The SlingAuthenticator check for whether anonymous access is allowed compares paths with String.startsWith. If holder.path does not end with a '/', it erroneously matches a different path that starts with the same characters, even if that path is not a descendant of the first path.
- Allow anonymous access on '/'
- Deny anonymous access on a path '/blubb'
-> Authentication is enforced on a request to '/blubb-blah' - which is wrong.
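
The scenario above, as an added example that is not Sling's own code: it compares the plain String.startsWith test with a test that only matches at a '/' boundary. The class, record and method names are hypothetical, and it assumes the longest matching path decides and that authentication is required when nothing matches.

```java
import java.util.ArrayList;
import java.util.Comparator;
import java.util.List;

// Added example; names are hypothetical and this is not SlingAuthenticator's code.
public class AnonymousPathMatch {

    // One configured rule: a path and whether authentication is required for it.
    record Holder(String path, boolean authRequired) {}

    // Prefix test as described in the report: plain String.startsWith.
    static boolean naiveMatch(String requestPath, String holderPath) {
        return requestPath.startsWith(holderPath);
    }

    // Segment-aware test: the request equals the holder path or lies below it
    // at a '/' boundary, so '/blubb' no longer covers '/blubb-blah'.
    static boolean segmentMatch(String requestPath, String holderPath) {
        if (holderPath.endsWith("/")) {
            return requestPath.startsWith(holderPath);
        }
        return requestPath.equals(holderPath)
                || requestPath.startsWith(holderPath + "/");
    }

    // Assumption: the longest matching holder path decides; no match means
    // authentication is required.
    static boolean authRequired(List<Holder> holders, String requestPath, boolean naive) {
        List<Holder> sorted = new ArrayList<>(holders);
        sorted.sort(Comparator.comparingInt((Holder h) -> h.path().length()).reversed());
        for (Holder h : sorted) {
            boolean hit = naive ? naiveMatch(requestPath, h.path())
                                : segmentMatch(requestPath, h.path());
            if (hit) {
                return h.authRequired();
            }
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed configuration from the report: anonymous on '/', denied on '/blubb'.
        List<Holder> holders = List.of(new Holder("/", false), new Holder("/blubb", true));
        for (String p : List.of("/blubb", "/blubb/child", "/blubb-blah", "/other")) {
            System.out.printf("%-13s naive=%-5b segment=%b%n", p,
                    authRequired(holders, p, true), authRequired(holders, p, false));
        }
    }
}
```

With the rules reversed (authentication required on '/' and anonymous access allowed on '/blubb'), the same prefix test would let '/blubb-blah' through without authentication, so the boundary check matters in both directions.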