[jira] [Resolved] (SLING-3633) Sling uses wrong value for Principal object

Thu, 05 Jun 2014 23:54:24 -0700 

     [ 
https://issues.apache.org/jira/browse/SLING-3633?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Antonio Sanso resolved SLING-3633.
----------------------------------

       Resolution: Fixed
    Fix Version/s: Engine 2.3.4

fixed in rev. 1600814. Thanks [~fmeschbe] for hinting me the right solution

> Sling uses wrong value for Principal object
> -------------------------------------------
>
>                 Key: SLING-3633
>                 URL: https://issues.apache.org/jira/browse/SLING-3633
>             Project: Sling
>          Issue Type: Bug
>          Components: Authentication
>            Reporter: Ilyas Türkben
>            Assignee: Antonio Sanso
>             Fix For: Engine 2.3.4
>
>
> Sling uses resolver.getUserID() to set the HttpContext.REMOTE_USER on the 
> request object which used later to the instantiation of the Principal object.
> Sling should use the rep:principalName instead of resolver.getUserID().
> {code:java}
>  // org.apache.sling.auth.core.impl.SlingAuthenticator
>     /**
>      * Sets the request attributes required by the OSGi HttpContext interface
>      * specification for the <code>handleSecurity</code> method. In addition 
> the
>      * {@link SlingAuthenticator#REQUEST_ATTRIBUTE_RESOLVER} request attribute
>      * is set to the ResourceResolver.
>      */
>     private void setAttributes(final ResourceResolver resolver, final String 
> authType,
>             final HttpServletRequest request) {
>         // HttpService API required attributes
>         request.setAttribute(HttpContext.REMOTE_USER, resolver.getUserID());
>         request.setAttribute(HttpContext.AUTHENTICATION_TYPE, authType);
>         // resource resolver for down-stream use
>         request.setAttribute(REQUEST_ATTRIBUTE_RESOLVER, resolver);
>         log.debug(
>             "setAttributes: ResourceResolver stored as request attribute: 
> user={}",
>             resolver.getUserID());
>     }
> {code}
> Below *jrAuthorizable is NULL* when the userID(node name) is not equals to 
> rep:principalName property. This is a sample code to reproduce the issue in a 
> servlet.
> {code:java}
>       final Principal principal = request.getUserPrincipal();
>       final org.apache.jackrabbit.api.security.user.UserManager jrUserManager 
> = 
> request.getResourceResolver().adaptTo(org.apache.jackrabbit.api.security.user.UserManager.class);
>       final org.apache.jackrabbit.api.security.user.Authorizable 
> jrAuthorizable = jrUserManager.getAuthorizable(principal);
> {code}
> Basically to reproduce the issue, create a user, change the 
> rep:principalName,  login with the userID, use the api to get a Authorizable 
> object with using the  request.getUserPrincipal();



--
This message was sent by Atlassian JIRA
(v6.2#6252)

Reply via email to