Authentication tokens issued by Oak ( https://jackrabbit.apache.org/oak/docs/security/authentication/tokenmanagement.html ) have an expiry time. The following scenario can happen:
- user is logged in to page at /content/foo.html
- authentication token expires
- user clicks to a link that takes them to the same page - /content/foo.html
Due to the Referer header check in SlingAuthenticator.isLoginLoop the request is considered as part of a loop and does not trigger a redirect to the login page.
We should skip the loop check for expired credentials instead and allow the redirect login to be created.