
SlingAuthenticator.isAnonAllowed matches for all paths starting with the same characters

    Details

• Type: Bug
• Status: Resolved
• Priority: Major
• Resolution: Invalid
• Affects Version/s: Auth Core 1.3.6
• Fix Version/s: None
• Component/s: Authentication

Description

The SlingAuthenticator check for whether anonymous access is allowed compares paths with String.startsWith. If the holder.path does not end with a '/', it will erroneously match a different path that starts with the same characters, even if it is not a descendant of the first path.

Example:

• Allow anonymous access on '/'
• Deny anonymous access on a path '/blubb'
  -> Authentication is enforced on a request to '/blubb-blah' - which is wrong.
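The following is an added, self-contained Java illustration of the mismatch described above; it is not code from Sling's SlingAuthenticator and does not represent the project's resolution of this issue. The holder map, the longest-match selection and the method names are assumptions made for the example. It places the plain startsWith prefix test beside a descendant-aware comparison (equal path, or prefix followed by '/') and evaluates both against the paths from the report. The same prefix logic applied to an allow rule would also match sibling paths that merely share characters, so the comparison deserves attention in both directions.

```java
import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Stand-in for a table of auth-requirement holders: path -> anonymous allowed?
 * (Assumed structure for this example, not Sling's own types.)
 */
public class AnonPathMatch {

    // Prefix comparison as described in the issue: '/blubb' also matches '/blubb-blah'.
    static boolean prefixMatches(String holderPath, String requestPath) {
        return requestPath.startsWith(holderPath);
    }

    // Descendant-aware comparison: the request path must equal the holder path
    // or continue it with a '/' segment separator. The root '/' covers everything.
    static boolean descendantMatches(String holderPath, String requestPath) {
        if ("/".equals(holderPath)) {
            return requestPath.startsWith("/");
        }
        return requestPath.equals(holderPath)
            || requestPath.startsWith(holderPath + "/");
    }

    // The most specific (longest) matching holder decides; assumed selection rule.
    static boolean isAnonAllowed(Map<String, Boolean> holders, String requestPath,
                                 boolean useDescendantCheck) {
        String best = null;
        boolean allowed = false;
        for (Map.Entry<String, Boolean> e : holders.entrySet()) {
            String holderPath = e.getKey();
            boolean matches = useDescendantCheck
                ? descendantMatches(holderPath, requestPath)
                : prefixMatches(holderPath, requestPath);
            if (matches && (best == null || holderPath.length() > best.length())) {
                best = holderPath;
                allowed = e.getValue();
            }
        }
        return allowed;
    }

    public static void main(String[] args) {
        // Constructed holders taken from the report's example.
        Map<String, Boolean> holders = new LinkedHashMap<>();
        holders.put("/", Boolean.TRUE);        // allow anonymous access on '/'
        holders.put("/blubb", Boolean.FALSE);  // deny anonymous access on '/blubb'

        // Constructed request paths: the denied subtree, a true child, the
        // sibling that only shares a prefix, and an unrelated path.
        String[] requests = { "/blubb", "/blubb/child", "/blubb-blah", "/other" };
        for (String r : requests) {
            System.out.printf("%-13s prefix-check anon=%-5s descendant-check anon=%-5s%n", r,
                isAnonAllowed(holders, r, false),
                isAnonAllowed(holders, r, true));
        }
    }
}
```

Running the class prints one line per request path. With the prefix test, '/blubb-blah' is treated as governed by the '/blubb' holder; with the descendant test it falls back to the '/' holder, while '/blubb' and '/blubb/child' are handled the same way by both checks.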

Attachments

1. SlingAuthenticator.patch (0.9 kB) - Lars Krapf
2. sling-4701-doc.patch (3 kB) - Santiago García Pimentel


People

• Assignee: kwin (Konrad Windszus)
• Reporter: chaotic (Lars Krapf)
• Votes: 2
• Watchers: 3
