Prevent Login Request loop
--------------------------

Key: SLING-1831
URL: https://issues.apache.org/jira/browse/SLING-1831
Project: Sling
Issue Type: Improvement
Components: Authentication
Affects Versions: Auth Core 1.0.2
Reporter: Felix Meschberger
Assignee: Felix Meschberger
Fix For: Auth Core 1.0.4

Depending on AuthenticationHandler specifics it is conceivable that the Sling Authenticator support may enter an endless redirect loop with the client. Consider this:

#1 client provides wrong credentials (e.g. cookie, HTTP Basic authentication header)
#2 authenticator decides to call AuthenticationHandler.requestCredentials
#3 authentication handler sends a redirect to the client
#4 client requests redirect target again providing wrong credentials
#5 authenticator decides to call AuthenticationHandler.requestCredentials
#6 continue with step #3

This loop should be broken in the authenticator: As soon as the authenticator recognizes a (potential) redirect loop, the authentication handler should not be called again but instead an immediate error response should be sent back.
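
The loop in steps #1 to #6 and one way an authenticator could break it, as an added example that is not Sling Auth Core code and not taken from the issue. It assumes a marker cookie set whenever credentials are requested; the Handler interface, authenticate(), the MARK name, the 403 status and the /login target are all hypothetical.

```java
import java.util.*;

// Added illustration, not Sling Auth Core code. Handler, authenticate() and the
// MARK cookie name are hypothetical; the cookie jar is a plain Set so this runs
// on a bare JDK without the servlet API.
public class LoginLoopGuardDemo {
    /** Stand-in for AuthenticationHandler.requestCredentials (sends the redirect). */
    interface Handler { void requestCredentials(Map<String, String> responseHeaders); }

    static final String MARK = "login-requested"; // constructed marker cookie name

    /** Returns the status the authenticator answers with for one request. */
    static int authenticate(Set<String> cookieJar, boolean credentialsValid,
                            Handler handler, Map<String, String> responseHeaders) {
        if (credentialsValid) {
            cookieJar.remove(MARK);            // success resets the guard
            return 200;
        }
        if (cookieJar.remove(MARK)) {
            // Steps #4/#5: the client followed our redirect and still presents
            // wrong credentials. Do not call the handler again; fail at once.
            return 403;
        }
        // Step #2: first failure. Record that credentials were requested
        // (stands in for a short-lived Set-Cookie), then let the handler redirect.
        cookieJar.add(MARK);
        handler.requestCredentials(responseHeaders);
        return 302;
    }

    public static void main(String[] args) {
        // Constructed handler that always redirects to a constructed login target.
        Handler redirecting = headers -> headers.put("Location", "/login");
        Set<String> jar = new HashSet<>();
        // A client that keeps sending the same wrong credentials (step #1).
        for (int hop = 1; hop <= 10; hop++) {
            Map<String, String> headers = new HashMap<>();
            int status = authenticate(jar, false, redirecting, headers);
            System.out.println("hop " + hop + ": " + status + " " + headers);
            if (status != 302) break;          // client stops following redirects
        }
    }
}
```

The marker is held by the client, so this only ends the loop for clients that return cookies; a client that discards them would need a server-side counter instead.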