Posted to dev@sling.apache.org by Andreas Schaefer <sc...@me.com.INVALID> on 2019/07/31 15:47:35 UTC

Sling Authenticator issue on Sling 11

Hi

We at Peregrine CMS ran into an issue with Sling 11 and the Sling Authenticator. I adjusted the scenario to plain Sling to explain.

OOTB there is no access to /etc/clientlibs/repl/ace.js, meaning when I try to access that page in a browser and am not logged in I will get a 404.

Now I add ‘-/etc/clientlibs/repl’ to the Sling Authenticator’s sling.auth.requirements and try again and I will still get a 404. This was working in Sling 9. Adding read permission to everyone on /etc/clientlibs/repl makes the file accessible.

Giving read permission for our case is fine but it seems to me that the Sling Authenticator’s sling.auth.requirements with ‘-’ prefix is superfluous as it does not give access to a node w/o logging in. The only thing it does is to force a login with ‘+/etc/clientlibs/repl’ even if everyone has access.

Cheers - Andy

Re: Sling Authenticator issue on Sling 11

Posted by Konrad Windszus <ko...@gmx.de>.
Hi Andy, the sling.auth.requirements don’t mingle with the access rights. This configuration only influences whether the user should be redirected to the login page (in case he is not yet logged in) or not. Hope this helps 
Konrad 

> On 31.07.2019 at 17:47, Andreas Schaefer <sc...@me.com.invalid> wrote:
> 
> Hi
> We at Peregrine CMS ran into an issue with Sling 11 and the Sling Authenticator. I adjusted the scenario to plain Sling to explain.
> 
> OOTB there is no access to /etc/clientlibs/repl/ace.js, meaning when I try to access that page in a browser and am not logged in I will get a 404.
> 
> Now I add ‘-/etc/clientlibs/repl’ to the Sling Authenticator’s sling.auth.requirements and try again and I will still get a 404. This was working in Sling 9. Adding read permission to everyone on /etc/clientlibs/repl makes the file accessible.
> 
> Giving read permission for our case is fine but it seems to me that the Sling Authenticator’s sling.auth.requirements with ‘-’ prefix is superfluous as it does not give access to a node w/o logging in. The only thing it does is to force a login with ‘+/etc/clientlibs/repl’ even if everyone has access.
> 
> Cheers - Andy
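
The two independent checks discussed in this thread, as an added example that is not part of the original messages and is not Sling code: a simplified Python model of how the login requirement and the anonymous read permission combine for /etc/clientlibs/repl/ace.js. The function names, the readable-subtree list, the longest-prefix matching and the anonymous-by-default setting are assumptions of the model.

```python
# Simplified model of the behaviour described in the thread. Not Sling code:
# all names, the ACL stand-in and the matching rule are illustrative assumptions.

def login_required(path, requirements, anonymous_default=True):
    """Evaluate sling.auth.requirements-style entries for a request path.

    '-' prefix: no login needed; '+' or no prefix: login needed.
    Assumption: the longest matching path prefix wins; with no match the
    default applies (anonymous allowed, as in the thread's OOTB 404 case).
    """
    best_len, required = -1, not anonymous_default
    for entry in requirements:
        needs_login = not entry.startswith("-")
        prefix = entry.lstrip("+-").rstrip("/")
        if path == prefix or path.startswith(prefix + "/"):
            if len(prefix) > best_len:
                best_len, required = len(prefix), needs_login
    return required


def anonymous_can_read(path, readable_subtrees):
    """Stand-in for the repository ACL check made for the anonymous user."""
    return any(path == p or path.startswith(p + "/") for p in readable_subtrees)


def outcome(path, requirements, readable_subtrees):
    """Result of a request sent without credentials."""
    if login_required(path, requirements):
        return "login"  # the authenticator asks for credentials first
    # The request continues as anonymous; access rights alone decide now.
    return "200" if anonymous_can_read(path, readable_subtrees) else "404"


PATH = "/etc/clientlibs/repl/ace.js"
SUBTREE = "/etc/clientlibs/repl"


def matrix():
    """The four combinations raised in the thread, for a not-logged-in user."""
    return {
        "no entry, no read ACL": outcome(PATH, [], []),
        "'-' entry, no read ACL": outcome(PATH, ["-" + SUBTREE], []),
        "'-' entry, read ACL": outcome(PATH, ["-" + SUBTREE], [SUBTREE]),
        "'+' entry, read ACL": outcome(PATH, ["+" + SUBTREE], [SUBTREE]),
    }


if __name__ == "__main__":
    for case, result in matrix().items():
        print(f"{case:24} -> {result}")
```
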