[ 
https://issues.apache.org/jira/browse/SLING-6053?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15885587#comment-15885587
 ] 

Konrad Windszus edited comment on SLING-6053 at 2/27/17 11:09 AM:
------------------------------------------------------------------

[~asanso] The patch is only a heuristic and does not work for all cases. Just 
imagine the following use case
{{resource1}} requires authentication
{{resource1.test2}} does not require authentication
In that case the latter would also be covered by your logic in 
{{isNodeRequiresAuthHandler}} which returns {{true}} but in fact it should not.

I am not sure whether that behavior is better or worse than before. (Better 
because it will for most of the cases work as expected, worse because it is 
even harder to document the behavior for resource names containing "." itself).

The problem is that with just having the request URL String you cannot tell 
what is a selector and what belongs to the resource's name.


was (Author: kwin):
[~asanso] The patch is only a heuristic and does not work for all cases. Just 
imagine the following use case
{{resource1}} requires authentication
{{resource1.test2}} does not require authentication
In that case the latter would also be covered by your logic in 
{{isNodeRequiresAuthHandler}} but in fact it should not.
I am not sure whether that behavior is better or worse than before. (Better 
because it will for most of the cases work as expected, worse because it is 
even harder to document the behaviour for resource names containing "." itself).

The problem is that with just having the request URL String you cannot tell 
what is a selector and what belongs to the resource's name.

> SlingAuthenticator identifies wrong sibling node with AuthenticationInfo
> ------------------------------------------------------------------------
>
>                 Key: SLING-6053
>                 URL: https://issues.apache.org/jira/browse/SLING-6053
>             Project: Sling
>          Issue Type: Bug
>          Components: Authentication
>    Affects Versions: Auth Core 1.3.18
>            Reporter: Miklos Csere
>            Assignee: Antonio Sanso
>            Priority: Blocker
>         Attachments: SLING-6053-patch.txt
>
>
> Issue can be reproduced with the following steps:
>     Create node "/page" 
>     Create sibling node "/page1"
>     Define a protection handler for node: "/page"
> Expected: 
>             "/page" has AuthenticationInfo
>              "/page1" does not have AuthenticationInfo (has anonymous)
>   
> Actual:  "/page" & "page1" are both having AuthenticationInfo
>      
> Reason: SlingAuthenticator.java line 726:  if (path.startsWith(holder.path)) 
> Warning: The same check is used in 4 more places in code with similar 
> behaviour.
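
The sibling-node confusion described in the issue and the selector ambiguity raised in the comment can be compared side by side. This is an added example, not Sling's code and not the attached patch; the class and method names are hypothetical, and `dotHeuristic` is only an assumed shape for a "."-aware check.

```java
public class AuthPathMatch {

    // The check quoted in the issue: a plain string prefix test.
    static boolean naive(String path, String protectedPath) {
        return path.startsWith(protectedPath);
    }

    // Prefix match that only counts on a path-segment boundary.
    static boolean segmentAware(String path, String protectedPath) {
        if (!path.startsWith(protectedPath)) {
            return false;
        }
        if (path.length() == protectedPath.length() || protectedPath.endsWith("/")) {
            return true;
        }
        return path.charAt(protectedPath.length()) == '/';
    }

    // Assumed heuristic: additionally treat '.' as the start of selectors or
    // an extension. From the URL string alone this cannot be told apart from
    // a separate resource whose name contains a dot.
    static boolean dotHeuristic(String path, String protectedPath) {
        if (segmentAware(path, protectedPath)) {
            return true;
        }
        // Reaching here with a prefix match means path is strictly longer.
        return path.startsWith(protectedPath)
                && path.charAt(protectedPath.length()) == '.';
    }

    public static void main(String[] args) {
        // Constructed cases: {protected path, request path}.
        String[][] cases = {
            {"/page", "/page"},
            {"/page", "/page1"},                 // sibling from the issue
            {"/page", "/page/child"},
            {"/page", "/page.html"},             // extension on the protected node
            {"/resource1", "/resource1.test2"},  // separate resource from the comment
        };
        System.out.printf("%-12s %-18s %-6s %-8s %s%n",
                "protected", "request", "naive", "segment", "dot");
        for (String[] c : cases) {
            System.out.printf("%-12s %-18s %-6b %-8b %b%n", c[0], c[1],
                    naive(c[1], c[0]), segmentAware(c[1], c[0]), dotHeuristic(c[1], c[0]));
        }
    }
}
```

The last two rows are the point of the comment: a string-only check that accepts `/page.html` for `/page` necessarily accepts `/resource1.test2` for `/resource1`, so separating them requires resolving the resource rather than inspecting the URL.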


