Hi all,
I am trying to tackle issues SLING-1400 [1] and SLING-1745 [2].
The first issue is about WebDAV clients connecting to Sling on root with
an OPTIONS request and not being happy with a redirect response, obviously.
The second issue is about client side JavaScript application frameworks
which may send XHR requests to Sling, mainly POSTs destined for the POST
Servlet but probably also other stuff. Such frameworks are also generally
not very happy getting redirect responses back.
Solutions for both problems would probably have to be implemented in the
SlingAuthenticator.doLogin method, which is called after an unsuccessful
login or after a first request noticing that authentication is required.
So here are the options I came up with:
* Send back a 401 response, at least for the OPTIONS request
to trigger a regular HTTP Basic Authentication
* Send back a 403 response, to indicate that access is currently
forbidden (we discussed this option earlier [3]).
My questions:
- Would it be ok to special case the OPTIONS request?
- Shall we generally only send back a generic credentials request
(may be a redirect or a form directly or whatever) if the
original request was GET and send back either 401 or 403 for
all non-GET requests, including HEAD?
- Is it a good idea to send back 401 generally?
- Should we only send back 401 if HTTP Basic authentication is
enabled fully or enabled preemptively and send back 403 if
HTTP Basic authentication is switched off completely?
- Am I completely off track?
WDYT?
Regards
Felix
[1] https://issues.apache.org/jira/browse/SLING-1400
[2] https://issues.apache.org/jira/browse/SLING-1745
[3] http://markmail.org/message/jwsvk6swnxvvfsyz
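To make the options in the mail concrete, here is an added example (not Sling code, and not the SlingAuthenticator.doLogin implementation) of a decision routine that picks the challenge response from the request method and the HTTP Basic configuration: GET gets the generic credentials request (a redirect to a login form), every other method including HEAD and OPTIONS gets 401 when Basic authentication is enabled or preemptive and 403 when it is switched off. The mode constants, the realm, the login URL and the `resource` query parameter are assumptions made for the example.

```python
from dataclasses import dataclass, field
from urllib.parse import quote

# Hypothetical names for the three HTTP Basic modes discussed in the mail.
BASIC_OFF = "off"
BASIC_PREEMPTIVE = "preemptive"
BASIC_ENABLED = "enabled"


@dataclass
class Challenge:
    """Status and headers of the response sent when authentication is required."""
    status: int
    headers: dict = field(default_factory=dict)


def login_challenge(method, basic_auth_mode, request_path="/",
                    realm="example-realm", login_url="/login.html"):
    """Choose the credentials challenge for an unauthenticated request.

    - GET: the generic credentials request, here a redirect to a login form
      that carries the originally requested path (constructed convention).
    - Any other method (POST from an XHR framework, HEAD, OPTIONS from a
      WebDAV client): never redirect; send 401 with a Basic challenge when
      Basic authentication is usable, otherwise a plain 403.
    """
    if basic_auth_mode not in (BASIC_OFF, BASIC_PREEMPTIVE, BASIC_ENABLED):
        raise ValueError(f"unknown HTTP Basic mode: {basic_auth_mode!r}")

    if method.upper() == "GET":
        location = f"{login_url}?resource={quote(request_path, safe='')}"
        return Challenge(302, {"Location": location, "Cache-Control": "no-store"})

    if basic_auth_mode in (BASIC_ENABLED, BASIC_PREEMPTIVE):
        # 401 is only meaningful with a WWW-Authenticate header; the client
        # (browser, WebDAV agent or XHR framework) can then retry with credentials.
        return Challenge(401, {"WWW-Authenticate": f'Basic realm="{realm}"',
                               "Cache-Control": "no-store"})

    # Basic authentication is off: there is no challenge the client could
    # answer, so report that access is currently forbidden.
    return Challenge(403, {"Cache-Control": "no-store"})
```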