Dominique Jäggi created SLING-4624:
--------------------------------------

Summary: Implement Subject-Support for Events, Preprocessors and Jobs
Key: SLING-4624
URL: https://issues.apache.org/jira/browse/SLING-4624
Project: Sling
Issue Type: Improvement
Components: ResourceResolver
Affects Versions: Resource Resolver 1.2.4
Reporter: Dominique Jäggi

When processing events or jobs the corresponding session that triggered the event is usually lost. This leads to event handlers and job processors often using administrative sessions to do their work. As per the effort of eliminating all loginAdministrative use, there must be an alternative solution.

The preferred approach to solve this problem:

* Pass a serialization of the event-causing Subject in the event payload, and create a ResourceResolver based on that subject (e.g. using JAAS doAsPrivileged in the ResourceResolverFactory).
** Pros: "Clean" implementation from a security POV. Avoids re-authentication. Operates with the original privileges. Security relevant code transparent to the consumer of the event.
** Cons: Needs refactoring. Security relevant code transparent to the consumer of the event (might also lead to problems).

--
This message was sent by Atlassian JIRA (v6.3.4#6332)
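
The approach in the ticket, sketched as an added example (not part of the original message and not Sling code): the event payload carries the originating user id, and the consumer rebuilds a Subject and runs the handler under `Subject.doAsPrivileged`. Assumptions: the class and method names are hypothetical, an HMAC-tagged user id stands in for the serialized Subject so that a consumer can reject a payload altered in transit, the ResourceResolverFactory integration is not shown, and the JAAS calls are the Java 8 era ones the ticket refers to (deprecated on newer JDKs).

```java
import java.nio.charset.StandardCharsets;
import java.security.AccessController;
import java.security.MessageDigest;
import java.security.Principal;
import java.security.PrivilegedAction;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.security.auth.Subject;

public class SubjectEventDemo {
    // Constructed demo key; assumption: producer and consumer share a secret from a keystore.
    static final byte[] KEY = "demo-only-key".getBytes(StandardCharsets.UTF_8);

    static String tag(String userId) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(KEY, "HmacSHA256"));
        return Base64.getEncoder().encodeToString(mac.doFinal(userId.getBytes(StandardCharsets.UTF_8)));
    }

    // Producer side: the "serialization" here is the user id plus an integrity tag.
    static String[] toPayload(String userId) throws Exception {
        return new String[] { userId, tag(userId) };
    }

    // Consumer side: refuse payloads whose tag does not verify, then rebuild the Subject.
    static Subject fromPayload(String[] p) throws Exception {
        byte[] expected = tag(p[0]).getBytes(StandardCharsets.UTF_8);
        if (!MessageDigest.isEqual(expected, p[1].getBytes(StandardCharsets.UTF_8))) {
            throw new SecurityException("subject payload failed integrity check");
        }
        final String name = p[0];
        Subject s = new Subject();
        s.getPrincipals().add(new Principal() { public String getName() { return name; } });
        s.setReadOnly(); // the handler cannot add principals to the identity it was given
        return s;
    }

    // Hypothetical handler: learns who it runs as from the JAAS context, not from an admin login.
    static String handle(Subject subject) {
        return Subject.doAsPrivileged(subject, (PrivilegedAction<String>) () -> {
            Subject current = Subject.getSubject(AccessController.getContext());
            return current.getPrincipals().iterator().next().getName();
        }, null);
    }

    public static void main(String[] args) throws Exception {
        String[] payload = toPayload("alice");               // constructed sample user id
        System.out.println("handler ran as: " + handle(fromPayload(payload)));
        payload[0] = "admin";                                // payload altered after tagging
        try { fromPayload(payload); } catch (SecurityException e) { System.out.println(e.getMessage()); }
    }
}
```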