AEM6.5 Apache Sling Authentication Service configuration not work

Question

I am running a AEM author service, in Apache Sling Authentication Service I didn't add /system/sling/junit/.html into Authentication Requirements, and Allow Anonymous Access is unchecked, but still could access /system/sling/junit/.html without login.

1. What's the reason for that?
2. How could I enforce login to access all pages(there are maybe some other pages could be access without login).

Answer 1

The JUnitServlet bypasses Sling-Authentication completely. If you look into the code, it registers directly as an OSGi servlet (via the OSGi http-service). It is registered parallel to the SlingMainServlet. So there is no way to enforce Sling Authentication from the outside. The JUnitServlet itself had to enforce Authentication (like the /system/console). It is open source, so you could add this feature in theory.

https://github.com/apache/sling-org-apache-sling-junit-core/blob/master/src/main/java/org/apache/sling/junit/impl/servlet/JUnitServlet.java

Also the documentation says, that it has no authentication:

Note that the JUnitServlet does not require authentication, so it would allow any client to run tests. The servlet can be disabled by configuration if needed, but in general the /system path should not be accessible to website visitors anyway.

https://sling.apache.org/documentation/bundles/org-apache-sling-junit-bundles.html#more-details-on-the-junitservlet