
SlingAuthenticator.isAnonAllowed matches for all paths starting with the same characters


Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Invalid
    • Affects Version: Auth Core 1.3.6
    • Fix Version: None
    • Component: Authentication

    Description

      The SlingAuthenticator check of whether anonymous access is allowed compares paths with String.startsWith. If the holder.path does not end with a '/', it will erroneously match a different path that starts with the same characters, even if it is not a descendant of the first path.

      Example:

      • Allow anonymous access on '/'
      • Deny anonymous access on a path '/blubb'
        -> Authentication is enforced on a request to '/blubb-blah' - which is wrong.
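      The over-match described in the report, shown as an added example (not Sling's own code): a plain String.startsWith comparison beside a segment-aware descendant check, run over constructed holder/request path pairs. The class and method names are hypothetical.

```java
// Added example, not code from the Sling project. Demonstrates why a bare
// String.startsWith prefix check matches sibling paths that merely share
// leading characters, and how a segment-boundary check avoids that.
public final class PathPrefixCheck {

    // The pattern described in the report: prefix comparison only.
    static boolean naiveMatches(String holderPath, String requestPath) {
        return requestPath.startsWith(holderPath);
    }

    // Matches only when requestPath equals holderPath or lies below it,
    // i.e. the prefix is followed by a '/' segment boundary. A holderPath
    // that already ends in '/' is a prefix up to a boundary by construction.
    static boolean descendantMatches(String holderPath, String requestPath) {
        if (holderPath.endsWith("/")) {
            return requestPath.startsWith(holderPath);
        }
        return requestPath.equals(holderPath)
            || requestPath.startsWith(holderPath + "/");
    }

    public static void main(String[] args) {
        // Constructed sample pairs, including the case from the report.
        String[][] cases = {
            {"/blubb", "/blubb-blah"},      // sibling: naive=true, descendant=false
            {"/blubb", "/blubb/page.html"}, // real descendant: both true
            {"/blubb", "/blubb"},           // exact match: both true
            {"/",      "/blubb-blah"},      // root holder: both true
        };
        for (String[] c : cases) {
            System.out.printf("holder=%-8s request=%-18s naive=%-5b descendant=%b%n",
                c[0], c[1], naiveMatches(c[0], c[1]), descendantMatches(c[0], c[1]));
        }
    }
}
```

      Only the first pair differs between the two checks: with the naive comparison a deny rule on '/blubb' also governs '/blubb-blah', which is the behaviour the report calls wrong.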

      Attachments

        1. sling-4701-doc.patch
          3 kB
          Santiago García Pimentel
        2. SlingAuthenticator.patch
          0.9 kB
          Lars Krapf

            People

              kwin Konrad Windszus
              chaotic Lars Krapf
              Votes: 2
              Watchers: 3
