a.xml HTTP/1.1] org.apache.sling.auth.core.impl.SlingAuthenticator handleSecurity: Trying to get a session for admin
> 17.05.2011 14:09:30.572 *DEBUG* [127.0.0.1 [1305634170570] GET /content/a.xml HTTP/1.1] org.apache.sling.auth.core.impl.SlingAuthenticator setAttributes: ResourceResolver stored as request attribute: user=admin
> 17.05.2011 14:09:30.583 *DEBUG* [127.0.0.1 [1305634170582] GET /content/a.xml/ HTTP/1.1] org.apache.sling.auth.core.impl.HttpBasicAuthenticationHandler forceAuthentication: Not forcing authentication because request parameter sling:authRequestLogin is not set
> 17.05.2011 14:09:30.583 *DEBUG* [127.0.0.1 [1305634170582] GET /content/a.xml/ HTTP/1.1] org.apache.sling.auth.core.impl.SlingAuthenticator getAuthenticationInfo: no handler could extract credentials
> 17.05.2011 14:09:30.583 *DEBUG* [127.0.0.1 [1305634170582] GET /content/a.xml/ HTTP/1.1] org.apache.sling.auth.core.impl.SlingAuthenticator handleSecurity: No credentials in the request, anonymous
> 17.05.2011 14:09:30.583 *INFO* [127.0.0.1 [1305634170582] GET /content/a.xml/ HTTP/1.1] org.apache.sling.auth.core.impl.SlingAuthenticator getAnonymousSession: Anonymous access not allowed by configuration - requesting credentials
> 17.05.2011 14:09:30.678 *DEBUG* [127.0.0.1 [1305634170677] GET /content/a.xml/ HTTP/1.1] org.apache.sling.auth.core.impl.SlingAuthenticator handleSecurity: Trying to get a session for admin
> 17.05.2011 14:09:30.680 *DEBUG* [127.0.0.1 [1305634170677] GET /content/a.xml/ HTTP/1.1] org.apache.sling.auth.core.impl.SlingAuthenticator setAttributes: ResourceResolver stored as request attribute: user=admin
> The behavior is clearly inconsistent. The nt:unstructured node is rendered by the StreamRendererServlet class, which does a redirect (not forcing authentication), inducing the second request to use the anonymous user.
> Adding the ?sling:authRequestLogin=1 parameter to the StreamRendererServlet redirect would solve the issue, but it is not a clean solution (I am looking for a better one and I might attach a patch file).

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
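
Added example (not part of the original JIRA message or of the Sling code base): a log check for the pattern reported above, where a request for a path resolves as a named user and the redirected request for the same path with a trailing slash resolves as anonymous. The log lines are copied from the report; the function names and the 2-second correlation window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Lines copied from the SLING-2084 report, "Allow Anonymous Access" enabled.
ANON_ALLOWED = """\
17.05.2011 14:06:42.393 *DEBUG* [127.0.0.1 [1305634002391] GET /content/a.xml HTTP/1.1] org.apache.sling.auth.core.impl.SlingAuthenticator setAttributes: ResourceResolver stored as request attribute: user=admin
17.05.2011 14:06:42.404 *DEBUG* [127.0.0.1 [1305634002404] GET /content/a.xml/ HTTP/1.1] org.apache.sling.auth.core.impl.SlingAuthenticator handleSecurity: No credentials in the request, anonymous
17.05.2011 14:06:42.406 *DEBUG* [127.0.0.1 [1305634002404] GET /content/a.xml/ HTTP/1.1] org.apache.sling.auth.core.impl.SlingAuthenticator setAttributes: ResourceResolver stored as request attribute: user=anonymous
"""
# Lines copied from the same report, "Allow Anonymous Access" unchecked.
ANON_DENIED = """\
17.05.2011 14:09:30.572 *DEBUG* [127.0.0.1 [1305634170570] GET /content/a.xml HTTP/1.1] org.apache.sling.auth.core.impl.SlingAuthenticator setAttributes: ResourceResolver stored as request attribute: user=admin
17.05.2011 14:09:30.583 *INFO* [127.0.0.1 [1305634170582] GET /content/a.xml/ HTTP/1.1] org.apache.sling.auth.core.impl.SlingAuthenticator getAnonymousSession: Anonymous access not allowed by configuration - requesting credentials
17.05.2011 14:09:30.680 *DEBUG* [127.0.0.1 [1305634170677] GET /content/a.xml/ HTTP/1.1] org.apache.sling.auth.core.impl.SlingAuthenticator setAttributes: ResourceResolver stored as request attribute: user=admin
"""

# Only the setAttributes lines say which user the request finally ran as.
LINE = re.compile(
    r"^(?P<ts>\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) \*\w+\* "
    r"\[(?P<ip>\S+) \[(?P<rid>\d+)\] (?P<method>\S+) (?P<path>\S+) HTTP/[\d.]+\] "
    r".*ResourceResolver stored as request attribute: user=(?P<user>\S+)$")

def resolved_users(log):
    """Yield (time, client ip, path, user) for each request that got a resolver."""
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d.%m.%Y %H:%M:%S.%f")
            yield ts, m["ip"], m["path"], m["user"]

def auth_downgrades(log, window=timedelta(seconds=2)):
    """Find path P served as a named user, then P + '/' served as anonymous."""
    hits, seen = [], {}  # seen: (ip, path) -> (time, user)
    for ts, ip, path, user in resolved_users(log):
        prev = seen.get((ip, path.rstrip("/"))) if path.endswith("/") else None
        if prev and user == "anonymous" and prev[1] != "anonymous" and ts - prev[0] <= window:
            hits.append((ip, path, prev[1], user))
        seen[(ip, path)] = (ts, user)
    return hits
```

Run over the first excerpt, the check reports the admin-to-anonymous pair for /content/a.xml/; over the second excerpt it reports nothing, because the redirected request was challenged and re-sent as admin.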