[ https://issues.apache.org/jira/browse/SLING-1656?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12898856#action_12898856 ]
Felix Meschberger commented on SLING-1656: ------------------------------------------ Modified the built-in HTTP Basic Authentication Handler in Rev. 985879 as follows: General assumption is that the built-in handler is only called if no other (registered) authentication handler was willing to handle the request. Thus the built-in HTTP Basic Authentication Handler is free to request credentials if the sling:authRequestLogin parameter is set to any value. We do this mainly for backwards compatibility. The primary way of asking the server to be presented with an oportunity to provide credentials is calling either the Authenticator.login method (on the server side) or to request the Login Servlet (from the client side). Likewise the built-in handler's requestCredentials method is only called if no other authentication handler was willing to request credentials. In this case the built-in handler will send back a 401/UNAUTHENTICATED response to request credentials. > Integration test AuthRequestLoginTest.testForcedLogin fails after removing > HTTP Authenticator bundle > ---------------------------------------------------------------------------------------------------- > > Key: SLING-1656 > URL: https://issues.apache.org/jira/browse/SLING-1656 > Project: Sling > Issue Type: Bug > Components: Authentication > Affects Versions: Commons Auth 1.0.0 > Reporter: Felix Meschberger > Assignee: Felix Meschberger > Fix For: Commons Auth 1.0.0 > > > After removing the HTTP Authentication Handler from the build an integration > test fails because the HTTP Basic authentication handler built into the > auth/core bundle does not request credentials. > The reason for this is, that the old HTTP Authentication Handler checked the > "sling:authRequestLogin" parameter and forced authentication by sending back > a 401 response whenever that parameter was set to any value but no (HTTP > BASIC) credentials were present in the request. > The new HTTP Basic authentication handler built into the auth/core bundle > only sends back the 401 response if the "sling:authRequestLogin" parameter is > set to either "BASIC" or "1". The idea is, that this parameter may not only > be used to request being logged in but also to select a concrete > authentication handler. > So, for backwards compatibility, the built-in HTTP Basic handler should also > send back a 401 response if the parameter is set and no other authentication > handler sent back a request for credentials before hand. -- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online.