Posted to dev@sling.apache.org by "Felix Meschberger (JIRA)" <ji...@apache.org> on 2008/01/18 15:08:33 UTC

[jira] Closed: (SLING-4) AuthenticationFilter only logs RepositoryException, without rethrowing it

     [ https://issues.apache.org/jira/browse/SLING-4?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Felix Meschberger closed SLING-4.
---------------------------------

    Resolution: Fixed

Implemented the proposed behaviour in Rev. 613168.

> AuthenticationFilter only logs RepositoryException, without rethrowing it
> -------------------------------------------------------------------------
>
>                 Key: SLING-4
>                 URL: https://issues.apache.org/jira/browse/SLING-4
>             Project: Sling
>          Issue Type: Improvement
>          Components: Core
>            Reporter: Felix Meschberger
>
> Currently org.apache.sling.core.impl.auth.AuthenticationFilter eats some exceptions, or more precisely only logs them, without rethrowing them.
> For example:
>   } catch (RepositoryException re) {
>     log.error("Unable to authenticate: {}", re.getMessage());
>   }
> At the application level this means that, if a Repository is not available, the user's login is refused as if a wrong password had been entered, without any mention of the Repository problem at the user level.
> I'm not sure about all the implications, but it might be good for AuthenticationFilter to rethrow more exceptions, to differentiate between pure authentication problems and other problems.
> I am not sure whether we want to throw implementation details such as a non-available repository into his face (remember those great sites which present MS ODBC messages to the innocent user :-) )
> On the other hand something like a javax.servlet.UnavailableException might be useful - though this exception is intended to be thrown by the init method (IIRC). Only logging the message is not useful either.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
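
The distinction the issue asks for, as an added example that is not part of the original message and not Sling's code or the change made in Rev. 613168: a rejected login and a repository fault both deny access, but they produce different responses, and the backend detail goes to the log rather than to the user. The exception classes are JDK-only stand-ins for javax.jcr.RepositoryException and its subclass javax.jcr.LoginException; `Login`, `Response`, `authenticate` and the 401/503 mapping are assumptions made for illustration.

```java
import java.util.logging.Level;
import java.util.logging.Logger;

public class AuthOutcomeDemo {
    // Stand-ins for javax.jcr.RepositoryException and its subclass
    // javax.jcr.LoginException, so the example compiles with the JDK alone.
    static class RepositoryException extends Exception {
        RepositoryException(String m) { super(m); }
    }
    static class LoginException extends RepositoryException {
        LoginException(String m) { super(m); }
    }

    // Hypothetical login hook; a real filter would call Repository.login(credentials).
    interface Login { void attempt() throws RepositoryException; }

    // What the client is told: a status code and a message with no backend detail.
    record Response(int status, String body) {}

    private static final Logger LOG = Logger.getLogger("auth");

    static Response authenticate(Login login) {
        try {
            login.attempt();
            return new Response(200, "OK");
        } catch (LoginException le) {
            // Credentials were rejected: the only case that should look like a failed login.
            LOG.info("Login rejected: " + le.getMessage());
            return new Response(401, "Authentication failed");
        } catch (RepositoryException re) {
            // Backend fault: access is still denied, but it is reported as unavailability.
            // The cause and its stack trace go to the log, not to the client.
            LOG.log(Level.SEVERE, "Repository unavailable during authentication", re);
            return new Response(503, "Service temporarily unavailable");
        }
    }

    public static void main(String[] args) {
        // Constructed scenarios, not taken from Sling.
        Response ok = authenticate(() -> {});
        Response bad = authenticate(() -> { throw new LoginException("credentials rejected"); });
        Response down = authenticate(() -> { throw new RepositoryException("constructed backend failure detail"); });
        for (Response r : new Response[] { ok, bad, down }) {
            System.out.println(r.status() + " " + r.body());
        }
    }
}
```

The subclass must be caught first; a single `catch (RepositoryException re)` handles both cases identically, which is the behaviour the issue describes.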