[ https://issues.apache.org/jira/browse/SLING-2592?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13580969#comment-13580969 ]
Ian Boston commented on SLING-2592: ----------------------------------- The patch looks good, however I cant see how it addresses the reported issue. It does ensure that if the requested hostname is in the cache for both the request scheme (eg https) and the default scheme "", then both sets of PathBasedHolders are made available to the caller. Previously the specific for the scheme was overwritten by the default for the scheme (hence why the patch makes sense). Perhaps the description of the report is wrong. I am not keen on applying the patch until I know why if fixes the problem in the description. I also notice that there is some out of band typing in this area. org.apache.sling.auth.core.impl.PathBasedHolderCache.findApplicableHolder(HttpServletRequest) returns a List<Type extends PathBasedHolder> and when called its cast to List<AbstractAuthenticationHandlerHolder> which although correct at the moment may not remain correct. It could result in a classcast exception if there is anything else implementing a PathBasedHolder. (not certain how important that is). > Anonymous/nonanonymous access grant is not effective for mapped paths. > ---------------------------------------------------------------------- > > Key: SLING-2592 > URL: https://issues.apache.org/jira/browse/SLING-2592 > Project: Sling > Issue Type: Bug > Components: Authentication > Affects Versions: Auth Core 1.0.6 > Reporter: Dominik Smogór > Attachments: authcore-SLING-2592.patch > > > I'm using sling with CQ 5.4 with a custom authentication handler and custom > auth info provider (one that sets "sling.auth.requirements" property). The > handler expects requestCredentials to be called for some paths. When any of > them is mapped (requestResolver.map returns full http URL) the > SlingAuthenticator fails to recognize path as non anonymous and the request > processing ends with 404 error instead of login page redirect. -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators For more information on JIRA, see: http://www.atlassian.com/software/jira