Robert Munteanu created SLING-10383:
---------------------------------------
Summary: Do not check for redirect loops when a login fails due to
an expired token
Key: SLING-10383
URL: https://issues.apache.org/jira/browse/SLING-10383
Project: Sling
Issue Type: Improvement
Components: Authentication
Reporter: Robert Munteanu
Assignee: Robert Munteanu
Fix For: Auth Core 1.5.4
Authentication tokens issued by Oak (
https://jackrabbit.apache.org/oak/docs/security/authentication/tokenmanagement.html
) have an expiry time. The following scenario can happen:
- user is logged in to page at /content/foo.html
- authentication token expires
- user clicks to a link that takes them to the same page - /content/foo.html
Due to the {{Referer}} header check in
[SlingAuthenticator.isLoginLoop|https://github.com/apache/sling-org-apache-sling-auth-core/blob/a9280cc00465b6880f2993bcaf206e1c29e19de0/src/main/java/org/apache/sling/auth/core/impl/SlingAuthenticator.java#L1106-L1118]
the request is considered as part of a loop and does not trigger a redirect to
the login page.
We should skip the loop check for expired credentials instead and allow the
redirect login to be created.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
