First, keep in mind that a 404 is technically correct here - there is no 'tools' node at the root of the repository. It's only via the use of a vanity path that you can access this page at /tools.html as an admin, and only an admin would get access to the real location under /libs (which means the vanity path configuration which is also stored under /libs would only be in effect for admins).
I think for security reasons this is not default behavior on Publish. That is, the normal use case for Publish is really for end users to be accessing it, and thus you would really never want to expose internal functions to them (i.e. you'd restrict them to things under /content and /etc/designs, and the specific servlets you are using).
You could theoretically add a Login Page Mapping of '/libs/granite/core/content/login:/tools' in the Day CQ Login Selector Authentication Handler, and a corresponding Authentication requirement of '+/tools' to the Apache Sling Authentication Service to achieve the desired result. (This would mimic the behavior of the Author.)
But if you do this, I would be very careful to ensure you are restricting access to the server itself and doing rigorous testing to ensure this does not introduce a potential security vulnerability. Personally, I would keep the normal authentication configuration of Publish, since I would be restricting access to /crx/de and /system/console on Publish anyway, and just require admins to log in via CRXDE Lite or Felix before being able to get to /tools.html - but AEM is very flexible so please do what makes the most sense for your use case.
- Carey
