On Fri, Nov 4, 2011 at 6:13 AM, Felix Meschberger <fmesc...@adobe.com> wrote:
> Hi all,
>
> Stipulated by the Servlet API specification saying that FORM based 
> authentication should use request URLs ending with /j_security_check with 
> request parameters j_username and j_password, most of the Sling 
> Authentication Handlers involving some form of FORM based authentication (for 
> example the Form Based Authentication Handler or the OpenID Authentication 
> Handler), actually use this form of request URLs.
>
> Likewise these authentication handlers also generally require the POST 
> request method to be used.
>
> Sometimes, though, an Authentication Handler might be misbehaving or by some 
> other fact of dynamic life a .../j_security_check POST request might not be 
> handled by the authentication system and fall through to some POST servlet, 
> e.g. the Sling POST Servlet. To prevent storing login data in the repository, 
> I implemented a workaround as of SLING-2120 [1].
>
> Yet, it still is a workaround.
>
> So I am contemplating the following change to the 
> SlingAuthenticator.handleSecurity method: If the method would return with 
> true (indicating regular request processing) but the request is POST to 
> .../j_security_check, then the request should actually fail with a 403.
>
> Advantage: No inadvertent handling of this request in the Sling processing 
> pipeline
> Disadvantage: No POST request to any .../j_security_check URL will ever pass 
> through Sling's Authentication mechanism
>
> WDYT ?

+1

But I'd suggest making this a configurable list of paths, defaulting
to /j_security_check

Justin

>
> Regards
> Felix
>
> [1] https://issues.apache.org/jira/browse/SLING-2120
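A sketch of the check Felix proposes, extended with the configurable list of paths Justin suggests, as an added example that is neither code from this thread nor Sling's own implementation; the class name, method names and the idea of calling it at the point where handleSecurity would otherwise return true are assumptions.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.List;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical helper (not Sling's code): refuses a POST whose path ends in a
 * login-form suffix once it has fallen through the authentication handlers,
 * so the credentials never reach a content-storing servlet.
 */
public class LoginPostGuard {

    /** Default taken from the Servlet spec; the list is meant to be configurable. */
    public static final List<String> DEFAULT_SUFFIXES =
            Collections.singletonList("/j_security_check");

    private final List<String> suffixes;

    public LoginPostGuard(List<String> configuredSuffixes) {
        this.suffixes = (configuredSuffixes == null || configuredSuffixes.isEmpty())
                ? DEFAULT_SUFFIXES : configuredSuffixes;
    }

    /** True if the request is a POST to a path ending with one of the suffixes. */
    public boolean isStrayLoginPost(String method, String path) {
        if (!"POST".equalsIgnoreCase(method) || path == null) {
            return false;
        }
        for (String suffix : suffixes) {
            if (path.endsWith(suffix)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Assumed to be called where handleSecurity would otherwise return true.
     * Sends 403 and returns false (stop processing) for a stray login POST;
     * returns true so that regular request processing continues otherwise.
     */
    public boolean allowProcessing(HttpServletRequest request,
                                   HttpServletResponse response) throws IOException {
        // getRequestURI() carries no query string, so the suffix test is exact.
        if (isStrayLoginPost(request.getMethod(), request.getRequestURI())) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN,
                    "Login form POST was not handled by an authentication handler");
            return false;
        }
        return true;
    }
}
```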
