Hi Andy, the sling.auth.requirements don’t mingle with the access rights. This configuration only influences whether the user should be redirected to the login page (in case he is not yet logged in) or not. Hope this helps Konrad
> Am 31.07.2019 um 17:47 schrieb Andreas Schaefer <schaef...@me.com.invalid>: > > Hi > We at Peregrine CMS ran into an issue with Sling 11 and the Sling > Authenticator. I adjusted the scenario to plain Sling to explain. > > OOTB there is not access to /etc/clientlibs/repl/ace.js meaning when I try to > access that page in a browser and are not logged in I will get a 404. > > Now I add ‘-/etc/clientlibs/repl’ to the Sling Authenticator’s > sling.auth.requirements and try again and I will still get a 404. This was > working in Sling 9. Adding read permission to everyone on > /etc/clientlibs/repl makes the file accessible. > > Giving read permission for our case is fine but it seems to me that the Sling > Authenticator’s sling.auth.requirements with ‘-‘ prefix is superfluous as it > does not give access to a node w/o logging in. The only thing it does is to > force a login with ‘+/etc/clientlibs/repl’ even if everyone has access. > > Cheers - Andy
