Posted to dev@sling.apache.org by "Mike Müller (JIRA)" <ji...@apache.org> on 2010/09/13 10:11:33 UTC

[jira] Created: (SLING-1765) Problems with authentication if basic auth was used before opening Sling Explorer

Problems with authentication if basic auth was used before opening Sling Explorer
---------------------------------------------------------------------------------

                 Key: SLING-1765
                 URL: https://issues.apache.org/jira/browse/SLING-1765
             Project: Sling
          Issue Type: Bug
            Reporter: Mike Müller
            Priority: Minor
             Fix For: Sling Explorer 1.0.0


If you login to /system/console and then go back to /.explorer.html the explorer shows that you're logged in, which is not the case. 

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


[jira] Resolved: (SLING-1765) Problems with authentication if basic auth was used before opening Sling Explorer

Posted by "Mike Müller (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/SLING-1765?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Mike Müller resolved SLING-1765.
--------------------------------

    Resolution: Not A Problem

Shutting off HTTP Basic Auth will solve the problem; see SLING-1817.



[jira] Closed: (SLING-1765) Problems with authentication if basic auth was used before opening Sling Explorer

Posted by "Mike Müller (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/SLING-1765?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Mike Müller closed SLING-1765.
------------------------------




[jira] Commented: (SLING-1765) Problems with authentication if basic auth was used before opening Sling Explorer

Posted by "Felix Meschberger (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/SLING-1765?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12908788#action_12908788 ] 

Felix Meschberger commented on SLING-1765:
------------------------------------------

I think we are hitting two issues:

 (1) It is not readily expected to be logged in to the "Sling Application" if you have been logged into the Web Console
 (2) The explorer declaring the user logged in but not granting rights

I think we can "solve" the first issue by switching HTTP Basic Authentication completely off, instead of leaving it "on just in case credentials are presented".

I will have to see what's exactly going on for #2, though.

Thus taking over this issue for further inspection.



[jira] Commented: (SLING-1765) Problems with authentication if basic auth was used before opening Sling Explorer

Posted by "Mike Müller (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/SLING-1765?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12908780#action_12908780 ] 

Mike Müller commented on SLING-1765:
------------------------------------

@Justin: not quite right: you log in to /system/console (basic auth), go back to .explorer, the Sling Explorer says you are logged in, but you have no rights to do anything other than read... after logout it remains the same.



[jira] Commented: (SLING-1765) Problems with authentication if basic auth was used before opening Sling Explorer

Posted by "Mike Müller (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/SLING-1765?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12908775#action_12908775 ] 

Mike Müller commented on SLING-1765:
------------------------------------

In this case switching off HTTP Basic auth should really be considered as default.

What confuses me a bit is that, even if I can't see credentials existing in the HTTP header (after clicking logout), Sling Explorer still shows admin as logged in. But neither before nor after logout the admin seems to be really logged in to JCR.



[jira] Commented: (SLING-1765) Problems with authentication if basic auth was used before opening Sling Explorer

Posted by "Justin Edelson (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/SLING-1765?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12908776#action_12908776 ] 

Justin Edelson commented on SLING-1765:
---------------------------------------

I'm confused... how is this a bug? You authenticated and the explorer says you are logged in. That sounds like a good thing.




[jira] Commented: (SLING-1765) Problems with authentication if basic auth was used before opening Sling Explorer

Posted by "Justin Edelson (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/SLING-1765?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12908795#action_12908795 ] 

Justin Edelson commented on SLING-1765:
---------------------------------------

@Mike - thanks. I see the issue now.

I guess removing http auth is the only way to deal with this, but I see (1) as a feature, not a bug :)



[jira] Commented: (SLING-1765) Problems with authentication if basic auth was used before opening Sling Explorer

Posted by "Mike Müller (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/SLING-1765?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12917682#action_12917682 ] 

Mike Müller commented on SLING-1765:
------------------------------------

I marked this issue as resolved and created a new issue to switch HTTP Basic Authentication completely off --> SLING-1817



[jira] Commented: (SLING-1765) Problems with authentication if basic auth was used before opening Sling Explorer

Posted by "Mike Müller (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/SLING-1765?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12914158#action_12914158 ] 

Mike Müller commented on SLING-1765:
------------------------------------

What's the state of this issue, is HTTP Basic Authentication now switched completely off by default?



[jira] Commented: (SLING-1765) Problems with authentication if basic auth was used before opening Sling Explorer

Posted by "Felix Meschberger (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/SLING-1765?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12908667#action_12908667 ] 

Felix Meschberger commented on SLING-1765:
------------------------------------------

Well, it may actually really be the case: The browser sends the credentials preemptively to Sling, which checks the request against all authentication handlers, falling back to the HTTP Basic Authentication handler by default accepting preemptively sent HTTP Basic credentials.

As a result the request is actually authenticated, when it should really be ...

I cannot imagine a solution right now, but the workaround certainly is to switch HTTP Basic authentication off completely -- or use another browser which does not preemptively send credentials, e.g. Chrome or Safari.

As it stands, this looks like "works as designed" ;-) (Agreed, it is not 100% expected, though)

How about -- by default -- switch off HTTP Basic authentication completely; thus not even support preemptive authentication out of the box?



[jira] Commented: (SLING-1765) Problems with authentication if basic auth was used before opening Sling Explorer

Posted by "Felix Meschberger (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/SLING-1765?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12908800#action_12908800 ] 

Felix Meschberger commented on SLING-1765:
------------------------------------------

@Clemens: no, the explorer should not be tied too much into the form authentication and just as well work together with HTTP Basic authentication (and OpenID or whatever). [Though I really like the login popup at the top of the screen, which IMHO is ok to tie into form auth handler]



[jira] Assigned: (SLING-1765) Problems with authentication if basic auth was used before opening Sling Explorer

Posted by "Felix Meschberger (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/SLING-1765?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Felix Meschberger reassigned SLING-1765:
----------------------------------------

    Assignee: Felix Meschberger



[jira] Commented: (SLING-1765) Problems with authentication if basic auth was used before opening Sling Explorer

Posted by "Clemens Wyss (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/SLING-1765?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12908799#action_12908799 ] 

Clemens Wyss commented on SLING-1765:
-------------------------------------

Wouldn't the "clean" solution be for the explorer to not only check if authType is set, but that authType == 'Form'?

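A simplified model of the behaviour discussed in this thread (Felix Meschberger's description of the handler fallback accepting preemptively sent credentials, and Clemens Wyss's proposed `authType == 'Form'` check), added here as an illustration; it is not Sling or Sling Explorer code. The handler functions, the `basic_mode` values, the `session_user` cookie and the `admin`/`admin` credentials are assumptions made for the example.

```python
import base64

# Constructed credential store for the example; not taken from the thread.
USERS = {"admin": "admin"}


def form_handler(req):
    """Form handler: claims only requests carrying a known session cookie."""
    user = req.get("cookies", {}).get("session_user")  # hypothetical cookie name
    return ("FORM", user) if user in USERS else None


def basic_handler(req, basic_mode):
    """HTTP Basic handler with a hypothetical two-valued setting:
    'preemptive' = never challenge, but accept credentials if presented;
    'disabled'   = ignore the Authorization header entirely."""
    header = req.get("headers", {}).get("Authorization", "")
    if basic_mode == "disabled" or not header.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(header[6:]).decode()
    except ValueError:  # malformed base64 or non-UTF-8 bytes
        return None
    user, _, password = decoded.partition(":")
    return ("BASIC", user) if USERS.get(user) == password else None


def authenticate(req, basic_mode):
    """Try the handlers in order, Basic last as the fallback.
    Returns (auth_type, user); auth_type is None for anonymous requests."""
    return (form_handler(req)
            or basic_handler(req, basic_mode)
            or (None, "anonymous"))


def ui_logged_in_any(auth_type):
    """UI check that treats any set authType as 'logged in'."""
    return auth_type is not None


def ui_logged_in_form_only(auth_type):
    """The stricter check proposed in the thread: authType must be Form."""
    return auth_type == "FORM"


def preemptive_request(path, user, password):
    """A request as a browser would send it when it reuses cached Basic
    credentials without waiting for a 401 challenge."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"path": path, "headers": {"Authorization": f"Basic {token}"}}
```

With `basic_mode="preemptive"` the request to `/.explorer.html` is authenticated through the fallback even though no form login took place; the form-only UI check hides that session, which is the coupling to the form handler that Felix objects to.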