[ https://issues.apache.org/jira/browse/SLING-10383?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17346105#comment-17346105 ]
Robert Munteanu commented on SLING-10383:
-----------------------------------------

The expired token checks will make use of the new exception class introduced in OAK-9433, but without adding a new OSGi dependency.

> Do not check for redirect loops when a login fails due to an expired token
> --------------------------------------------------------------------------
>
>                 Key: SLING-10383
>                 URL: https://issues.apache.org/jira/browse/SLING-10383
>             Project: Sling
>          Issue Type: Improvement
>          Components: Authentication
>            Reporter: Robert Munteanu
>            Assignee: Robert Munteanu
>            Priority: Minor
>             Fix For: Auth Core 1.5.4
>
>
> Authentication tokens issued by Oak ( https://jackrabbit.apache.org/oak/docs/security/authentication/tokenmanagement.html ) have an expiry time. The following scenario can happen:
> - user is logged in to page at /content/foo.html
> - authentication token expires
> - user clicks a link that takes them to the same page - /content/foo.html
>
> Due to the {{Referer}} header check in [SlingAuthenticator.isLoginLoop|https://github.com/apache/sling-org-apache-sling-auth-core/blob/a9280cc00465b6880f2993bcaf206e1c29e19de0/src/main/java/org/apache/sling/auth/core/impl/SlingAuthenticator.java#L1106-L1118] the request is considered part of a loop and does not trigger a redirect to the login page.
>
> We should skip the loop check for expired credentials instead and allow the login redirect to be created.

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
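The scenario in the issue, as an added illustration that is not Sling's code and not part of the Jira thread: a Referer-based loop check in the spirit of SlingAuthenticator.isLoginLoop, shown with the pre-fix decision (loop check applies to every failure) beside the post-fix decision the issue proposes (an expired token never counts as a loop). The `Request` record, the `LoginFailure` enum and the two `shouldRedirectToLogin*` methods are assumptions made for the example; in the real module the "expired" signal comes from the authentication handler (the comment above says the implementation relies on the exception class introduced in OAK-9433), which is not modelled here. Requires Java 16 or newer for records.

```java
import java.util.Map;

/** Illustrative stand-in for the request fields the loop check needs (not the servlet API). */
record Request(String method, String requestUrl, Map<String, String> headers) {
    String header(String name) {
        return headers.get(name);
    }
}

/** Why the credentials were rejected; EXPIRED_TOKEN is the case SLING-10383 special-cases. */
enum LoginFailure { INVALID, EXPIRED_TOKEN }

public class LoginLoopCheck {

    /**
     * Heuristic loop detection modelled on the Referer comparison in
     * SlingAuthenticator.isLoginLoop: a GET whose Referer is the requested page
     * itself looks like "the login page already sent the browser back here".
     * This is a simplified reconstruction for the example, not the module's code.
     */
    static boolean isLoginLoop(Request req) {
        if (!"GET".equals(req.method())) {
            return false;
        }
        String referer = req.header("Referer");
        return referer != null && referer.equals(req.requestUrl());
    }

    /** Pre-fix behaviour (assumed for the example): the loop check runs for every failure. */
    static boolean shouldRedirectToLoginBefore(Request req, LoginFailure failure) {
        return !isLoginLoop(req);
    }

    /** Behaviour proposed in the issue: skip the loop check when the token merely expired. */
    static boolean shouldRedirectToLoginAfter(Request req, LoginFailure failure) {
        if (failure == LoginFailure.EXPIRED_TOKEN) {
            // An expired token is not a failed login attempt bouncing back from the
            // login page, so a redirect cannot create a loop here; let it happen.
            return true;
        }
        // Genuinely bad credentials keep the loop protection.
        return !isLoginLoop(req);
    }

    public static void main(String[] args) {
        // Constructed sample: the user was on /content/foo.html, the token expired,
        // and they followed a link pointing at the same page. The host is a placeholder.
        Request sameLink = new Request("GET",
                "https://example.invalid/content/foo.html",
                Map.of("Referer", "https://example.invalid/content/foo.html"));

        System.out.println("before fix, expired token -> redirect to login? "
                + shouldRedirectToLoginBefore(sameLink, LoginFailure.EXPIRED_TOKEN));
        System.out.println("after fix,  expired token -> redirect to login? "
                + shouldRedirectToLoginAfter(sameLink, LoginFailure.EXPIRED_TOKEN));
        System.out.println("after fix,  invalid credentials -> redirect to login? "
                + shouldRedirectToLoginAfter(sameLink, LoginFailure.INVALID));
    }
}
```

In the first call the Referer equals the request URL, so the loop heuristic suppresses the redirect and the user is stuck on a page they can no longer access with an expired token. In the second call the expired-token branch bypasses the heuristic and the login redirect is issued. The third call shows that the narrow exemption leaves the loop protection in place for credentials that are actually invalid, which is the caveat to keep in mind when widening any such bypass: only failure classes that cannot themselves be produced by the login page bouncing the browser back should skip the check.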