[
https://issues.apache.org/jira/browse/SLING-10383?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17346105#comment-17346105
]
Robert Munteanu commented on SLING-10383:
-----------------------------------------
The expired token checks will make use of the new exception class introduced in
OAK-9433, but without adding a new OSGi dependency.
> Do not check for redirect loops when a login fails due to an expired token
> --------------------------------------------------------------------------
>
> Key: SLING-10383
> URL: https://issues.apache.org/jira/browse/SLING-10383
> Project: Sling
> Issue Type: Improvement
> Components: Authentication
> Reporter: Robert Munteanu
> Assignee: Robert Munteanu
> Priority: Minor
> Fix For: Auth Core 1.5.4
>
>
> Authentication tokens issued by Oak (
> https://jackrabbit.apache.org/oak/docs/security/authentication/tokenmanagement.html
> ) have an expiry time. The following scenario can happen:
> - user is logged in to page at /content/foo.html
> - authentication token expires
> - user clicks to a link that takes them to the same page - /content/foo.html
> Due to the {{Referer}} header check in
> [SlingAuthenticator.isLoginLoop|https://github.com/apache/sling-org-apache-sling-auth-core/blob/a9280cc00465b6880f2993bcaf206e1c29e19de0/src/main/java/org/apache/sling/auth/core/impl/SlingAuthenticator.java#L1106-L1118]
> the request is considered as part of a loop and does not trigger a redirect
> to the login page.
> We should skip the loop check for expired credentials instead and allow the
> redirect login to be created.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
