Hi all,

I observed a strange behavior with the authorization header.

I provide a sling:authRequestLogin parameter on some protected resource, e.g.

        /a/b.html?sling:authRequestLogin

If I provide a link to, let's say, /a/b/c.html, then this works nicely, i.e.
the HTTP authorization header is present on that resource.

However, calling, let's say, /a/c.html, the authorization header disappears.
And worse, if I link from there back to /a/b/c.html, the credentials (that
is, the Auth header) remain lost.

This does not make sense to me, as the security realm is "Sling 
(Development)":

        WWW-Authenticate        Basic realm="Sling (Development)"

So, imho, an authorization header should be applicable for any repository
node/resource. But it looks like it's applicable only to the node where the 
authentication took place and its children.

Can somebody shed light?

Thanks,
Juerg
