Sling / SLING-1220

[httpauth] Providing illegal credentials is not properly reported

Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: Extensions httpauth 2.0.4
    • Fix Version/s: Extensions httpauth 2.0.6
    • Component/s: Extensions
    • Labels: None

    Description

      When providing illegal credentials in the login form, the form is silently redrawn without any indication as to what the problem is.

      The cause is the cooperation between the login form and the HTTP Header Authentication handler: the login form provides a parameter for the handler to identify the request as coming from the login form as an Ajax request.

      If this parameter is set when the requestAuthentication method is called, the response should be indicative of the login failure. And the client side script should identify this failure and display a message.

      The mechanism to convey this problem is sending a 403/FORBIDDEN status, which may be caught by the client-side script, which then displays the message. We do not use a 401/UNAUTHORIZED in this case, because this is caught by the browser, causing the browser to display the standard login box.
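
The 403-versus-401 behaviour described above, modelled in JavaScript as an added example; it is not the Sling handler's code or the project's login script. The parameter name `loginFormRequest`, the message text and the injected `fetchImpl` are assumptions made for illustration.

```javascript
// Added illustration: a JavaScript model of the behaviour described in this issue.
// LOGIN_FORM_PARAM and the message text are assumptions, not Sling identifiers.
const LOGIN_FORM_PARAM = "loginFormRequest"; // hypothetical marker parameter

// Server side (modelled): what requestAuthentication should answer.
function requestAuthentication(params, realm) {
  if (Object.prototype.hasOwnProperty.call(params, LOGIN_FORM_PARAM)) {
    // Request came from the login form's Ajax call: report the failure with
    // 403 and no challenge header, so the browser leaves handling to the script.
    return { status: 403, headers: {} };
  }
  // Any other request: normal HTTP authentication challenge.
  return { status: 401, headers: { "WWW-Authenticate": `Basic realm="${realm}"` } };
}

// Client side: map the Ajax response status to what the form shows.
function interpretLoginResponse(status) {
  if (status >= 200 && status < 300) return { ok: true, message: "" };
  if (status === 403) {
    // One generic message; it does not say which of user name or password was wrong.
    return { ok: false, message: "Invalid user name or password." };
  }
  return { ok: false, message: `Login failed (HTTP ${status}).` };
}

// Client side: submit credentials with the marker parameter set.
// fetchImpl is injected so the function can run outside a browser.
async function submitLogin(fetchImpl, url, user, password) {
  const separator = url.includes("?") ? "&" : "?";
  const target = `${url}${separator}${encodeURIComponent(LOGIN_FORM_PARAM)}=1`;
  const response = await fetchImpl(target, {
    headers: { Authorization: "Basic " + btoa(`${user}:${password}`) },
  });
  return interpretLoginResponse(response.status);
}
```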

          People

            Assignee: Felix Meschberger (fmeschbe)
            Reporter: Felix Meschberger (fmeschbe)